Bug#976015: debian-kernel-handbook: Document how to produce a custom kernel for UEFI Secure Boot
On Sat, 28 Nov 2020 11:25:23 +0100 Mattia Monga wrote:
> Package: debian-kernel-handbook
> Version: 1.0.19
> Severity: wishlist
> X-Debbugs-Cc: mo...@debian.org
>
> The procedure needed to produce a signed custom kernel suitable for UEFI
> Secure Boot is not documented (although the Debian kernel packages are
> correctly signed). Even https://wiki.debian.org/SecureBoot explains how to add
> a Machine Owner Key to the system, but not how to produce a signed kernel.
[...]

It should go something like:

1. Generate a certificate and private key
2. Add the certificate to MOK (or db)
3. (Optional) Enable CONFIG_SECURITY_LOCKDOWN_LSM in the kernel config
4. Build the kernel and modules (but not a package)
5. Use sbsigntool to sign the kernel
6. Build the package (make bindeb-pkg)

I don't feel like spending the time to test and write precise
instructions for this, but if someone else does I'd be happy to review
and add them.

Ben.

--
Ben Hutchings
Unix is many things to many people, but it's never been everything to anybody.
Bug#976015: debian-kernel-handbook: Document how to produce a custom kernel for UEFI Secure Boot
Package: debian-kernel-handbook
Version: 1.0.19
Severity: wishlist
X-Debbugs-Cc: mo...@debian.org

The procedure needed to produce a signed custom kernel suitable for UEFI Secure
Boot is not documented (although the Debian kernel packages are correctly
signed). Even https://wiki.debian.org/SecureBoot explains how to add a Machine
Owner Key to the system, but not how to produce a signed kernel.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-3-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

debian-kernel-handbook depends on no packages.

Versions of packages debian-kernel-handbook recommends:
ii  chromium [www-browser]     83.0.4103.116-3.1
ii  firefox [www-browser]      83.0-1
ii  firefox-esr [www-browser]  78.5.0esr-1

debian-kernel-handbook suggests no packages.

-- no debconf information