[systemd-devel] Building signed images with SecureBoot option in systemd's mkosi
Willie Wiholm
willie.wiholm at gmail.com
Fri Dec 2 15:41:04 UTC 2022
Hello,
I'm trying to create signed images with systemd's mkosi and need some general
help understanding how to implement it.
If this is not the correct forum for questions regarding mkosi then I
apologize and humbly ask for directions to the correct forum :-)
My steps:
Host:
Ubuntu 20.04
mkosi 13
Target:
Ubuntu 22.04
1. Build image without Secure Boot.
2. Create custom PK, KEK and db.
3. Convert keys and certs to EFI format (auth & esl).
4. Update UEFI firmware.
5. Sign my image with db.key and db.crt.
6. Activate Secure Boot.
This image boots fine with Secure Boot.
Next I created another image without any SecureBoot options.
Signed bootloader with only db.key and db.crt and activated Secure Boot.
The image boots with Secure Boot.
Next I want to create a signed image:
Add to mkosi.default
SecureBoot=yes
SecureBootKey=/work/mkosi_fork/mkosi/test_keys/db.key
SecureBootCertificate=/work/mkosi_fork/mkosi/test_keys/db.crt
Output from build showing correct binaries are getting signed:
https://pastebin.com/96YTeJSr
When I boot the image with Secure Boot enabled I get this error:
Error loading \xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\5.15.0-53-generic\linux: Access denied
Failed to execute Ubuntu 22.04 LTS (/xxxxxxxxxxxxxxxx/5.15.0.53-generic/linux): access denied
Which I don't understand.
I re-created a new image with the wrong key and got the expected "Wrong Key".
But my initial error suggests that the image is signed correctly
(which I can verify that it is) but that there is something else it is
trying to do.
I noticed that when I manually signed the binaries the key was added
to /boot/efi/db but not when built with mkosi.
The sbsign section in __init__.py is the same as when I did it manually.
If anyone has any idea on how to proceed I would be very thankful.
Best Regards,
Willie
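An added example, not part of the original post and not mkosi's or efitools' own code: step 3 of the procedure above (converting db.crt into an .esl) and the later observation that the key showed up in the firmware db in one case but not the other both come down to the EFI_SIGNATURE_LIST format. The block below builds an X.509 signature list in pure Python the way cert-to-efi-sig-list does, parses a chain of such lists back, and checks whether a given DER certificate is enrolled in a db variable read from efivarfs (whose first four bytes are the variable attributes, not part of the list chain). The certificate bytes, the owner GUID and the db variable contents are constructed for the example; in practice you would read the DER form of db.crt and /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f.

```python
"""Build and parse UEFI EFI_SIGNATURE_LIST (.esl) blobs holding X.509 certificates.

Added example, not mkosi's or efitools' code. Pure-Python equivalent of what
cert-to-efi-sig-list produces, plus a parser to check what a db variable holds.
"""
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# SignatureOwner is free-form (efitools takes it from -g). Arbitrary value for the example.
EXAMPLE_OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")


def build_x509_esl(cert_der: bytes, owner: uuid.UUID = EXAMPLE_OWNER_GUID) -> bytes:
    """Wrap one DER-encoded certificate in an EFI_SIGNATURE_LIST.

    Layout (all little-endian):
      SignatureType       GUID    16 bytes
      SignatureListSize   UINT32  total size of this list
      SignatureHeaderSize UINT32  0 for X.509 lists
      SignatureSize       UINT32  size of each EFI_SIGNATURE_DATA entry
      SignatureOwner      GUID    16 bytes   \\ one EFI_SIGNATURE_DATA
      SignatureData       bytes   the cert   /
    """
    sig_size = 16 + len(cert_der)
    list_size = 16 + 4 + 4 + 4 + sig_size
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def parse_esl_chain(blob: bytes) -> list:
    """Parse a concatenation of EFI_SIGNATURE_LISTs (as stored in PK/KEK/db/dbx).

    Returns a list of (signature_type, owner, data) tuples, one per entry.
    Raises ValueError on truncated or inconsistent lengths instead of guessing.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        body_start = off + 28 + hdr_size
        body_len = list_size - 28 - hdr_size
        if sig_size < 16 or body_len % sig_size != 0:
            raise ValueError("SignatureSize %d does not tile the list body" % sig_size)
        for i in range(body_len // sig_size):
            p = body_start + i * sig_size
            owner = uuid.UUID(bytes_le=blob[p:p + 16])
            entries.append((sig_type, owner, blob[p + 16:p + sig_size]))
        off += list_size
    return entries


def cert_in_db(cert_der: bytes, efivar_contents: bytes) -> bool:
    """True if cert_der is enrolled as an X.509 entry in a db variable.

    efivar_contents is the raw efivarfs file; its first 4 bytes are the
    variable attributes and are skipped before parsing the ESL chain.
    """
    esl_chain = efivar_contents[4:]
    return any(t == EFI_CERT_X509_GUID and data == cert_der
               for t, _owner, data in parse_esl_chain(esl_chain))


# Constructed sample input: NOT real certificates, just DER-looking bytes so the
# example runs offline. Replace with open("db.der", "rb").read() in practice.
FAKE_DB_CERT = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_OTHER_CERT = b"\x30\x82\x00\x40" + bytes(64)

# Constructed db variable: attributes word (NV|BS|RT|TIME_BASED_AUTH = 0x27)
# followed by two X.509 signature lists.
FAKE_DB_VARIABLE = (struct.pack("<I", 0x27)
                    + build_x509_esl(FAKE_OTHER_CERT)
                    + build_x509_esl(FAKE_DB_CERT))

if __name__ == "__main__":
    for sig_type, owner, data in parse_esl_chain(FAKE_DB_VARIABLE[4:]):
        print(sig_type, owner, len(data), "bytes")
    print("db.crt enrolled:", cert_in_db(FAKE_DB_CERT, FAKE_DB_VARIABLE))
```

The parser refuses to guess on a truncated or mis-sized list rather than silently returning a partial result, which matters when the question is exactly "is my signing certificate in db or not". Comparing the raw DER bytes is deliberate: firmware matches db entries byte-for-byte against the certificate in the PE signature, so a re-encoded or re-issued db.crt that differs by a single byte will not authorise the signed binary.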