[systemd-devel] Fedora 38 and signed PCR binding
Lennart Poettering
lennart at poettering.net
Mon Sep 11 11:57:17 UTC 2023
On Mo, 11.09.23 14:48, Aleksandar Kostadinov (akostadi at redhat.com) wrote:
> Hi again. I tried to boot from UKI to no avail.
>
> First created a "db" certificate
> > openssl req -newkey rsa:2048 -nodes -keyout db_arch.key -new -x509 -sha256 -days 3650 -subj "/CN=My DB cert/" -out db.pem
> > openssl x509 -outform DER -in db.pem -out db.crt
>
> Then uploaded it to secure boot trust via USB drive and the UEFI setup.
>
> Then created UKI:
> > /usr/lib/systemd/ukify \
> > /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz \
> > /boot/initramfs-6.4.12-200.fc38.x86_64.img \
> > --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
> > --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
> > --phases='enter-initrd' \
> > --pcr-banks=sha1,sha256 \
> > --secureboot-private-key=/etc/secure_boot/db.key \
> > --secureboot-certificate=/etc/secure_boot/db.pem \
> > --sign-kernel \
> > --cmdline='ro rhgb'
>
> Then added a boot entry:
> > efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ612.EFI -L "Fedora UKI"
>
> Unfortunately when trying to boot this I get:
> > Bad kernel image: Load Error
That suggests the kernel you picked does not carry a correct PE/MZ
signature. I.e., we generate that error typically if we can't jump into
it because it doesn't come with the right PE headers.
Lennart
--
Lennart Poettering, Berlin
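A quick way to check whether a vmlinuz, or the image ukify wrote, actually carries the MZ/PE headers the firmware and sd-stub need, as an added example (not code from this thread or from systemd): it parses the DOS stub, the COFF file header and the section table, and lists the section names, so a UKI should show `.linux`, `.initrd`, `.cmdline` and, with `--pcr-private-key`, `.pcrsig`. The minimal PE image it builds for self-testing is constructed here and is not a real kernel.

```python
import struct
import sys

# COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes after "PE\0\0").
COFF_FMT = "<HHIIIHH"
SECTION_HEADER_SIZE = 40
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def pe_sections(data: bytes):
    """Return {"machine", "sections"} if data starts with a valid MZ/PE header, else None.

    A bzImage built with CONFIG_EFI_STUB, and every UKI produced by ukify, passes
    this check; an image that fails it is one the firmware cannot load or jump into.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    if table + SECTION_HEADER_SIZE * nsec > len(data):
        return None  # truncated image
    names = []
    for i in range(nsec):
        off = table + SECTION_HEADER_SIZE * i
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "sections": names}


def build_minimal_pe(section_names, machine=IMAGE_FILE_MACHINE_AMD64) -> bytes:
    """Constructed test input: headers-only PE image with the given section names."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack(COFF_FMT, machine, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_stub + coff + sections


if __name__ == "__main__":
    # Usage: python pecheck.py /lib/modules/<ver>/vmlinuz  (or the UKI ukify wrote)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            info = pe_sections(f.read())
        if info is None:
            print(f"{path}: no valid MZ/PE header (firmware will report a load error)")
        else:
            print(f"{path}: machine=0x{info['machine']:04x} sections={info['sections']}")
```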