Signing your own kernel, because Linux 4.xxxxxxxxxx kernel not valid sig with secure boot -HELP!!!!!

After trying the install below I got cryptic errors like ‘certificate not found’ and ‘unsupported format errors’ (Secure Boot must be on with the new Windows install, digressing…off topic).

"Booting a custom kernel

Secure boot does not prevent you from using your own self compiled kernel. You just have to sign it with your own certificate and make that certificate known to the firmware or MOK.

  1. create a custom X.509 key and certificate used for signing: openssl req -new -x509 -newkey rsa:2048 -sha256 -keyout key.asc -out cert.pem -nodes -days 666 -subj "/CN=$USER/"
  2. package key and cert as PKCS#12 structure: openssl pkcs12 -export -inkey key.asc -in cert.pem -name kernel_cert -out cert.p12
  3. generate NSS database for use by pesign: certutil -d . -N
  4. import key and certificate contained in PKCS#12 into NSS database: pk12util -d . -i cert.p12
  5. bless the kernel with the new signature: pesign -n . -c kernel_cert -i arch/x86/boot/bzImage -o vmlinuz.signed -s
  6. list the signatures on the kernel image: pesign -n . -S -i vmlinuz.signed

At that point you may install the kernel in /boot as usual. Since the kernel now has a custom signature the certificate used for signing needs to be imported into the firmware or MOK.

  1. convert certificate to DER format for import into UEFI firmware or MOK: openssl x509 -in cert.pem -outform der -out cert.der
  2. copy the certificate to the ESP for easier access: sudo cp cert.der /boot/efi/

"

This worked during the previous OS install, but has stopped working now. Either can you give a package install checklist, or will it be easier to use different methodological means of signing a kernel binary that has a good chance of fixing the default-installed kernel version (currently it isn’t signed, I think)? This explains my kernel problem, if I should use a different approach to the attempted solution: linux - openSUSE 13.2 kernel upgrade to stable version (4.1) - Super User.
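A check that belongs next to step 6 of the quoted procedure, added here as an example that is neither the post's nor the wiki's code: it parses the PE/COFF header of an EFI-bootable bzImage (the format shim and pesign work on) and lists the WIN_CERTIFICATE entries in its Certificate Table, which is what `pesign -S` reports and what decides whether shim will even look for a trusted signer. The `build_fixture` helper constructs a toy PE32+ image (not a real kernel) so the parser can be exercised without one.

```python
import struct, sys

PE32PLUS_MAGIC = 0x20B                 # optional-header magic for 64-bit PE
DIR_SECURITY = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x2   # Authenticode PKCS#7 blob

def list_signatures(image: bytes) -> list:
    """Return [(cert_type, length), ...] for each WIN_CERTIFICATE entry in the
    image's Certificate Table, or [] when the image carries no signature.
    Raises ValueError when the input is not a PE/COFF file (an EFI-bootable
    bzImage always is; an ELF vmlinux is not)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE/COFF image: missing MZ stub")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image: missing PE signature")
    opt = e_lfanew + 4 + 20                        # skip 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    # Data directories start at +112 (PE32+) or +96 (PE32) in the optional header.
    dirs = opt + (112 if magic == PE32PLUS_MAGIC else 96)
    # The security directory holds a raw FILE offset, not an RVA.
    sec_off, sec_size = struct.unpack_from("<II", image, dirs + 8 * DIR_SECURITY)
    sigs, pos, end = [], sec_off, sec_off + sec_size
    while sec_size and pos + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        sigs.append((ctype, length))
        pos += (length + 7) & ~7                   # entries are 8-byte aligned
    return sigs

def build_fixture(sig_len: int = 0) -> bytes:
    """Constructed minimal PE32+ image (NOT a real kernel) with an optional
    Certificate Table of sig_len bytes, used to exercise list_signatures."""
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0" + b"\0" * 20                  # COFF header, all zeros
    opt = bytearray(240)                           # PE32+ optional header
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    body_end = len(hdr) + len(opt)
    if sig_len:
        struct.pack_into("<II", opt, 112 + 8 * DIR_SECURITY, body_end, sig_len)
    image = bytes(hdr) + bytes(opt)
    if sig_len:                                    # one WIN_CERTIFICATE header + filler
        image += struct.pack("<IHH", sig_len, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\xAA" * (sig_len - 8)
    return image

if __name__ == "__main__":
    print(list_signatures(open(sys.argv[1], "rb").read()))  # e.g. /boot/vmlinuz
```

An empty list on a kernel that Secure Boot rejects means it was never signed; a non-empty list means the signer's certificate simply is not in the firmware db or MOK.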

I think you posted this in the wrong place. I’ll see if I can ask to have it moved.

I am signing the kernel for Mint. That is working fine. To be clear, this was in opensuse, but to boot Mint as an additional system. Mint is not signed with the opensuse key, so I created a machine owner key and signed it.

I wrote a blog post on how I did that. It is based on that Wiki page that you list. But maybe I filled in a few more details. Here’s the link: Signing a kernel for secure-boot

I am using Opensuse, what made you think I’m using mint?

@jimon
This forum says at the top:

Please don’t ask product questions here.

and continues with

This forum is NOT for asking questions, …

I do not quite understand why you start a thread here where you shout:

… HELP

This will be moved to Install/Boot/Login and is CLOSED for the moment.

Moved from Unreviewed Howto and open again.

Signing a mint kernel uses exactly the same procedure as signing an opensuse kernel. But if you don’t actually want help, then I apologize for intruding.

Yes, I understood that you were using opensuse, and you installed a kernel from the kernels repo, which is signed by a different key which isn’t recognized by “shim.efi”.

You could just turn off secure boot. It is just a placebo anyway since any program that can mod the boot stack owns your machine anyway.

I have moved on back to Linux Mint and to my surprise I had an almost-out-of-box experience - and the kernel is a pre-4 version…finally my luck changes after WEEKS of hellish troubleshooting and distro-hopping on the Secure Boot struggle! Though one of the guys gave me a thorough revised howto…I’m grateful and it could come in handy if I have to self-sign a Linux Mint kernel (opensuse didn’t QUITE work)…I saved the webpage as an “offline snapshot” for if that DREADFUL day comes back!