Custom Kernel want to secure boot with custom private key

Support for security such as Firewalls and securing linux
jack.lan
Posts: 2
Joined: 2018/12/06 09:06:37

Custom Kernel want to secure boot with custom private key

Post by jack.lan » 2018/12/06 09:48:51

OS: CentOS 7.5

I need some help.

My project needs Secure Boot with a custom key, so BIOS Secure Boot is enabled, and because I need to modify the kernel, I rebuilt the kernel source myself following the website below.

path: https://wiki.centos.org/zh-tw/HowTos/Custom_Kernel

But it can't boot because of an invalid signature when Secure Boot is enabled.

Even after searching for "secure boot" information on Google, I don't know what to do...

Do shim or bootx64.efi need to be signed? Do I need to add the private key or anything to the database?

Or do I need to modify kernel.spec?

Source13: centos-ca-secureboot.der
Source14: centossecureboot001.crt

Create the der and crt with a custom private key to replace these files?

I can't find more detailed official information about Secure Boot in CentOS 7.

The key security mechanism and secure boot are just like the language of another world. The information on the Internet is too fragmented, especially in Linux. I need some direction or help. :cry:

Can someone help?

kaplin.ae
Posts: 1
Joined: 2019/02/07 09:33:10

Re: Custom Kernel want to secure boot with custom private key

Post by kaplin.ae » 2019/02/07 09:50:58

I also need that information. It seems I figured out how I can create the centos-ca-secureboot.der certificate. But I need information on how I can generate centossecureboot001.crt for kernel and grub signing. Can anybody provide us with detailed information about how I can install Linux on UEFI hardware using a signed shim, grub, and kernel? How can I sign it? I agree with jack.lan that the information on the Internet is too fragmented.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Custom Kernel want to secure boot with custom private key

Post by TrevorH » 2019/02/08 09:47:43

CentOS is already secure boot enabled and does not require any modification.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

harrywangca
Posts: 107
Joined: 2016/01/12 23:27:04
Location: Vista California

Re: Custom Kernel want to secure boot with custom private key

Post by harrywangca » 2020/04/06 20:35:32

The default CentOS is signed and boots after installation.
But if we recompile a new kernel, we need to sign it; otherwise we cannot boot it. I have the same issue...

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Custom Kernel want to secure boot with custom private key

Post by hunter86_bg » 2020/04/14 20:32:16

You need to compile and sign your new kernel. Then, you have to find a way to make your signature trusted.

I think that you might find more info here.
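
The two steps named in the last reply (sign the rebuilt kernel, then make the signing certificate trusted), written out as an added example that is not from any poster or from the CentOS project. It assumes openssl, sbsigntools (sbsign/sbverify) and mokutil are installed and that shim is the first-stage loader; the file names, the CN and the kernel path are placeholders.

```bash
#!/bin/bash
# Added example. MOK.key / MOK.pem / MOK.der and the CN are placeholder names.
set -eu

# Create an RSA-2048 signing key and a self-signed certificate in directory $1
# with common name $2. Writes:
#   MOK.key  private key (keep offline or at least root-only)
#   MOK.pem  certificate in PEM form, as sbsign expects
#   MOK.der  the same certificate in DER form, as mokutil expects
make_mok_key() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$2/" -keyout "$1/MOK.key" -out "$1/MOK.pem"
    chmod 600 "$1/MOK.key"
    openssl x509 -in "$1/MOK.pem" -outform DER -out "$1/MOK.der"
}

# Print the SHA-256 fingerprint of the certificate in directory $1, so the
# certificate being enrolled can be compared with the one that was generated.
mok_fingerprint() {
    openssl x509 -inform DER -in "$1/MOK.der" -noout -fingerprint -sha256
}

# Sign kernel image $2 (a PE/EFI-stub vmlinuz) with the key in directory $1,
# then verify the signed copy against the same certificate before installing it.
sign_kernel() {
    sbsign --key "$1/MOK.key" --cert "$1/MOK.pem" --output "$2.signed" "$2"
    sbverify --cert "$1/MOK.pem" "$2.signed"
}

# Queue the certificate for enrolment as a Machine Owner Key. mokutil asks for
# a one-time password; shim's MokManager asks for it again on the next reboot,
# and only after that does shim accept images signed with MOK.key.
enroll_mok() {
    mokutil --import "$1/MOK.der"
}

# Typical order (run as root; <version> is a placeholder for the rebuilt kernel):
#   make_mok_key /root/mok "Example custom kernel signing key"
#   sign_kernel  /root/mok /boot/vmlinuz-<version>
#   enroll_mok   /root/mok   # then reboot and confirm in MokManager
```

An invalid-signature error at boot with Secure Boot enabled is what an unsigned image, or one signed with a certificate that has not been enrolled, produces; `mokutil --list-enrolled` shows which certificates shim currently trusts.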
