Can not do the security steps before building a custom kernel

2022-04-17T05:00:00Z

This is in response to https://docs.fedoraproject.org/en-US/quick-docs/kernel/build-custom-kernel/. The title of the page is “Building a custom kernel.”

I will include a snip from the page so you will know what I mean when I say "the security steps":

_______ B E G I N N I N G O F S N I P _______

Get the Dependencies
The easiest way to install all the build dependencies for the kernel is to use the Fedora kernel spec file:

sudo dnf install fedpkg
fedpkg clone -a kernel
cd kernel
sudo dnf builddep kernel.spec

If you want to use make xconfig, you’ll need some additional packages:
sudo dnf install qt3-devel libXi-devel gcc-c++

Secure boot
Make sure you add the user doing the build to /etc/pesign/users and run the authorize user script:

sudo /usr/libexec/pesign/pesign-authorize
Create a new Machine Owner Key (MOK) to import to UEFI:

openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" \
    -outform DER -out "cert.der" -nodes -days 36500 \
    -subj "/CN=/"
Import the new certificate into your UEFI database:

You will be asked to authorize the import at next boot.
mokutil --import "cert.der"
Create a PKCS #12 key file:

openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der

_________ E N D S N I P _________

I followed along with these plainly-written instructions, until the last instruction in the snip:
openssl pkcs12 …

The response I got from the system was “Unable to load keys.”

I am writing this on the off chance that someone else has had a similar experience, and knows why openssl would give me that error, “Unable to load keys.”

If you have an answer, please give me a shout.

Thanks,

Bryguy

Hi,

Possibly a stupid question, but did you enter a value for CN and just left it blank for posting on the discourse? I only ask because without a value the key will not be generated and may explain the error you are getting.

Thanks Tom.

No, I don’t know why the SNIP came out that way, but the instructions said to put your name in angle brackets after the CN, as CN=<Bryguy Zimmer>.

So, very observant of you to notice that, but I did pass that step OK.

Thanks for your reply.

Hi,

Could only produce “Unable to load keys.” once, changing the file to read only fixed it. I’ve produced the private key a few times since, and not had the error since (even though the file is read/write for the user only), the error then changed to “unable to load certificates”. I think I’ve found a work around for that:

I’m happy to be wrong here, but I think the guide is missing a step. I can’t find a way to use cert.der to generate key.p12, but converting to a pem first does. Please try:

openssl x509 -inform DER -in cert.der -outform PEM -out cert.pem
openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.pem

You should then be able to proceed with:

certutil -A -i cert.der -n "<MOK certificate nickname>" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"
pk12util -i key.p12 -d /etc/pki/pesign

Thanks Tom.
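The workaround above, scripted end to end as an added example (this is not code from the thread or from the Fedora documentation): it generates the MOK key pair the way the docs page does, converts the DER certificate to PEM before the PKCS #12 export, and then checks the bundle before it is handed to pk12util, by confirming that the certificate inside key.p12 carries the same public key as key.pem. Assumptions not on the page: the work happens in a directory you pass in, the subject "Example MOK" and the export password "changeme" are constructed placeholders, and the public-key comparison is my own sanity check, not a step from the guide.

```shell
#!/bin/sh
# Added example (not from the thread or the Fedora docs).
# Generates a MOK, builds key.p12 via the DER -> PEM conversion from the
# thread, and verifies that the certificate in the bundle matches the key.
set -eu

# Constructed placeholder; replace with a real export password.
P12_PASS=changeme

# Step 1: create the MOK key pair with a DER certificate, as the docs page does.
# The subject is a constructed placeholder.
make_mok() {
    dir=$1
    openssl req -new -x509 -newkey rsa:2048 -keyout "$dir/key.pem" \
        -outform DER -out "$dir/cert.der" -nodes -days 36500 \
        -subj "/CN=Example MOK/" 2>/dev/null
}

# Step 2: the workaround from the thread. `openssl pkcs12 -export` wants a
# PEM certificate, so convert cert.der first, then build the bundle.
p12_from_pem() {
    dir=$1
    openssl x509 -inform DER -in "$dir/cert.der" -outform PEM -out "$dir/cert.pem"
    openssl pkcs12 -export -out "$dir/key.p12" -inkey "$dir/key.pem" \
        -in "$dir/cert.pem" -passout "pass:$P12_PASS" 2>/dev/null
}

# Step 3 (my own check, not in the guide): before importing into the pesign
# database, make sure the certificate in the .p12 really belongs to the
# private key. Hash the SubjectPublicKeyInfo derived from each side and
# compare. Prints "match" or "mismatch".
verify_p12() {
    key=$1
    p12=$2
    from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    from_p12=$(openssl pkcs12 -in "$p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
               | openssl x509 -pubkey -noout | openssl sha256)
    if [ -n "$from_key" ] && [ "$from_key" = "$from_p12" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Run the whole sequence in a directory of your choice, e.g.:
#   sh mok-p12.sh run /path/to/workdir
main() {
    dir=$2
    mkdir -p "$dir"
    make_mok "$dir"
    p12_from_pem "$dir"
    printf 'key.p12 written; key/cert check: %s\n' "$(verify_p12 "$dir/key.pem" "$dir/key.p12")"
}

case "${1:-}" in
    run) main "$@" ;;
esac
```

If the check prints "mismatch", do not import the bundle: a pesign database holding a certificate whose key you do not have will sign nothing useful, and one holding the wrong key for that certificate produces signatures the firmware will reject.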