Description
akmods secure boot feature
Installation Instructions
Akmods provides an enrollment process to sign third-party modules with your own keypair.
You need to enable the kmodtool copr first (because the feature is not upstream for now):
dnf copr enable shannara/kmodtool-secureboot
At the first run of akmods.service, a certificate and keypair will be created with default values using the /usr/lib/rpm/kmodgenca script.
You may also wish to manually create your own certificate and keypair with the /usr/lib/rpm/kmodgenca command.
Before executing /usr/lib/rpm/kmodgenca:
- We suggest tweaking /etc/akmods/cacert.config with your own information for the certificate.
- __signmodules has to be set to "1" (default value) in /etc/akmods/sign-keypair.inc.
Now you need to enroll the public key in MOK. This process is described below.
- Ask MOK to enroll the new keypair with its certificate with the command:
mokutil --import /etc/pki/akmods/keys/public_key.der
- mokutil asks you to generate a password for enrolling the public key.
- Rebooting the system is needed for MOK to enroll the new public key.
- On next boot MOK Management is launched and you have to choose "Enroll MOK".
- Choose "Continue" to enroll the key or "View key 0" to show the keys already enrolled.
- Confirm enrollment by selecting "Yes".
- You will be invited to enter the password generated above. WARNING: keyboard is mapped to QWERTY!
- The new key is enrolled, and the system asks you to reboot.
Once the system has rebooted, you can confirm the enrollment of the new keypair with:
mokutil --list-enrolled | grep Issuer
or with:
mokutil --test-key /etc/pki/akmods/keys/public_key.der
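As an added example (not part of akmods or of this project's own instructions), the script below tightens the check above: it compares the SHA-1 fingerprint of the generated certificate with the fingerprints listed by mokutil --list-enrolled, because an Issuer match alone does not prove that this exact key is the one enrolled. It assumes public_key.der is a DER-encoded X.509 certificate and that openssl is installed; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not part of akmods. Function names are hypothetical.
# Assumption: public_key.der is a DER-encoded X.509 certificate.
KEY_DER=/etc/pki/akmods/keys/public_key.der   # path used on this page

# Reduce "SHA1 Fingerprint=AA:BB" (openssl) or "SHA1 Fingerprint: aa:bb"
# (mokutil) to bare lowercase hex so the two tools can be compared.
norm_fp() {
    printf '%s\n' "$1" | sed -e 's/^.*Fingerprint[=:] *//' | tr -d ': ' | tr 'A-F' 'a-f'
}

# Read `mokutil --list-enrolled` output on stdin; return 0 only if the
# fingerprint given as $1 belongs to one of the enrolled keys.
fp_enrolled() {
    want=$(norm_fp "$1")
    [ -n "$want" ] || return 2
    grep 'Fingerprint' | while IFS= read -r line; do
        norm_fp "$line"
    done | grep -qx "$want"
}

# Live check on the installed system; $1 is an optional module name.
check_akmods_mok() {
    mokutil --sb-state                      # reports whether Secure Boot is on
    fp=$(openssl x509 -inform DER -in "$KEY_DER" -noout -fingerprint -sha1) || return 1
    if mokutil --list-enrolled | fp_enrolled "$fp"; then
        echo "akmods certificate $(norm_fp "$fp") is enrolled in MOK"
    else
        echo "akmods certificate is NOT enrolled in MOK" >&2
        return 1
    fi
    # Show which key signed an akmods-built module, if one was named.
    if [ -n "${1:-}" ]; then modinfo -F signer "$1"; fi
}

# Runs only when asked, e.g.:  sh check-mok.sh --check <module-name>
if [ "${1:-}" = "--check" ]; then check_akmods_mok "${2:-}"; fi
```

A non-zero exit from the --check run means the certificate under /etc/pki/akmods/keys is not the one MOK trusts, which is the state to look for when signed modules still fail to load after a reboot.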
Active Releases
The following unofficial repositories are provided as-is by the owner of this project. Contact the owner directly for bugs or issues (i.e., not Bugzilla).
Release | Architectures | Repo Download |
---|---|---|
EPEL 6 | x86_64 (0)* | EPEL 6 (0 downloads) |
EPEL 7 | x86_64 (0)* | EPEL 7 (85 downloads) |
* Total number of downloaded packages.