On Thu, Jul 31, 2014 at 06:32:36AM +0400, Andrey Borzenkov wrote:
On Wed, 30 Jul 2014 15:07:42 -0400 Roman Bysh firstname.lastname@example.org writes:
On 07/30/2014 12:59 AM, Andrey Borzenkov wrote:
On Tue, Jul 29, 2014 at 11:05 PM, Roman Bysh email@example.com wrote:
What is the command to check if my kernel is signed?
Do you mean kernel RPM or kernel binary (EFI secure boot)?
It's for secure boot.
bor@opensuse:/tmp/x> certutil -d . -N
bor@opensuse:/tmp/x> pesign -n . -S -i /boot/vmlinuz
certificate address is 0x7fd82572a238
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is openSUSE Secure Boot Signkey
The signer's email address is firstname.lastname@example.org
Signing time: Tue Jun 17, 2014
There were certs or crls included.
But I do not know where to get openSUSE certificate to validate signature against. Also you must init (empty) NSS store, otherwise pesign fails, it looks into /etc/nss/pesign by default.
The openSUSE certificates are available in several projects in OBS, e.g.: https://build.opensuse.org/package/show/openSUSE:Factory/shim
You will see two openSUSE CAs: openSUSE-UEFI-CA-Certificate-4096.crt and openSUSE-UEFI-CA-Certificate.crt
The 4096 one is for EFI images before 13.1 (included). openSUSE-UEFI-CA-Certificate.crt was created because some UEFI firmware didn't support a 4096-bit key, so we created a new 2048-bit key. For openSUSE 13.2+, we will use openSUSE-UEFI-CA-Certificate.crt.
BTW, the newer pesign gets rid of the NSS requirement for some commands. If you are using pesign in Factory, "pesign -S -i /boot/vmlinuz" is sufficient.
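As an added illustration of what pesign is looking at (not code from this thread or from the pesign project), the following script reads the PE/COFF headers of an EFI image such as /boot/vmlinuz and reports whether the certificate table (data directory slot 4) carries a PKCS#7 Authenticode entry. The `fake_pe32plus` and `win_certificate` helpers are assumed names that build a constructed headers-only image so the check can be exercised offline; a present table only says the image is signed, and verifying the signer against the openSUSE CA still needs pesign or an equivalent tool.

```python
import struct
IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # PKCS#7 SignedData, the type pesign emits
def security_directory(data):
    """(file_offset, size) of the certificate table, or None if the image is unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional-header magic 0x%x" % magic)
    nrva, dirs = (opt + 92, opt + 96) if magic == 0x10B else (opt + 108, opt + 112)  # PE32 vs PE32+
    if struct.unpack_from("<I", data, nrva)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return (off, size) if off and size else None      # this entry is a raw file offset, not an RVA

def signature_info(data):
    """Describe the first WIN_CERTIFICATE entry, or return None for an unsigned image."""
    loc = security_directory(data)
    if loc is None:
        return None
    off, size = loc
    if size < 8 or off + size > len(data):
        raise ValueError("certificate table lies outside the file: truncated or tampered image")
    length, revision, ctype = struct.unpack_from("<IHH", data, off)
    return {"offset": off, "length": length, "revision": revision,
            "pkcs7": ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA}

def is_signed(path):
    with open(path, "rb") as f:                         # e.g. is_signed("/boot/vmlinuz")
        return signature_info(f.read()) is not None

def win_certificate(body):                              # wrap a constructed PKCS#7 blob, revision 2
    return struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body

def fake_pe32plus(cert=None):
    """Constructed headers-only PE32+ image for offline demonstration, optionally signed."""
    img = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", img, 0x3C, 64)               # e_lfanew: PE header right after the stub
    img += b"PE\0\0" + b"\0" * 16 + struct.pack("<HH", 240, 0)  # COFF header, SizeOfOptionalHeader=240
    img += struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16) + b"\0" * 128  # 16 directories
    if cert is not None:                                # point directory slot 4 at the appended blob
        struct.pack_into("<II", img, 64 + 24 + 112 + 8 * 4, len(img), len(cert))
        img += cert
    return bytes(img)
```

On a real kernel the table contents are what `pesign -S` parses; the script deliberately stops at the header so it needs neither pesign nor an NSS database.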