This script goes into /etc/kernel/postinst.d. You have to make it executable by root, e.g. chown root:root /etc/kernel/postinst.d/00-signing ; chmod u+rx /etc/kernel/postinst.d/00-signing. It assists you with automatically signing freshly installed kernel images using the machine owner key (MOK), in a way similar to what dkms does. This is mainly useful if you want to use mainline kernels on Ubuntu on Secure Boot enabled systems. It needs shim-signed to be set up. If you have questions, this page might help you: https://wiki.ubuntu.com/UEFI/SecureBoot#MOK_generation_and_signing_process
While I made this for Ubuntu 20.04, it should work on current Debian-based distributions. YMMV.
Last active: February 16, 2025 15:13
Automatically Sign Kernels After Installation
```sh
#!/bin/sh
# /etc/kernel/postinst.d/00-signing
# Run by the kernel package's postinst via run-parts as: <script> <version> <image path>
set -e

KERNEL_IMAGE="$2"
MOK_DIRECTORY="/var/lib/shim-signed/mok"

if [ "$#" -ne "2" ] ; then
    echo "Wrong count of command line arguments. This is not meant to be called directly." >&2
    exit 1
fi

# sbsign is provided by the sbsigntool package.
if [ ! -x "$(command -v sbsign)" ] ; then
    echo "sbsign not executable. Bailing." >&2
    exit 1
fi

# The MOK created by shim-signed / update-secureboot-policy lives here.
if [ ! -r "$MOK_DIRECTORY/MOK.der" ] ; then
    echo "$MOK_DIRECTORY/MOK.der is not readable." >&2
    exit 1
fi

if [ ! -r "$MOK_DIRECTORY/MOK.priv" ] ; then
    echo "$MOK_DIRECTORY/MOK.priv is not readable." >&2
    exit 1
fi

# The image is signed in place, so it must be writable.
if [ ! -w "$KERNEL_IMAGE" ] ; then
    echo "Kernel image $KERNEL_IMAGE is not writable." >&2
    exit 1
fi

# sbsign expects the certificate in PEM form; derive it once from MOK.der.
if [ ! -r "$MOK_DIRECTORY/MOK.pem" ] ; then
    echo "MOK.pem missing. Generating from MOK.der."
    if [ ! -x "$(command -v openssl)" ] ; then
        echo "openssl could not be found. Bailing." >&2
        exit 1
    fi
    openssl x509 -in "$MOK_DIRECTORY/MOK.der" -inform DER -outform PEM -out "$MOK_DIRECTORY/MOK.pem" || { echo "Conversion failed. Bailing." >&2; exit 1 ; }
fi

echo "Signing $KERNEL_IMAGE..."
# Sign the freshly installed kernel image in place with the machine owner key.
sbsign --key "$MOK_DIRECTORY/MOK.priv" --cert "$MOK_DIRECTORY/MOK.pem" --output "$KERNEL_IMAGE" "$KERNEL_IMAGE"
```
Hi @berglh ,
Thank you very much for your research, and for sharing it. This sounds really cool, I'll soon look into it!
Regards,
Max
Hi @maxried,
I've re-adapted your script in my repository to verify that the kernel being signed is actually being installed by mainline, which will prevent any other kernels from being signed. The script: mainline
You will need to adjust the path to the MOK file accordingly.
In addition to that, I've figured out how to generate the Machine Owner Key that works with signing kernels for Ubuntu 21.04 and newer. It is not possible to use the Ubuntu generated MOK key, as it has the module signing Extended Key Usage code, which shim fails to validate on loading a kernel image. It expects anything other than 1.3.6.1.4.1.2312.16.1.2; if this code is present in the MOK, it cannot be used to sign kernels to be loaded by shim. The creation of a kernel signing MOK is accomplished using the following script. I've tested this using mainline and Ubuntu kernel version v5.13.13 on Ubuntu 21.04. It is possible that earlier versions of the debs will use xz compression for the data file inside the mainline deb file, which will cause this script to fail, but anything new should use zstd compression. Could be useful for others.
Cheers,
Berg
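Combining the signing hook from the gist with the EKU caveat raised in this comment, here is an added example (not the gist author's script and not code from berglh's repository): it refuses to sign with a MOK that carries the module-signing EKU, and verifies the signature with sbverify after signing instead of trusting sbsign's exit code alone. It assumes openssl, sbsign and sbverify are in PATH and that the MOK files live where the gist keeps them.

```sh
#!/bin/sh
# Added example: pre-flight and post-signing checks for a MOK-signed kernel.
# Assumes openssl, sbsign and sbverify are installed and the MOK lives in
# /var/lib/shim-signed/mok as in the gist (override with MOK_DIRECTORY).
set -e
MOK_DIRECTORY="${MOK_DIRECTORY:-/var/lib/shim-signed/mok}"
# EKU OID that marks a certificate as module-signing only; shim rejects
# kernel signatures made with such a certificate (see the comment above).
MODULE_SIGNING_EKU="1.3.6.1.4.1.2312.16.1.2"

# Pure text check over `openssl x509 -noout -ext extendedKeyUsage` output,
# so it can be exercised without a real certificate. Returns 0 when the
# module-signing OID is listed, 1 otherwise.
has_module_signing_eku() {
    printf '%s\n' "$1" | tr -d ' ' | tr ',' '\n' | grep -qxF "$MODULE_SIGNING_EKU"
}

# Returns 0 if the certificate may sign kernels, 1 if it carries the
# module-signing EKU, 2 if openssl cannot read it (or is missing).
mok_cert_ok_for_kernels() {
    cert="$1"; inform="${2:-DER}"
    eku=$(openssl x509 -in "$cert" -inform "$inform" -noout \
          -ext extendedKeyUsage 2>/dev/null) || return 2
    if has_module_signing_eku "$eku"; then return 1; fi
    return 0
}

# Sign the image in place (as the gist does) and confirm the result
# actually verifies against the MOK certificate before declaring success.
sign_and_verify() {
    image="$1"
    sbsign --key "$MOK_DIRECTORY/MOK.priv" --cert "$MOK_DIRECTORY/MOK.pem" \
        --output "$image" "$image"
    sbverify --cert "$MOK_DIRECTORY/MOK.pem" "$image"
}

main() {
    [ "$#" -eq 2 ] || { echo "usage: $0 <version> <kernel image>" >&2; exit 1; }
    rc=0
    mok_cert_ok_for_kernels "$MOK_DIRECTORY/MOK.der" || rc=$?
    case $rc in
        0) ;;
        1) echo "MOK.der carries EKU $MODULE_SIGNING_EKU; shim will reject kernels signed with it." >&2; exit 1 ;;
        *) echo "Cannot read $MOK_DIRECTORY/MOK.der with openssl." >&2; exit 1 ;;
    esac
    sign_and_verify "$2"
}
# Run only when invoked as a postinst.d hook (arguments: version, image path).
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The `-ext` option of `openssl x509` needs OpenSSL 1.1.1 or newer; `mok_cert_ok_for_kernels` can also be run once by hand against a freshly generated MOK before enrolling it.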