nvieville / rpms / akmods

Forked from rpms/akmods 5 years ago
Secure boot is a setup using UEFI firmware to check cryptographic signatures on the bootloader and associated OS kernel to ensure they have not been tampered with or bypassed in the boot process. This verification can be extended to Kernel and its modules. It's default case in Fedora with UEFI and Secure boot enabled. Fedora Project have signed kernels and also main modules with Fedora Key, but 3rd party modules as NVidia, VirtualBox, etc. need to be signed to load. Akmods provides an enroll process to sign third party modules with your own keypair. At the first run of the akmods.service, certificate and keypair will be created with default value using the '/usr/sbin/kmodgenca' script. You may also wish to manually create your own certificate and keypair with `/usr/sbin/kmodgenca` command. If '/usr/sbin/kmodgenca' is launched with the '-a' parameter, it will use default values to complete the cacert.config file, and to generate automatically the cert and the private key. If '/usr/sbin/kmodgenca' is launched without parameters, user will be prompted to complete manually the cacert.config file, then the cert and the private key will be automatically generated. If the cert and the private key files already exist, '/usr/sbin/kmodgenca' will exit unless the '-f' parameter is used. The cert and the private key are stored respectively in /etc/pki/akmods/certs and /etc/pki/akmods/private/ directories. Now you need to enroll the public key in MOK, this process is described below. - Ask MOK to enroll new keypair with certificate with the command `mokutil --import /etc/pki/akmods/certs/public_key.der`. - mokutil asks to generate a password to enroll the public key. - Rebooting the system is needed for MOK to enroll the new public key. - On next boot MOK Management is launched and you have to choose "Enroll MOK". - Choose "Continue" to enroll the key or "View key 0" to show the keys already enrolled. - Confirm enrollment by selecting "Yes". - You will be invited to enter the password generated above. WARNING: keyboard is mapped to QWERTY! - The new key is enrolled, and system ask you to reboot. You can confirm the enrollment of the new keypair once the system rebooted with: `mokutil --list-enrolled | grep Issuer` or with: `mokutil --test-key /etc/pki/akmods/certs/public_key.der`