Signing Custom Kernel with a MOK: bad shim signature

I wanted to try a custom kernel, but it's unsigned, and I use Secure Boot. According to the Red Hat documentation you can sign it with a MOK (Machine Owner Key) (What is MOK?), but this doesn't seem to work: I still get “bad shim signature” on boot.

1. Getting a custom kernel

I was reading about CachyOS and it turns out they have ported their kernel to Fedora so I thought I’d try it out.

sudo dnf copr enable bieszczaders/kernel-cachyos
sudo dnf install kernel-cachyos kernel-cachyos-devel-matched
sudo setsebool -P domain_kernel_load_modules on

I rebooted and was greeted by “bad shim signature”. Thankfully I could switch back to the previous kernel.

error: ../../grub-core/kern/efi/sb.c:192:bad shim signature.
error: ../../grub-core/loader/i386/efi/linux.c:258:you need to load the kernel first.

Press any key to continue...

I researched the issue and it turns out that the CachyOS kernel isn’t signed in any way. While it’s possible to disable the signature check with mokutil --disable-validation I’d prefer to have the kernel signed (automatically).

2. Signing the kernel

I found instructions for signing a custom kernel in the Red Hat docs, and tried my best to follow them:

sudo dnf install pesign openssl kernel-devel mokutil keyutils
sudo efikeygen --dbdir /etc/pki/pesign \
            --self-sign \
            --kernel \
            --common-name 'CN=CachyOS Secure Boot' \
            --nickname 'CachyOS Secure Boot'
sudo certutil -d /etc/pki/pesign \
           -n 'CachyOS Secure Boot' \
           -Lr \
           > sb_cert.cer
sudo mokutil --import sb_cert.cer

Then a manual reboot to enroll the key as a MOK.

cd /boot
sudo pesign --certificate 'CachyOS Secure Boot' \
         --in vmlinuz-6.14.6-cachyos1.fc42.x86_64 \
         --sign \
         --out vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed
sudo mv vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed vmlinuz-6.14.6-cachyos1.fc42.x86_64

So, now the key is added as a MOK and vmlinuz-6.14.6-cachyos1.fc42.x86_64 is signed. After a reboot I was sadly once again presented with “bad shim signature”.

error: ../../grub-core/kern/efi/sb.c:192:bad shim signature.
error: ../../grub-core/loader/i386/efi/linux.c:258:you need to load the kernel first.

Press any key to continue...

I’m clueless. Does GRUB use hardcoded keys? Is there something wrong with my key? Was there something wrong with the kernel signing? mokutil --disable-validation still lets me bypass the validation and boot the kernel.

While I have never seen myself in the situation of having to sign a third-party kernel, I recompiled mine at least once and I had to sign it: Fedora has its own documentation for this.

There seem to be a couple of steps not referred to in your original post. Namely, add your user to /etc/pesign/users and run an authorisation script.

I am not sure if those steps are relevant to the build process or to sign any other kernel, but it may be worth a try.

See:

Thank you @gvisoc!

I tried generating the certificate using the slightly more complicated process like in the Fedora guide, and added myself to /etc/pesign/users:

echo "mikaeldui" | sudo tee -a /etc/pesign/users
sudo /usr/libexec/pesign/pesign-authorize
openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" \
        -outform DER -out "cert.der" -nodes -days 36500 \
        -subj "/CN=mikaeldui Secure Boot/"
sudo mokutil --import "cert.der"
openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der
sudo certutil -A -i cert.der -n "mikaeldui Secure Boot" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"
sudo pk12util -i key.p12 -d /etc/pki/pesign

Then I started the process of signing the kernel again like in the Red Hat guide:

cd /boot
sudo dnf reinstall kernel-cachyos-core
sudo pesign --certificate 'mikaeldui Secure Boot' \
         --in vmlinuz-6.14.6-cachyos1.fc42.x86_64 \
         --sign \
         --out vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed
sudo mv vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed vmlinuz-6.14.6-cachyos1.fc42.x86_64

Re-enable validation with sudo mokutil --enable-validation.

And it worked!

I made it all into a guide: CachyOS Kernel for Fedora with Secure Boot · GitHub
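The “bad shim signature” error in the thread is GRUB reporting that shim refused to verify the kernel image: either the file carries no Authenticode signature at all, or the signature was made with a key that is neither in the firmware db nor enrolled as a MOK. Both conditions can be checked from the running system before rebooting. The script below is an added example for this thread; it is not code from the thread, from the Red Hat docs or from the Fedora docs. It assumes (and these are assumptions about the tools' textual output, not documented contracts) that `pesign --show-signature` prints “No signatures found.” for an unsigned image and a line “The signer's common name is <CN>” for each signer, that `mokutil --test-key <cert>` prints “<cert> is already enrolled” or “<cert> is not enrolled”, and that `mokutil --sb-state` prints “SecureBoot enabled”. The parsing functions take the command output as text, so they can be exercised without the tools installed; `check_kernel` runs the real commands.

```shell
#!/bin/sh
# Pre-reboot check for a MOK-signed kernel (added example, not from the thread).
# Output formats of pesign and mokutil below are assumptions about the tools'
# text output; adjust the patterns if your versions print something else.

# signature_status OUTPUT EXPECTED_CN
#   0 = signed by EXPECTED_CN, 1 = no signature at all, 2 = signed, but not by EXPECTED_CN
signature_status() {
    _out=$1
    _cn=$2
    case "$_out" in
        *"No signatures found"*) return 1 ;;
    esac
    case "$_out" in
        *"The signer's common name is $_cn"*) return 0 ;;
    esac
    return 2
}

# mok_status OUTPUT
#   0 = certificate enrolled as a MOK, 1 = not enrolled, 2 = unrecognised output
mok_status() {
    case "$1" in
        *"is already enrolled"*) return 0 ;;
        *"is not enrolled"*)     return 1 ;;
    esac
    return 2
}

# check_kernel KERNEL_IMAGE CERT_DER EXPECTED_CN
#   Runs the real tools and prints a verdict. Returns non-zero on the first
#   failed check so it can gate a reboot: check_kernel ... && sudo reboot
check_kernel() {
    _kernel=$1
    _cert=$2
    _cn=$3

    if ! mokutil --sb-state 2>/dev/null | grep -q 'SecureBoot enabled'; then
        echo "WARN: Secure Boot is not enabled; an unsigned kernel would boot unnoticed"
    fi

    # Is the certificate the kernel was signed with enrolled as a MOK?
    _mok_out=$(mokutil --test-key "$_cert" 2>&1) || true
    _rc=0; mok_status "$_mok_out" || _rc=$?
    case $_rc in
        0) echo "OK: $_cert is enrolled as a MOK" ;;
        1) echo "FAIL: $_cert is not enrolled (mokutil --import, then reboot to enroll)"; return 1 ;;
        *) echo "FAIL: could not interpret mokutil output: $_mok_out"; return 1 ;;
    esac

    # Does the image actually carry a signature by that certificate?
    _sig_out=$(pesign --show-signature --in "$_kernel" 2>&1) || true
    _rc=0; signature_status "$_sig_out" "$_cn" || _rc=$?
    case $_rc in
        0) echo "OK: $_kernel carries a signature by '$_cn'" ;;
        1) echo "FAIL: $_kernel has no signature (was the .signed file moved into place?)"; return 1 ;;
        *) echo "FAIL: $_kernel is signed, but not by '$_cn':"; echo "$_sig_out"; return 1 ;;
    esac
}

# Usage: ./check-signed-kernel.sh /boot/vmlinuz-<version> cert.der "mikaeldui Secure Boot"
if [ "$#" -eq 3 ]; then
    check_kernel "$1" "$2" "$3"
fi
```

Run it after the `pesign --sign` and `mv` steps and before rebooting; a FAIL on the MOK check means the enrollment reboot (and its MokManager prompt) has not happened yet, and a FAIL on the signature check means the signed file never replaced the original, which is exactly the situation that ends in “bad shim signature”.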