[systemd-devel] Fedora 38 and signed PCR binding
Aleksandar Kostadinov
akostadi at redhat.com
Fri Sep 15 09:02:43 UTC 2023
Will appreciate any pointers about debugging and fixing this!
On Tue, Sep 12, 2023 at 2:55 AM Aleksandar Kostadinov
<akostadi at redhat.com> wrote:
>
> On Mon, Sep 11, 2023 at 2:57 PM Lennart Poettering
> <lennart at poettering.net> wrote:
> >
> > On Mo, 11.09.23 14:48, Aleksandar Kostadinov (akostadi at redhat.com) wrote:
> >
> > > Hi again. I tried to boot from UKI to no avail.
> > >
> > > First created a "db" certificate
> > > > openssl req -newkey rsa:2048 -nodes -keyout db_arch.key -new -x509 -sha256 -days 3650 -subj "/CN=My DB cert/" -out db.pem
> > > > openssl x509 -outform DER -in db.pem -out db.crt
> > >
> > > Then uploaded it to secure boot trust via USB drive and the UEFI setup.
> > >
> > > Then created UKI:
> > > > /usr/lib/systemd/ukify \
> > > > /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz \
> > > > /boot/initramfs-6.4.12-200.fc38.x86_64.img \
> > > > --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
> > > > --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
> > > > --phases='enter-initrd' \
> > > > --pcr-banks=sha1,sha256 \
> > > > --secureboot-private-key=/etc/secure_boot/db.key \
> > > > --secureboot-certificate=/etc/secure_boot/db.pem \
> > > > --sign-kernel \
> > > > --cmdline='ro rhgb'
> > >
> > > Then added a boot entry:
> > > > efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ612.EFI -L "Fedora UKI"
> > >
> > > Unfortunately when trying to boot this I get:
> > > > Bad kernel image: Load Error
> >
> > That suggests the kernel you picked does not carry a correct PE/MZ
> > signature. i.e. we generate that error typically if we can't jump into
> > it because it doesn't come with the right PE headers.
>
> This is just a standard kernel coming with Fedora 38. I didn't modify
> it. Also initrd as generated by dracut.
>
> > $ hexdump -C -n4 < /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz
> > 00000000 4d 5a ea 07 |MZ..|
> > $ file /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz
> > /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz: Linux kernel x86 boot executable bzImage, version 6.4.12-200.fc38.x86_64 (mockbuild at 30894952d3244f1ab967aeda9ed417f6) #1 SMP PREEMPT_DYNAMIC Wed Aug 23 17:46:49 UTC 2023, RO-rootFS, swap_dev 0XD, Normal VGA
>
> Any suggestions on how to fix it?
>
> If it matters -- ukify 253 (253.7-1.fc38)
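The thread turns on whether the kernel image has the PE headers and the Authenticode certificate table that the boot loader expects. The following Python script is an added example, not code from the thread or from systemd: it walks the MZ/PE header structure (e_lfanew at offset 0x3C, the COFF header, the optional header's data directories) and reports whether a file is a PE image and whether its certificate table (data directory index 4) is non-empty. The `build_pe_stub` helper constructs minimal header-only PE images so the checks run offline; those images are constructed for the demonstration, not real kernels. The script only inspects structure; it does not verify the signature cryptographically, which is the job of a tool such as `sbverify`.

```python
"""Inspect a file for the PE headers and certificate table a UEFI loader needs."""
import struct
import sys


def inspect_pe(data: bytes) -> dict:
    """Return basic PE facts for a byte string: MZ present, PE present,
    machine type and the size of the Authenticode certificate table."""
    result = {"mz": False, "pe": False, "machine": None, "cert_table_size": 0}
    if len(data) < 64 or data[:2] != b"MZ":
        return result
    result["mz"] = True
    # e_lfanew (offset of the PE signature) lives at DOS header offset 0x3C
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    result["pe"] = True
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    result["machine"] = machine
    opt = coff + 20
    if opt + 2 > len(data):
        return result
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at optional-header offset 96 (PE32) or 112 (PE32+);
    # NumberOfRvaAndSizes is the 4-byte field immediately before them.
    dd_off = opt + (96 if magic == 0x10B else 112)
    if dd_off + 5 * 8 > len(data) or dd_off > opt + opt_size:
        return result
    num_rva = struct.unpack_from("<I", data, dd_off - 4)[0]
    if num_rva > 4:
        # Directory entry 4 is the Certificate Table (Authenticode signature)
        _, cert_size = struct.unpack_from("<II", data, dd_off + 4 * 8)
        result["cert_table_size"] = cert_size
    return result


def classify(data: bytes) -> str:
    """Summarise inspect_pe() as one line a boot-preparation script can log."""
    info = inspect_pe(data)
    if not info["pe"]:
        return "not a PE image"
    if info["cert_table_size"] == 0:
        return "PE image without certificate table (unsigned)"
    return "PE image with certificate table (signed)"


def build_pe_stub(cert_size: int, pe32plus: bool = True) -> bytes:
    """Construct a header-only PE image for demonstration (not a real kernel)."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    magic = 0x20B if pe32plus else 0x10B
    opt_size = 240 if pe32plus else 224          # 16 data directories included
    machine = 0x8664 if pe32plus else 0x14C       # AMD64 or i386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    dd_off = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd_off - 4, 16)   # NumberOfRvaAndSizes
    cert_offset = 0x1000 if cert_size else 0      # constructed placeholder offset
    struct.pack_into("<II", opt, dd_off + 4 * 8, cert_offset, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1] + ": " + classify(f.read()))
    else:
        # Constructed inputs: an ELF-like blob, a signed PE32+ stub, an unsigned one
        for label, blob in [("elf", b"\x7fELF" + b"\0" * 60),
                            ("signed", build_pe_stub(0x1234)),
                            ("unsigned", build_pe_stub(0))]:
            print(label + ": " + classify(blob))
```

Run it against a kernel or UKI (`python3 pecheck.py /lib/modules/<ver>/vmlinuz`) before adding a boot entry with efibootmgr; an image that reports "not a PE image" lacks the EFI stub headers a UEFI loader needs, and one reporting "unsigned" will not pass Secure Boot regardless of which certificate is enrolled in db.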