johnnyjuki
(Joseph Razzy)
September 1, 2021, 10:13am
1
I have Fedora 34 Workstation.
I need a self-built kernel because I need modules that are not built with the Fedora-provided kernel.
I have downloaded Kernel 5.14 from kernel.org.
Then I did
cp /boot/config-`uname -r` .config
make oldconfig
[PRESS ENTER ALL TIME]
make xconfig
[ADD MY MODULES]
make
make binrpm-pkg
cd /home/[USER]/rpmbuild/RPMS/x86_64
sudo dnf install ./*.rpm
But the kernel will not boot, giving me the following error:
1 Like
johnnyjuki
(Joseph Razzy)
September 1, 2021, 10:38am
2
It looks like this is due to SecureBoot.
I really don’t want to deactivate SecureBoot.
How can I sign my kernel with my key?
I have a key that I have generated and enrolled with:
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/" -nodes
sudo mokutil --import MOK.der
2 Likes
johnnyjuki
(Joseph Razzy)
September 1, 2021, 2:23pm
3
I was able to sign the kernel with the following script:
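#!/usr/bin/env bash
# Ask for the version string of the kernel to sign
read -r -p "Kernel version: " ver
echo "$ver"
# Sign the kernel image with the MOK key; sbsign expects the certificate in PEM format
sudo sbsign --key MOK.priv --cert MOK.pem "/boot/vmlinuz-$ver" --output "/boot/vmlinuz-$ver.signed"
# Copy the initramfs under a matching name
sudo cp "/boot/initramfs-${ver}.img" "/boot/initramfs-${ver}.signed.img"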
However GRUB doesn’t recognize the new entry.
3 Likes
noloader
(Jeffrey Walton)
September 15, 2021, 1:37am
4
Andreas Mueller provided instructions to sign a module at "Virtualbox vboxdrv kernel module not loaded". The instructions are prescriptive, so they provide all the steps you need to perform. It is a high quality post.
You should be able to modify Mueller’s procedure to sign the kernel rather than a module.
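Added example, not part of any post in this thread: one way to sign the self-built kernel with the MOK from post 2, converting the DER certificate to the PEM form that sbsign reads and verifying the signature before the image is put in place. It assumes sbsigntools and openssl are installed, and that the boot entry created when the RPM was installed references /boot/vmlinuz-<version>, so the signed image replaces the original instead of being stored under a new name; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Usage: ./sign-kernel.sh <version> MOK.priv MOK.der

# Print "pem", "der" or "unknown" for a certificate file.
# mokutil --import takes DER; sbsign and sbverify take PEM.
cert_format() {
    if head -c 27 "$1" | grep -q -- '-----BEGIN CERTIFICATE-----'; then
        echo pem
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo der        # DER begins with the ASN.1 SEQUENCE tag 0x30
    else
        echo unknown
    fi
}

# Succeed if the file starts with "MZ", the magic of a PE/COFF image.
# sbsign signs PE images; an EFI-stub kernel image is one.
is_pe_image() {
    [ "$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')" = "4d5a" ]
}

sign_kernel() {
    local ver="$1" key="$2" cert="$3"
    local img="/boot/vmlinuz-$ver" pem
    is_pe_image "$img" || { echo "$img is not a PE image" >&2; return 1; }
    case "$(cert_format "$cert")" in
        pem) pem="$cert" ;;
        der) pem="${cert%.der}.pem"
             openssl x509 -inform DER -in "$cert" -out "$pem" || return 1 ;;
        *)   echo "unrecognised certificate file: $cert" >&2; return 1 ;;
    esac
    # Sign into a temporary name and check the signature against the same certificate.
    sudo sbsign --key "$key" --cert "$pem" --output "$img.signed" "$img" || return 1
    sudo sbverify --cert "$pem" "$img.signed" || return 1
    # Assumption: the existing boot entry points at $img, so replace it in place.
    sudo mv "$img.signed" "$img"
}

if [ "$#" -eq 3 ]; then
    sign_kernel "$@"
fi
```

`mokutil --test-key MOK.der` reports whether the certificate is already enrolled; shim only accepts the signature once the enrollment has been completed at the next boot.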