[opensuse-factory] Searching for command to check if a kernel is signed
Hello All,

What is the command to check if my kernel is signed?

--
Cheers!
Roman
--------------------------------------------
openSUSE -- Get it! Discover it! Share it!
--------------------------------------------
http://linuxcounter.net/ #179293
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

* Roman Bysh
> What is the command to check if my kernel is signed?

rpm -qi <kernel>

--
(paka)Patrick Shanahan  Plainfield, Indiana, USA  @ptilopteri
http://en.opensuse.org  openSUSE Community Member  facebook/ptilopteri
http://wahoo.no-ip.org  Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535  @ http://linuxcounter.net

On 07/29/2014 05:59 PM, Patrick Shanahan wrote:
> * Roman Bysh [07-29-14 15:06]:
>> What is the command to check if my kernel is signed?
>
> rpm -qi <kernel>

Ah yes.

Signature: RSA/SHA256, Wed 25 Jun 2014 02:24:55 AM EDT, Key ID b88b2fd43dbdc284

Thanks Patrick.

--
Cheers!
Roman

On Tue, Jul 29, 2014 at 11:05 PM, Roman Bysh wrote:
> Hello All,
>
> What is the command to check if my kernel is signed?

Do you mean kernel RPM or kernel binary (EFI secure boot)?

On 07/30/2014 12:59 AM, Andrey Borzenkov wrote:
> On Tue, Jul 29, 2014 at 11:05 PM, Roman Bysh wrote:
>> Hello All,
>>
>> What is the command to check if my kernel is signed?
>
> Do you mean kernel RPM or kernel binary (EFI secure boot)?

It's for secure boot.

--
Cheers!
Roman

On Wednesday 30 July 2014 15:07:42 Roman Bysh wrote:
> On 07/30/2014 12:59 AM, Andrey Borzenkov wrote:
>> On Tue, Jul 29, 2014 at 11:05 PM, Roman Bysh wrote:
>>> Hello All,
>>>
>>> What is the command to check if my kernel is signed?
>>
>> Do you mean kernel RPM or kernel binary (EFI secure boot)?
>
> It's for secure boot.

Roman:

This is probably worth a read:
http://en.opensuse.org/openSUSE:UEFI#Booting_a_Tumbleweed_kernel

On Wed, 30 Jul 2014 15:07:42 -0400 Roman Bysh wrote:
> On 07/30/2014 12:59 AM, Andrey Borzenkov wrote:
>> On Tue, Jul 29, 2014 at 11:05 PM, Roman Bysh wrote:
>>> Hello All,
>>>
>>> What is the command to check if my kernel is signed?
>>
>> Do you mean kernel RPM or kernel binary (EFI secure boot)?
>
> It's for secure boot.

bor@opensuse:/tmp/x> certutil -d . -N
bor@opensuse:/tmp/x> pesign -n . -S -i /boot/vmlinuz
---------------------------------------------
certificate address is 0x7fd82572a238
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is openSUSE Secure Boot Signkey
The signer's email address is build@opensuse.org
Signing time: Tue Jun 17, 2014
There were certs or crls included.
---------------------------------------------
bor@opensuse:/tmp/x>

But I do not know where to get openSUSE certificate to validate
signature against. Also you must init (empty) NSS store, otherwise
pesign fails, it looks into /etc/nss/pesign by default.

On Thu, Jul 31, 2014 at 06:32:36AM +0400, Andrey Borzenkov wrote:
> On Wed, 30 Jul 2014 15:07:42 -0400 Roman Bysh wrote:
>> On 07/30/2014 12:59 AM, Andrey Borzenkov wrote:
>>> On Tue, Jul 29, 2014 at 11:05 PM, Roman Bysh wrote:
>>>> Hello All,
>>>>
>>>> What is the command to check if my kernel is signed?
>>>
>>> Do you mean kernel RPM or kernel binary (EFI secure boot)?
>>
>> It's for secure boot.
>
> bor@opensuse:/tmp/x> certutil -d . -N
> bor@opensuse:/tmp/x> pesign -n . -S -i /boot/vmlinuz
> ---------------------------------------------
> certificate address is 0x7fd82572a238
> Content was not encrypted.
> Content is detached; signature cannot be verified.
> The signer's common name is openSUSE Secure Boot Signkey
> The signer's email address is build@opensuse.org
> Signing time: Tue Jun 17, 2014
> There were certs or crls included.
> ---------------------------------------------
> bor@opensuse:/tmp/x>
>
> But I do not know where to get openSUSE certificate to validate
> signature against. Also you must init (empty) NSS store, otherwise
> pesign fails, it looks into /etc/nss/pesign by default.

The openSUSE certificates are available in several projects in OBS, ex:
https://build.opensuse.org/package/show/openSUSE:Factory/shim

You will see two openSUSE CA:
openSUSE-UEFI-CA-Certificate-4096.crt
openSUSE-UEFI-CA-Certificate.crt

The 4096 one is for EFI images before 13.1 (included).
openSUSE-UEFI-CA-Certificate.crt was created because some UEFI firmware
didn't support a 4096bit key, so we created a new 2048bit key. For
openSUSE 13.2+, we will use openSUSE-UEFI-CA-Certificate.crt.

BTW, the newer pesign gets rid of the NSS requirement for some commands.
If you are using pesign in Factory, "pesign -S -i /boot/vmlinuz" is
sufficient.

Cheers,

Gary Lin

On 07/30/2014 12:59 AM, Andrey Borzenkov wrote:
> On Tue, Jul 29, 2014 at 11:05 PM, Roman Bysh wrote:
>> Hello All,
>>
>> What is the command to check if my kernel is signed?
>
> Do you mean kernel RPM or kernel binary (EFI secure boot)?

The kernel binary (EFI secure boot).

--
Cheers!
Roman

participants (5)
- Andrey Borzenkov
- Gary Ching-Pang Lin
- Patrick Shanahan
- Roman Bysh
- Shawn W Dunn