Can not do the security steps before building a custom kernel

Ask Fedora
,
1

2022-04-17T05:00:00Z

This is in response to https://docs.fedoraproject.org/en-US/quick-docs/kernel/build-custom-kernel/. The title of the page is “Building a custom kernel.”

I will include a snip from the page so you will know what I mean when I say :the security steps:

_______ B E G I N N I N G O F S N I P _______

Blockquote
Get the Dependencies
The easiest way to install all the build dependencies for the kernel is to use the Fedora kernel spec file:

sudo dnf install fedpkg
fedpkg clone -a kernel
cd kernel
sudo dnf builddep kernel.spec

If you want to use make xconfig, you’ll need some additional packages:
sudo dnf install qt3-devel libXi-devel gcc-c++

Secure boot
Make sure you add the user doing the build to /etc/pesign/users and run the authorize user script:

sudo /usr/libexec/pesign/pesign-authorize
Create a new Machine Owner Key (MOK) to import to UEFI:

openssl req -new -x509 -newkey rsa:2048 -keyout “key.pem”
-outform DER -out “cert.der” -nodes -days 36500
-subj “/CN=/”
Import the new certificate into your UEFI database:

You will be asked to authorize the import at next boot.
mokutil --import “cert.der”
Create a PKCS #12 key file:Get the Dependencies
The easiest way to install all the build dependencies for the kernel is to use the Fedora kernel spec file:

sudo dnf install fedpkg
fedpkg clone -a kernel
cd kernel
sudo dnf builddep kernel.spec

If you want to use make xconfig, you’ll need some additional packages:
sudo dnf install qt3-devel libXi-devel gcc-c++

Secure boot
Make sure you add the user doing the build to /etc/pesign/users and run the authorize user script:

sudo /usr/libexec/pesign/pesign-authorize
Create a new Machine Owner Key (MOK) to import to UEFI:

openssl req -new -x509 -newkey rsa:2048 -keyout “key.pem”
-outform DER -out “cert.der” -nodes -days 36500
-subj “/CN=/”
Import the new certificate into your UEFI database:

You will be asked to authorize the import at next boot.
mokutil --import “cert.der”
Create a PKCS #12 key file:

openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der

_________ E N D S N I P _________

I followed along with these plainly-written instructions, until the last instructio in the snip:
openssl pkcs12 …

The response I got from the system was “Unable to load keys.”

I am writing this on the off chance that someone else has had a similar experience, and knows why openssl would give me that error, “Unable to load keys.”

If you have an answer, please give me a shout.

Thanks,

Bryguy

2

Hi,

Possibly a stupid question, but did you enter a value for CN and just left it blank for posting on the discourse? I only ask beacusye without a value the key will not be generated and may explain the error you are getting.

Thanks Tom.

3

No, I don’t know why the SNIP came out that way, but the instructions said to put your name in angle brackets after the after the CN, as CN=<Bryguy Zimmer>.

So, very observant of you to notice that, but I did pass that step OK.

Thanks for your reply.

4

Hi,

Could only only produce “Unable to load keys.” once, changing the file to read only fixed. I’ve produced the private key a few times since, and not had the error since (even though the file is read/write for the user only), the error then changed to “unable to load certificates”. I think I’ve found a work around for that:

I’m happy to be wrong here, but I think the the guide is missing a step. I can’t find a way to use cert.der to generate key.p12, but converting to a pem first does. Please try:

openssl x509 -inform DER -in cert.der  -outform PEM -out cert.pem
openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.pem

You should then be able to proceed with:

certutil -A -i cert.der -n "<MOK certificate nickname>" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"
pk12util -i key.p12 -d /etc/pki/pesign

Thanks Tom.