@ly4096x
Created March 30, 2020 04:53
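# Sign the out-of-tree wireguard kernel module with a locally generated
# Machine Owner Key (MOK) so that a kernel enforcing module signatures under
# Secure Boot will load it.
#
# Meant to be run step by step from one working directory. When only
# re-signing after an update (key already generated and enrolled), skip
# sections 1-2 and run section 3 only -- assumed to be what the original
# "use line 28-32 only" note referred to; TODO confirm.
#
# Files written to the current directory: req.in, public_key.der,
# private_key.priv (plus a temporary copy of the module).

# --- 1. Generate the signing key pair ---------------------------------------
# Quoted delimiter: the config is written literally, with no shell expansion.
cat << 'EOF' > req.in
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
O = local_kmod
CN = local_kmod CN
emailAddress = local@local
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

# -nodes leaves private_key.priv unencrypted on disk and -days 36500 makes the
# certificate valid for roughly 100 years. Once the certificate is enrolled,
# anyone who can read the private key can sign modules this machine will
# load, so create it under a restrictive umask (the subshell keeps the umask
# change local) and move it off the machine when it is not needed for signing.
#
# --- 2. Enroll the certificate as a MOK --------------------------------------
# mokutil asks for a one-time password; write it down, the MOK manager asks
# for it again on the next boot. The && stops a failed key generation from
# enrolling a stale public_key.der left over from an earlier run.
(
  umask 077
  openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch \
    -config req.in -outform DER -out public_key.der -keyout private_key.priv
) &&
  sudo mokutil --import public_key.der

# --- 3. Sign the module and install the signed copy --------------------------
# The steps are chained with && so that a failed decompression or signing
# never leads to overwriting the installed module or rebuilding the initramfs.
# To check the result by hand, `modinfo ./wireguard.ko` run between sign-file
# and xz should list the signer.
kver="$(uname -r)"
module_dir="/lib/modules/${kver}/extra"
cp -- "${module_dir}/wireguard.ko.xz" . &&
  unxz wireguard.ko.xz &&
  "/usr/src/kernels/${kver}/scripts/sign-file" sha256 private_key.priv public_key.der wireguard.ko &&
  xz wireguard.ko &&
  sudo cp -- wireguard.ko.xz "${module_dir}/wireguard.ko.xz" &&
  sudo dracut -fv

# Reboot now; after a new enrollment the MOK manager prompts for the password
# chosen in section 2.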