criar chaves:
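# Create the Machine Owner Key (MOK) pair used to sign DKMS modules and the kernel.
# Needs write access to /var/lib/shim-signed (normally root).
# No -nodes is passed, so openssl asks for a passphrase and stores MOK.priv encrypted.
# -days 36500 is roughly 100 years: the certificate never expires in practice, so
# retiring it depends on removing it from the enrolled MOK list, not on expiry.
# The certificate only becomes trusted after it is enrolled (mokutil --import MOK.der,
# see the Debian wiki page linked at the end of this file).
mkdir -p /var/lib/shim-signed/mok/
# Chain on success: if the cd fails, the key pair must not land in the current directory.
cd /var/lib/shim-signed/mok/ &&
  openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=dkms/" &&
  # Anyone holding MOK.priv can sign code this machine's Secure Boot will accept:
  # keep it owner-only regardless of the umask or openssl version in use.
  chmod 600 MOK.priv &&
  # PEM copy of the same certificate; sbsign takes the certificate in PEM form.
  openssl x509 -inform der -in MOK.der -out MOK.pem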

assinar módulos:
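# Sign every DKMS-built module of the running kernel with the MOK.
# Debian layout: sign-file is taken from /usr/lib/linux-kbuild-<major.minor>.
VERSION="$(uname -r)"
SHORT_VERSION="$(uname -r | cut -d . -f 1-2)"
MODULES_DIR=/lib/modules/$VERSION
KBUILD_DIR=/usr/lib/linux-kbuild-$SHORT_VERSION
# Only continue when the cd succeeded; otherwise find would walk whatever
# directory the shell happens to be in and sign any *.ko found there.
cd "$MODULES_DIR/updates/dkms" && {
  printf '%s' "Passphrase for the private key: "
  # IFS= and -r keep leading/trailing blanks and backslashes of the passphrase intact;
  # -s keeps it off the screen.
  IFS= read -r -s KBUILD_SIGN_PIN
  echo
  # sign-file reads the key passphrase from this environment variable.
  export KBUILD_SIGN_PIN
  # NUL-delimited names so paths with spaces or newlines reach sign-file unchanged.
  find . -name '*.ko' -print0 |
    while IFS= read -r -d '' module; do
      # Only KBUILD_SIGN_PIN is carried through sudo; the sudoers policy has to permit that.
      sudo --preserve-env=KBUILD_SIGN_PIN "$KBUILD_DIR"/scripts/sign-file sha256 \
        /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der "$module" || {
        # Stop at the first failure (e.g. wrong passphrase) and say which module it was.
        printf 'sign-file failed for %s\n' "$module" >&2
        break
      }
    done
  # Do not leave the passphrase exported: every later child process of this shell
  # would inherit it.
  unset KBUILD_SIGN_PIN
}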

assinar módulos pve (proxmox):
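# Sign every DKMS-built module of the running kernel with the MOK.
# Proxmox (pve) layout: sign-file is taken from /usr/src/linux-headers-<full version>.
VERSION="$(uname -r)"
MODULES_DIR=/lib/modules/$VERSION
KBUILD_DIR=/usr/src/linux-headers-$VERSION
# Only continue when the cd succeeded; otherwise find would walk whatever
# directory the shell happens to be in and sign any *.ko found there.
cd "$MODULES_DIR/updates/dkms" && {
  printf '%s' "Passphrase for the private key: "
  # IFS= and -r keep leading/trailing blanks and backslashes of the passphrase intact;
  # -s keeps it off the screen.
  IFS= read -r -s KBUILD_SIGN_PIN
  echo
  # sign-file reads the key passphrase from this environment variable.
  export KBUILD_SIGN_PIN
  # NUL-delimited names so paths with spaces or newlines reach sign-file unchanged.
  find . -name '*.ko' -print0 |
    while IFS= read -r -d '' module; do
      # Only KBUILD_SIGN_PIN is carried through sudo; the sudoers policy has to permit that.
      sudo --preserve-env=KBUILD_SIGN_PIN "$KBUILD_DIR"/scripts/sign-file sha256 \
        /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der "$module" || {
        # Stop at the first failure (e.g. wrong passphrase) and say which module it was.
        printf 'sign-file failed for %s\n' "$module" >&2
        break
      }
    done
  # Do not leave the passphrase exported: every later child process of this shell
  # would inherit it.
  unset KBUILD_SIGN_PIN
}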

assinar kernel:
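# Sign the kernel image with the MOK (PEM certificate, same private key as the modules).
# Keep VERSION if an earlier snippet set it, otherwise target the running kernel,
# so the paths below never collapse to "/boot/vmlinuz-".
VERSION="${VERSION:-$(uname -r)}"
# sbsign writes to a temporary file; the bootable image is replaced only when
# signing succeeded, so a failed run cannot overwrite the kernel with a partial file.
# Expect a passphrase prompt if MOK.priv is encrypted.
sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem "/boot/vmlinuz-$VERSION" --output "/boot/vmlinuz-$VERSION.tmp" &&
  mv "/boot/vmlinuz-$VERSION.tmp" "/boot/vmlinuz-$VERSION"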

verificar se o kernel está assinado:
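# List the signatures embedded in the kernel image; a signature whose subject is the
# MOK certificate (CN=dkms in this file) should be present.
# --list only displays signatures. To check the image against the certificate, use
# sbverify --cert /var/lib/shim-signed/mok/MOK.pem IMAGE.
# VERSION falls back to the running kernel when no earlier snippet set it.
sbverify --list "/boot/vmlinuz-${VERSION:-$(uname -r)}"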

https://wiki.debian.org/SecureBoot

necessário para assinar automaticamente os módulos com palavra-passe na chave privada:
https://gist.github.com/siddhpant/19c07b07d912811f5a4b2893ca706c99
https://github.com/dkms-project/dkms/issues/273
https://gist.github.com/sbueringer/bd8cec239c44d66967cf307d808f10c4