How can I sign my self-built kernel with my own key?

I have Fedora 34 Workstation.

I need a self-built kernel because I need modules that are not built with the Fedora-provided kernel.

I have downloaded Kernel 5.14 from kernel.org.

Then I did

cp /boot/config-`uname -r` .config
make oldconfig
[PRESS ENTER EVERY TIME]
make xconfig
[ADD MY MODULES]
make
make binrpm-pkg
cd /home/[USER]/rpmbuild/RPMS/x86_64
sudo dnf install ./*.rpm

But the kernel will not boot giving me the following error:


It looks like this is due to SecureBoot.

I really don’t want to deactivate SecureBoot.

How can I sign my kernel with my key?

I have a key that I have generated and enrolled with:

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/" -nodes

sudo mokutil --import MOK.der

I was able to sign the kernel with the following script:

#!/usr/bin/env bash
# MOK.pem is the certificate in PEM form; sbsign does not accept the DER file that mokutil imported
read -r -p "Kernel version: " ver
echo "$ver"
sudo sbsign --key MOK.priv --cert MOK.pem "/boot/vmlinuz-$ver" --output "/boot/vmlinuz-$ver.signed"
sudo cp "/boot/initramfs-${ver}.img" "/boot/initramfs-${ver}.signed.img"

However GRUB doesn’t recognize the new entry.

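One way to do the signing step so that the boot entry created by `dnf install` is reused rather than a new one needed (an added example, not the script from the post above): it signs /boot/vmlinuz-<version> in place, but only after sbverify confirms the signature against the MOK certificate. It assumes sbsigntools is installed and that MOK.priv and MOK.der are the files produced by the openssl command in the question.

```shell
#!/usr/bin/env bash
# Added example, not the script from the post. Signs an installed kernel
# image in place with the MOK from the question, so the boot entry that
# "dnf install" already created keeps pointing at a (now signed) image.
# Assumes sbsigntools is installed and MOK.priv / MOK.der are the files
# produced by the openssl command in the question.
set -eu

# sbsign wants the certificate as PEM; mokutil consumed the DER copy.
mok_pem_from_der() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Refuse to touch /boot unless every input exists and is readable.
check_inputs() {
    local img="$1" key="$2" pem="$3"
    [ -r "$img" ] || { echo "no kernel image: $img" >&2; return 1; }
    [ -r "$key" ] || { echo "missing private key: $key" >&2; return 1; }
    [ -r "$pem" ] || { echo "missing PEM certificate: $pem" >&2; return 1; }
    return 0
}

# Sign to a temp file in the same directory, verify the signature against
# the MOK certificate, then atomically swap it over the original. A failed
# sbsign or sbverify leaves the original image untouched.
sign_kernel_in_place() {
    local img="$1" key="$2" pem="$3" tmp
    check_inputs "$img" "$key" "$pem" || return 1
    tmp=$(mktemp "$(dirname "$img")/.$(basename "$img").XXXXXX")
    if ! sbsign --key "$key" --cert "$pem" --output "$tmp" "$img" ||
       ! sbverify --cert "$pem" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    cp -p "$img" "$img.unsigned"   # unsigned copy kept for rollback
    mv -f "$tmp" "$img"
    chmod 0755 "$img"
}

# usage: sudo ./sign-kernel.sh 5.14.0   (run from the directory holding MOK.*)
if [ "$#" -gt 0 ]; then
    ver="$1"
    [ -r MOK.pem ] || mok_pem_from_der MOK.der MOK.pem
    sign_kernel_in_place "/boot/vmlinuz-$ver" MOK.priv MOK.pem
fi
```

Fedora 34 builds its GRUB menu from the BLS entries under /boot/loader/entries, which reference /boot/vmlinuz-<version>, so a file named vmlinuz-<version>.signed is never listed; signing in place avoids that. Once the MOK has been confirmed at the reboot prompt, `sbverify --list /boot/vmlinuz-<version>` should show the signature.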

Andreas Mueller provided instructions to sign a module at Virtualbox vboxdrv kernel module not loaded. The instructions are prescriptive, so they provide all the steps you need to perform. It is a high-quality post.

You should be able to modify Mueller’s procedure to sign the kernel rather than a module.