[opensuse-factory] Searching for command to check if a kernel is signed - openSUSE Factory - openSUSE Mailing Lists

newer
[opensuse-factory] GNOME Repo...

[opensuse-factory] Searching for command to check if a kernel is signed

older
[opensuse-factory] Status: Tests

Roman Bysh

29 Jul 2014 29 Jul '14

19:05

Hello All, What is the command to check if my kernel is signed? -- Cheers! Roman -------------------------------------------- openSUSE -- Get it! Discover it! Share it! -------------------------------------------- http://linuxcounter.net/ #179293 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Reply

Sign in to reply online Use email software

Show replies by date

Patrick Shanahan

29 Jul 29 Jul

21:59

* Roman Bysh [07-29-14 15:06]:

What is the command to check if my kernel is signed?

rpm -qi <kernel> -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://linuxcounter.net -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Reply

Sign in to reply online Use email software

Roman Bysh

23:50

On 07/29/2014 05:59 PM, Patrick Shanahan wrote:

* Roman Bysh [07-29-14 15:06]:

...
What is the command to check if my kernel is signed?

rpm -qi <kernel>

Ah yes. Signature: RSA/SHA256, Wed 25 Jun 2014 02:24:55 AM EDT, Key ID b88b2fd43dbdc284 Thanks Patrick. -- Cheers! Roman -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Reply

Sign in to reply online Use email software

Andrey Borzenkov

30 Jul 30 Jul

04:59

On Tue, Jul 29, 2014 at 11:05 PM, Roman Bysh wrote:

Hello All,

What is the command to check if my kernel is signed?

Do you mean kernel RPM or kernel binary (EFI secure boot)? -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Reply

Sign in to reply online Use email software

Roman Bysh

19:07

On 07/30/2014 12:59 AM, Andrey Borzenkov wrote:

On Tue, Jul 29, 2014 at 11:05 PM, Roman Bysh wrote:

...
Hello All,

What is the command to check if my kernel is signed?

Do you mean kernel RPM or kernel binary (EFI secure boot)?

It's for secure boot. -- Cheers! Roman -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Reply

Sign in to reply online Use email software

Shawn W Dunn

20:41

On Wednesday 30 July 2014 15:07:42 Roman Bysh wrote:

On 07/30/2014 12:59 AM, Andrey Borzenkov wrote:

...
On Tue, Jul 29, 2014 at 11:05 PM, Roman Bysh wrote:

...
Hello All,

What is the command to check if my kernel is signed?

Do you mean kernel RPM or kernel binary (EFI secure boot)?

It's for secure boot.

Roman: This is probably worth a read: http://en.opensuse.org/openSUSE:UEFI#Booting_a_Tumbleweed_kernel

Reply

Sign in to reply online Use email software

Andrey Borzenkov

31 Jul 31 Jul

02:32

В Wed, 30 Jul 2014 15:07:42 -0400 Roman Bysh пишет:

On 07/30/2014 12:59 AM, Andrey Borzenkov wrote:

...
On Tue, Jul 29, 2014 at 11:05 PM, Roman Bysh wrote:

...
Hello All,

What is the command to check if my kernel is signed?

Do you mean kernel RPM or kernel binary (EFI secure boot)?

It's for secure boot.

bor@opensuse:/tmp/x> certutil -d . -N bor@opensuse:/tmp/x> pesign -n . -S -i /boot/vmlinuz --------------------------------------------- certificate address is 0x7fd82572a238 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Tue Jun 17, 2014 There were certs or crls included. --------------------------------------------- bor@opensuse:/tmp/x> But I do not know where to get openSUSE certificate to validate signature against. Also you must init (empty) NSS store, otherwise pesign fails, it looks into /etc/nss/pesign by default. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Reply

Sign in to reply online Use email software

Gary Ching-Pang Lin

03:00

On Thu, Jul 31, 2014 at 06:32:36AM +0400, Andrey Borzenkov wrote:

В Wed, 30 Jul 2014 15:07:42 -0400 Roman Bysh пишет:

...
On 07/30/2014 12:59 AM, Andrey Borzenkov wrote:

...
On Tue, Jul 29, 2014 at 11:05 PM, Roman Bysh wrote:

...
Hello All,

What is the command to check if my kernel is signed?

Do you mean kernel RPM or kernel binary (EFI secure boot)?

It's for secure boot.

bor@opensuse:/tmp/x> certutil -d . -N bor@opensuse:/tmp/x> pesign -n . -S -i /boot/vmlinuz --------------------------------------------- certificate address is 0x7fd82572a238 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Tue Jun 17, 2014 There were certs or crls included. --------------------------------------------- bor@opensuse:/tmp/x>

But I do not know where to get openSUSE certificate to validate signature against. Also you must init (empty) NSS store, otherwise pesign fails, it looks into /etc/nss/pesign by default.

The openSUSE certificates is available in several projects in OBS, ex: https://build.opensuse.org/package/show/openSUSE:Factory/shim You will see two openSUSE CA: openSUSE-UEFI-CA-Certificate-4096.crt openSUSE-UEFI-CA-Certificate.crt The 4096 one is for EFI images before 13.1(included). openSUSE-UEFI-CA-Certificate.crt was created because some UEFI firmware didn't support a 4096bit key, so we created a new 2048bit key. For openSUSE 13.2+, we will use openSUSE-UEFI-CA-Certificate.crt. BTW, the newer pesign gets rid of the NSS requirement for some commands. If you are using pesign in Factory, "pesign -S -i /boot/vmlinuz" is sufficient. Cheers, Gary Lin -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Reply

Sign in to reply online Use email software

Roman Bysh

20:06

On 07/30/2014 12:59 AM, Andrey Borzenkov wrote:

On Tue, Jul 29, 2014 at 11:05 PM, Roman Bysh wrote:

...
Hello All,

What is the command to check if my kernel is signed?

Do you mean kernel RPM or kernel binary (EFI secure boot)?

The kernel binary (EFI secure boot). -- Cheers! Roman -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Reply

Sign in to reply online Use email software

3566

Age (days ago)

3568

Last active (days ago)

Download

8 comments

5 participants

tags

participants (5)

Andrey Borzenkov
Gary Ching-Pang Lin
Patrick Shanahan
Roman Bysh
Shawn W Dunn