criar chaves:
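# Create the Machine Owner Key (MOK) pair that the steps below use to sign
# DKMS modules and the kernel image.
#   MOK.priv - private key; openssl prompts for a passphrase because -nodes is not given
#   MOK.der  - self-signed certificate in DER form (passed to sign-file below)
#   MOK.pem  - the same certificate in PEM form (passed to sbsign --cert below)
# NOTE(review): -days 36500 makes the certificate valid for roughly 100 years, so
# retiring this key means removing it from the enrolled MOK list rather than waiting
# for expiry. Confirm that rsa:2048 and this lifetime match local policy.
mkdir -p /var/lib/shim-signed/mok/
(
    # Subshell: the umask and the directory change do not leak into the calling
    # shell. The later steps refer to the key files by absolute path.
    cd /var/lib/shim-signed/mok/ || exit 1
    # Files created from here on are readable by their owner only, so the private
    # key never exists on disk with group/other read permission.
    umask 077
    openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=dkms/" &&
        openssl x509 -inform der -in MOK.der -out MOK.pem
)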
assinar módulos:
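# Sign every DKMS-built module (*.ko) of the running kernel with the MOK key.
VERSION="$(uname -r)"
SHORT_VERSION="$(uname -r | cut -d . -f 1-2)"
MODULES_DIR=/lib/modules/$VERSION
KBUILD_DIR=/usr/lib/linux-kbuild-$SHORT_VERSION
# Do nothing if the DKMS directory is missing; otherwise find would walk whatever
# directory the shell happens to be in and sign the modules it finds there.
cd "$MODULES_DIR/updates/dkms" && {
    echo -n "Passphrase for the private key: "
    # IFS= and -r keep leading/trailing blanks and backslashes in the passphrase intact.
    IFS= read -r -s KBUILD_SIGN_PIN
    echo    # read -s does not echo the newline the user typed
    export KBUILD_SIGN_PIN
    # NUL-delimited names, so paths containing blanks or backslashes are passed through unchanged.
    find . -name '*.ko' -print0 | while IFS= read -r -d '' module; do
        sudo --preserve-env=KBUILD_SIGN_PIN "$KBUILD_DIR"/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der "$module" || {
            # Stop at the first failure, as before, but say so: the modules after
            # this one are still unsigned.
            echo "sign-file failed for $module; remaining modules were not signed" >&2
            break
        }
    done
    # Do not leave the key passphrase exported in this shell's environment.
    unset KBUILD_SIGN_PIN
}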
assinar módulos pve (proxmox):
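# Proxmox (pve) variant: sign-file is taken from the installed kernel headers
# instead of linux-kbuild; everything else matches the generic module-signing step.
VERSION="$(uname -r)"
MODULES_DIR=/lib/modules/$VERSION
KBUILD_DIR=/usr/src/linux-headers-$VERSION
# Do nothing if the DKMS directory is missing; otherwise find would walk whatever
# directory the shell happens to be in and sign the modules it finds there.
cd "$MODULES_DIR/updates/dkms" && {
    echo -n "Passphrase for the private key: "
    # IFS= and -r keep leading/trailing blanks and backslashes in the passphrase intact.
    IFS= read -r -s KBUILD_SIGN_PIN
    echo    # read -s does not echo the newline the user typed
    export KBUILD_SIGN_PIN
    # NUL-delimited names, so paths containing blanks or backslashes are passed through unchanged.
    find . -name '*.ko' -print0 | while IFS= read -r -d '' module; do
        sudo --preserve-env=KBUILD_SIGN_PIN "$KBUILD_DIR"/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der "$module" || {
            # Stop at the first failure, as before, but say so: the modules after
            # this one are still unsigned.
            echo "sign-file failed for $module; remaining modules were not signed" >&2
            break
        }
    done
    # Do not leave the key passphrase exported in this shell's environment.
    unset KBUILD_SIGN_PIN
}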
assinar kernel:
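# Sign the kernel image with the MOK key and put the signed copy in place.
# VERSION must already hold the kernel release (it is set in the module-signing
# steps); refuse to continue if it is empty, since every path below is built from it.
: "${VERSION:?VERSION is not set; set it to the kernel release first}"
# Each step runs only if the previous one succeeded, so the bootable image is
# replaced only by a copy that sbsign produced and whose signature sbverify
# accepts against the MOK certificate. On failure the .tmp file, if any, is left
# behind for inspection and /boot/vmlinuz-$VERSION is untouched.
sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem "/boot/vmlinuz-$VERSION" --output "/boot/vmlinuz-$VERSION.tmp" &&
    sbverify --cert /var/lib/shim-signed/mok/MOK.pem "/boot/vmlinuz-$VERSION.tmp" &&
    mv "/boot/vmlinuz-$VERSION.tmp" "/boot/vmlinuz-$VERSION"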