Signing kernel
Dmitry Kasatkin
dmitry.kasatkin at gmail.com
Wed Sep 25 14:11:57 UTC 2013
On Wed, Sep 25, 2013 at 4:47 PM, Andy Whitcroft <apw at canonical.com> wrote:
> On Wed, Sep 25, 2013 at 01:50:58PM +0300, Dmitry Kasatkin wrote:
>> Hello,
>>
>> How is Ubuntu kernel signing done?
>>
>> I am able to use "sbsign" to sign the kernel and boot it from UEFI
>> boot manager or from other one like gummiboot.
>>
>> But my Ubuntu grub does not want to boot it..
>> Just hangs..
>>
>> Any advice?
>
> As far as I know that is the same procedure as used to sign the
> kernels. They are signed using sbsign though obviously using a secret
> key that is specific to Ubuntu. How does gummiboot allow you to add
> your personal secret key for your kernels?
>
> -apw
I took ownership of the platform by enrolling my own keys: PK, KEK and db.
http://blog.hansenpartnership.com/
http://www.kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/
And I do signing using sbsign.
UEFI is able to boot my kernel directly or using UEFI bootloaders such
as gummiboot.
But Ubuntu grub does not want to boot it.
I thought it should use "db" keys to verify.
Or does it use only Canonical key?
--
Thanks,
Dmitry