On Thu, Jul 31, 2014 at 06:32:36AM +0400, Andrey Borzenkov wrote:
On Wed, 30 Jul 2014 15:07:42 -0400, Roman Bysh wrote:
On 07/30/2014 12:59 AM, Andrey Borzenkov wrote:
On Tue, Jul 29, 2014 at 11:05 PM, Roman Bysh wrote:
Hello All,
What is the command to check if my kernel is signed?
Do you mean kernel RPM or kernel binary (EFI secure boot)?
It's for secure boot.
bor@opensuse:/tmp/x> certutil -d . -N
bor@opensuse:/tmp/x> pesign -n . -S -i /boot/vmlinuz
---------------------------------------------
certificate address is 0x7fd82572a238
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is openSUSE Secure Boot Signkey
The signer's email address is build@opensuse.org
Signing time: Tue Jun 17, 2014
There were certs or crls included.
---------------------------------------------
bor@opensuse:/tmp/x>
But I do not know where to get the openSUSE certificate to validate the signature against. Also, you must init an (empty) NSS store, otherwise pesign fails; it looks into /etc/nss/pesign by default.
The openSUSE certificates are available in several projects in OBS, e.g.: https://build.opensuse.org/package/show/openSUSE:Factory/shim
You will see two openSUSE CAs:
openSUSE-UEFI-CA-Certificate-4096.crt
openSUSE-UEFI-CA-Certificate.crt
The 4096 one is for EFI images before 13.1 (included). openSUSE-UEFI-CA-Certificate.crt was created because some UEFI firmware didn't support a 4096-bit key, so we created a new 2048-bit key. For openSUSE 13.2+, we will use openSUSE-UEFI-CA-Certificate.crt.
BTW, the newer pesign gets rid of the NSS requirement for some commands. If you are using pesign in Factory, "pesign -S -i /boot/vmlinuz" is sufficient.
Cheers,
Gary Lin
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
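For readers without pesign at hand, here is an added example (not from the thread) of what "pesign -S" is looking at: the PE Certificate Table data directory of the EFI-stub kernel, which is where an Authenticode signature lives. It handles both PE32 and PE32+ images, and build_pe constructs a toy image so the check runs offline; finding an entry only tells you a signature is embedded, it still has to be validated against the openSUSE CA as Gary describes.

```python
import struct

def authenticode_entry(pe):
    """Return (file_offset, size) of the PE Certificate Table (data directory
    index 4, IMAGE_DIRECTORY_ENTRY_SECURITY) or None if the image is unsigned.
    Raises ValueError if the headers are malformed."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                      # start of the COFF file header
    size_of_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                          # start of the optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    # Data directories begin at offset 96 (PE32) or 112 (PE32+) of the optional header.
    dd_base = {0x10B: 96, 0x20B: 112}.get(magic)
    if dd_base is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", pe, opt + dd_base - 4)[0]
    if num_dirs < 5 or size_of_opt < dd_base + 5 * 8:
        return None                          # header too short to hold entry 4
    # For this entry the first field is a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, opt + dd_base + 4 * 8)
    if off == 0 or size == 0:
        return None
    if off + size > len(pe):
        raise ValueError("certificate table runs past end of file")
    return off, size

def build_pe(cert_blob=None, pe32plus=True):
    """Construct a minimal (non-executable) PE image for demonstration, with an
    optional WIN_CERTIFICATE wrapping a constructed stand-in for PKCS#7 data."""
    magic, dd_base = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt_size = dd_base + 16 * 8              # 16 data directory entries
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd_base - 4, 16)
    body = b""
    if cert_blob is not None:
        # WIN_CERTIFICATE header: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7)
        body = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        struct.pack_into("<II", opt, dd_base + 4 * 8, len(dos) + len(coff) + opt_size, len(body))
    return dos + coff + bytes(opt) + body
```

On a real system, call authenticode_entry(open("/boot/vmlinuz", "rb").read()); the offset and size it returns are the blob pesign parses.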