[systemd-devel] Fedora 38 and signed PCR binding
Aleksandar Kostadinov
akostadi at redhat.com
Mon Sep 11 11:48:36 UTC 2023
Hi again. I tried to boot from UKI to no avail.
First created a "db" certificate
> openssl req -newkey rsa:2048 -nodes -keyout db_arch.key -new -x509 -sha256 -days 3650 -subj "/CN=My DB cert/" -out db.pem
> openssl x509 -outform DER -in db.pem -out db.crt
Then uploaded it to the Secure Boot trust store via a USB drive and the UEFI setup.
Then created UKI:
> /usr/lib/systemd/ukify \
> /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz \
> /boot/initramfs-6.4.12-200.fc38.x86_64.img \
> --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
> --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
> --phases='enter-initrd' \
> --pcr-banks=sha1,sha256 \
> --secureboot-private-key=/etc/secure_boot/db.key \
> --secureboot-certificate=/etc/secure_boot/db.pem \
> --sign-kernel \
> --cmdline='ro rhgb'
Then added a boot entry:
> efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ612.EFI -L "Fedora UKI"
Unfortunately when trying to boot this I get:
> Bad kernel image: Load Error
It seems like it tries to boot, because momentarily I see a mouse cursor
and then the terminal resets and I see the error message. Actually I
see it twice before the GRUB bootloader entry gets picked up.
Any ideas what I might be doing wrong? This is on Fedora 38.
On Tue, Sep 5, 2023 at 1:20 PM Lennart Poettering
<lennart at poettering.net> wrote:
>
> On Sa, 02.09.23 22:22, Aleksandar Kostadinov (akostadi at redhat.com) wrote:
>
> > Looking at the PR [1] it looks like I need to do a lot of things at
> > each update manually. Is the thing in the comment the only thing I
> > need to do or are there other things as well?
>
> There's nowadays "ukify" that does all of this for you in one
> relatively easy step, it's our recommended approach to building UKIs
> these days.
>
> Lennart
>
> --
> Lennart Poettering, Berlin
>
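As an added example (not part of the post, and not systemd's own tooling), here is a POSIX sh pre-flight check for a UKI built the way the post does it, to run before pointing an EFI boot entry at the file. It warns about missing PE sections, verifies the outer Authenticode signature against the db certificate with sbverify, extracts the embedded kernel from the .linux section with objcopy and walks its own MZ/PE header to confirm it is an image for the expected machine type (the stub validates that header before handing over to the embedded kernel), and finally checks whether the embedded kernel carries a signature from the same certificate, which is what --sign-kernel is meant to produce. binutils and sbsigntools are real tools; the paths in the usage comment are the ones from the post, and /boot/efi as the ESP mount point is an assumption.

```shell
#!/bin/sh
# Added example (not from the mailing-list post, not part of systemd): pre-flight
# checks for a UKI built with ukify before pointing an EFI boot entry at it.
# Assumes binutils (objdump, objcopy) and sbsigntools (sbverify) are installed.
set -eu

# Print N bytes of FILE starting at OFFSET as space-separated unsigned decimals.
# (od complains when OFFSET is past EOF; that just yields an empty result.)
bytes_at() { od -An -v -tu1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -s ' \n' ' '; }

# Little-endian integer from the byte values passed as arguments.
le() {
    v=0; s=0
    for b in "$@"; do v=$(( v + (b << s) )); s=$(( s + 8 )); done
    echo "$v"
}

# Print the COFF Machine field of a PE image (0x8664 for x86-64, 0xaa64 for
# aarch64), or "not-pe" if the MZ/PE headers do not parse.  This is the same
# header walk the stub performs on the embedded kernel before handing over.
pe_machine() {
    f=$1
    set -- $(bytes_at "$f" 0 2)                         # "MZ"
    [ "$#" -eq 2 ] && [ "$1" -eq 77 ] && [ "$2" -eq 90 ] || { echo not-pe; return; }
    set -- $(bytes_at "$f" 60 4)                        # e_lfanew
    [ "$#" -eq 4 ] || { echo not-pe; return; }
    lfanew=$(le "$@")
    set -- $(bytes_at "$f" "$lfanew" 4)                 # "PE\0\0"
    [ "$#" -eq 4 ] && [ "$1" -eq 80 ] && [ "$2" -eq 69 ] && [ "$3" -eq 0 ] && [ "$4" -eq 0 ] \
        || { echo not-pe; return; }
    set -- $(bytes_at "$f" $(( lfanew + 4 )) 2)         # Machine
    printf '0x%04x\n' "$(le "$@")"
}

# check_uki UKI DB_CERT_PEM [MACHINE]: warn about missing sections, verify the
# outer Authenticode signature against the db certificate, extract .linux and
# confirm it is a PE for MACHINE, then see whether it carries its own signature
# from the same certificate (what --sign-kernel is supposed to produce).
check_uki() {
    uki=$1 cert=$2 want=${3:-0x8664} rc=0
    for sec in .linux .initrd .cmdline .pcrsig .pcrpkey; do
        objdump -h "$uki" | grep -q "[[:space:]]\\$sec[[:space:]]" \
            || echo "warning: $uki has no $sec section"
    done
    sbverify --cert "$cert" "$uki" \
        || { echo "FAIL: outer signature of $uki does not verify against $cert"; rc=1; }
    inner=${TMPDIR:-/tmp}/uki-linux.$$
    objcopy -O binary --only-section=.linux "$uki" "$inner"
    m=$(pe_machine "$inner")
    [ "$m" = "$want" ] \
        || { echo "FAIL: embedded kernel has machine $m, expected $want"; rc=1; }
    sbverify --cert "$cert" "$inner" \
        || echo "note: embedded kernel is not signed by $cert (expected without --sign-kernel)"
    rm -f "$inner"
    return "$rc"
}

# Example invocation with the paths from the post; /boot/efi as the ESP mount
# point is an assumption:
#   check_uki /boot/efi/EFI/FEDORA/UKI/VMLINUZ612.EFI /etc/secure_boot/db.pem 0x8664
if [ "$#" -ge 2 ]; then check_uki "$@"; fi
```

Run it against the copy on the ESP rather than the build output, since that is the file the firmware loads. A "not-pe" or wrong-machine result for the embedded kernel points at the kernel input given to ukify; a failed outer sbverify points at the signing key and certificate pair. Note that the openssl command in the post writes the private key as db_arch.key while ukify is given db.key, so it is worth confirming that the key passed to ukify is the one whose certificate was enrolled in db.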