Comments (9)
`sbctl` signs EFI executables; kernel modules use a different method, and that is something the tool doesn't support.
Grub requires modules to be built into the bootloader and not sideloaded, along with some different flags. Please check the ArchWiki or the documentation your distribution has on this.
https://wiki.archlinux.org/title/GRUB#Secure_Boot_support
from sbctl.
> When I try to sign my kernel using `sbctl sign -s` I'm receiving the following error:
> /boot/kernel-6.1.19-gentoo: failed to fetch signatures slice: could not get datadirectory: couldn't parse PE file: unrecognized PE machine: 0x5ea.
This error makes me think you have built your kernel without the required EFISTUB support. So effectively the kernel is not an EFI binary. But you need to check your distro and/or build options for that.
from sbctl.
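As an added diagnostic (not code from the sbctl project), a small header check that follows the reasoning above: a kernel built without CONFIG_EFI_STUB has no MZ/PE headers, and the 0x5ea in the error is the little-endian reading of a stub-less bzImage's first two bytes (the real-mode far jump, `ea 05`) taken as the PE Machine field by a parser that does not insist on an MZ stub. The path is the one from the thread; the sample bytes are constructed.

```python
import struct
import sys

# PE Machine values for the common UEFI targets (a subset of what sbctl's Go parser accepts).
PE_MACHINES = {0x8664: "x86-64", 0xAA64: "AArch64", 0x014C: "i386"}

def check_efi_image(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason): does `data` carry the PE/COFF headers an EFI signer needs?"""
    if len(data) < 0x40 or data[:2] != b"MZ":
        # A PE parser that does not insist on "MZ" reads the Machine field straight
        # from offset 0; on a stub-less bzImage those are the far-jump opcode bytes.
        (raw,) = struct.unpack_from("<H", data, 0) if len(data) >= 2 else (0,)
        return False, (f"no MZ header (offset 0 reads as PE machine 0x{raw:x}): "
                       "kernel likely built without CONFIG_EFI_STUB")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, f"no PE signature at e_lfanew=0x{e_lfanew:x}"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    if machine not in PE_MACHINES:
        return False, f"unrecognized PE machine: 0x{machine:x}"
    return True, f"PE image for {PE_MACHINES[machine]}, signable as an EFI binary"

def make_minimal_pe(machine: int) -> bytes:
    """Constructed header-only PE blob for testing; not a real EFI image."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)     # e_lfanew -> PE signature offset
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, machine)  # IMAGE_FILE_HEADER.Machine
    return bytes(hdr)

# Constructed sample: first bytes of a stub-less x86 bzImage boot sector
# (real-mode `ljmp $0x07c0,$0x0005`), zero-padded to 512 bytes; not a real kernel.
STUBLESS_BZIMAGE = b"\xea\x05\x00\xc0\x07" + b"\x00" * 0x1FB

if __name__ == "__main__":
    # Usage: python check_efi.py /boot/kernel-6.1.19-gentoo
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read(0x1000) if path else STUBLESS_BZIMAGE
    ok, why = check_efi_image(blob)
    print(f"{path or 'constructed sample'}: {'OK' if ok else 'NOT signable'}: {why}")
    sys.exit(0 if ok else 1)
```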
I compiled my kernel without EFISTUB support indeed, because I load the kernel via grub and disable everything that I do not need in my kernel, for size, performance and security reasons. This should solve the issue of not being able to sign the kernel. Will I be required to sign my kernel modules too (will my system fully load if I do not sign my kernel modules)?
from sbctl.
Secure Boot and kernel module signing are two separate things. Your machine will boot regardless of what you do.
However if you enable lockdown mode, or build with CONFIG_IMA_ARCH_POLICY, the kernel will demand signed modules. This can only be achieved by controlling the built-in key in the kernel or using a shim to load a MOK into the keyring of the kernel.
But since you build your own kernel it will just be guess work on my end what you support and don't support.
from sbctl.
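An added helper, not part of sbctl or the kernel tree, that inspects the trailer the kernel's scripts/sign-file appends to a module: [PKCS#7 DER signature][struct module_signature][magic string]. It only parses the trailer layout so you can tell signed from unsigned modules; verifying the PKCS#7 against the built-in key is the kernel's job at load time. The sample module bytes are constructed.

```python
import struct
from typing import Optional

MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature (include/linux/module_signature.h), sig_len is big-endian:
#   u8 algo, hash, id_type, signer_len, key_id_len, __pad[3]; __be32 sig_len
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2   # id_type written by scripts/sign-file on current kernels

def module_signature_info(ko: bytes) -> Optional[dict]:
    """Return the appended-signature trailer of a .ko image, or None if unsigned."""
    if not ko.endswith(MODULE_SIG_STRING):
        return None
    body = ko[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO.size:
        raise ValueError("truncated module_signature struct")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(body[-SIG_INFO.size:])
    payload = body[:-SIG_INFO.size]
    if sig_len > len(payload):
        raise ValueError("sig_len exceeds module size")
    sig = payload[-sig_len:] if sig_len else b""
    return {
        "id_type": id_type,
        "pkcs7": id_type == PKEY_ID_PKCS7 and sig[:1] == b"\x30",  # DER SEQUENCE tag
        "sig_len": sig_len,
        "module_len": len(payload) - sig_len,  # bytes actually covered by the signature
    }

def make_signed_sample(module: bytes, fake_sig: bytes) -> bytes:
    """Constructed .ko-like blob with the trailer laid out the way sign-file writes it."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(fake_sig))
    return module + fake_sig + info + MODULE_SIG_STRING

# Constructed inputs: not real modules; the "signature" is only a DER-looking stub.
UNSIGNED_KO = b"\x7fELF" + b"\x00" * 60
SIGNED_KO = make_signed_sample(UNSIGNED_KO, b"\x30\x82\x01\x00" + b"\xaa" * 12)

if __name__ == "__main__":
    for name, blob in (("unsigned", UNSIGNED_KO), ("signed", SIGNED_KO)):
        print(name, module_signature_info(blob))
```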
> Secure Boot and kernel module signing are two separate things. Your machine will boot regardless of what you do.
> However if you enable lockdown mode, or build with CONFIG_IMA_ARCH_POLICY, the kernel will demand signed modules. This can only be achieved by controlling the built-in key in the kernel or using a shim to load a MOK into the keyring of the kernel. But since you build your own kernel it will just be guess work on my end what you support and don't support.
Thank you, I understand what I need to do here as I use the built-in key in the kernel for signing the kernel modules, which I will keep using then.
from sbctl.
> When I try to sign my kernel using `sbctl sign -s` I'm receiving the following error:
> /boot/kernel-6.1.19-gentoo: failed to fetch signatures slice: could not get datadirectory: couldn't parse PE file: unrecognized PE machine: 0x5ea.
>
> This error makes me think you have built your kernel without the required EFISTUB support. So effectively the kernel is not an EFI binary. But you need to check your distro and/or build options for that.
I'm running Gentoo, but from what I quickly understood from the Arch documentation, I basically need to use grub-mkstandalone to make a standalone EFI file if I'm correct?
from sbctl.
> I'm running Gentoo, but from what I quickly understood from the Arch documentation, I basically need to use grub-mkstandalone to make a standalone EFI file if I'm correct?

Sounds correct. I don't use grub so you need to figure that out on your own.
from sbctl.
> I'm running Gentoo, but from what I quickly understood from the Arch documentation, I basically need to use grub-mkstandalone to make a standalone EFI file if I'm correct?
>
> Sounds correct. I don't use grub so you need to figure that out on your own.

What is the boot manager that I should be using to easily be able to generate bundles (including kernel cmd line arguments; that's all I'd need. I don't even use an initramfs except for microcode)? Does this happen to be systemd-boot (as this wouldn't be a problem, as I'm running gentoo with systemd)?
from sbctl.
I just use systemd-boot and am happy with that. You'll have to check if it fits your needs.
from sbctl.