Good evening everybody,
I would like to ask for help regarding custom kernels and secure boot.
I am currently trying to run Tumbleweed on a Microsoft Surface Pro 3. Installation was running well, the system boots up with the default kernel. Up to now, some kernel patches are needed for full functionality, thus I cloned the source from git, patched it, compiled and everything works, as long as I disable secure boot.
I tried to follow the wiki (https://en.opensuse.org/openSUSE:UEFI) and as far as I can see, the approach I used before (Arch Linux, using prebootloader and its hashtool) is not applicable in case of Tumbleweed to sign the compiled kernel.
This is where I am currently stuck:
1. bless the kernel with the new signature:
   pesign -n . -c kernel_cert -i arch/x86/boot/bzImage -o vmlinuz.signed -s
2. list the signatures on the kernel image:
   pesign -n . -S -i vmlinuz.signed
At that point you may install the kernel in /boot as usual. Since the kernel now has a custom signature the certificate used for signing needs to be imported into the firmware or MOK.
Can I apply these steps after I have installed the rpm package? Or is it necessary to do this before compiling/packaging? arch/x86/boot/bzImage is part of the sources; in my /boot folder I can only find vmlinuz. When I try to sign this file, I still get “invalid signature”.
I would be very glad if someone could point me in the right direction to get the kernel signed.
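An added example, not part of the original post or the wiki: a small Python check for whether a kernel image (the bzImage from the build tree or the vmlinuz in /boot) carries an embedded signature at all, by reading the PE/COFF certificate table that pesign writes to. It assumes the image is an EFI-stub kernel in PE/COFF format; the function names and the sample image are constructed for the illustration.

```python
import struct
import sys

CERT_DIR_INDEX = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)
WIN_CERT_TYPE_PKCS7 = 0x0002  # WIN_CERT_TYPE_PKCS_SIGNED_DATA

def list_signatures(image: bytes):
    """Return (file_offset, length, cert_type) for each WIN_CERTIFICATE entry."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header: not a PE/COFF (EFI stub) image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe + 24  # optional header follows 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32
    if struct.unpack_from("<I", image, dirs - 4)[0] <= CERT_DIR_INDEX:
        return []
    # Unlike the other data directories, this entry holds a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", image, dirs + 8 * CERT_DIR_INDEX)
    found, end = [], min(offset + size, len(image))
    while size and offset + 8 <= end:
        length, _revision, cert_type = struct.unpack_from("<IHH", image, offset)
        if length < 8:
            break  # malformed entry, stop instead of looping forever
        found.append((offset, length, cert_type))
        offset += (length + 7) & ~7  # entries are 8-byte aligned
    return found

def constructed_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a real kernel."""
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x20B)
    struct.pack_into("<I", hdr, opt + 108, 16)  # NumberOfRvaAndSizes
    if not signed:
        return bytes(hdr)
    blob = b"\x30" * 13  # placeholder bytes standing in for the PKCS#7 data
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS7) + blob
    cert += b"\0" * (-len(cert) % 8)
    struct.pack_into("<II", hdr, opt + 112 + 8 * CERT_DIR_INDEX, len(hdr), len(cert))
    return bytes(hdr) + cert
if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_image(True)
    print(list_signatures(data) or "no embedded signature")
```

An entry in this table only shows that a signature is attached; whether the image is accepted at boot still depends on the signing certificate being enrolled in the firmware or MOK, as the quoted wiki step says.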