Sign custom kernel for secure boot

Good evening everybody,

I would like to ask for help regarding custom kernels and secure boot.

I am currently trying to run Tumbleweed on a Microsoft Surface Pro 3. Installation was running well, the system boots up with the default kernel. Up to now, some kernel patches are needed for full functionality, thus I cloned the source from git, patched it, compiled and everything works, as long as I disable secure boot.

I tried to follow the wiki (https://en.opensuse.org/openSUSE:UEFI) and as far as I can see, the approach I used before (Arch Linux, using prebootloader and its hashtool) is not applicable in case of Tumbleweed to sign the compiled kernel.

This is where I am currently stuck:




  1. bless the kernel with the new signature: `pesign -n . -c kernel_cert -i arch/x86/boot/bzImage -o vmlinuz.signed -s`

  1. list the signatures on the kernel image: `pesign -n . -S -i vmlinuz.signed`


At that point you may install the kernel in /boot as usual. Since the kernel now has a custom signature the certificate used for signing needs to be imported into the firmware or MOK.


Can I apply these steps after I have installed the rpm package? Or is it necessary to do this before compiling/packaging? arch/x86/boot/bzImage is part of the sources, in my /boot folder, I can only find vmlinuz. When I try to sign this file, I still get “invalid signature”.

I would be very glad if someone can point me in the right direction to get the kernel signed.

Basically, you can sign any time before you try to boot the kernel.

Here’s how I have been signing kernels:
Signing a kernel for secure-boot

I based that on the same opensuse wiki page that you are using.

Thank you very much, your how-to was very helpful to me. I got confused which file I have to take and where to save it afterwards, etc. but you explained it clearly.

Secure boot works now.

I’m glad you have it working.