ksigner/README.md
2025-09-24 10:25:54 -05:00
# KSigner
A Secure Boot kernel signing utility
## Overview
This package provides a comprehensive solution for signing Linux kernels with custom keys for Secure Boot environments. It includes:
- Automatic key generation and MOK enrollment
- Automatic kernel signing via the libdnf5 actions plugin (kernels are signed as the package transaction installs them)
- Support for signing individual or all kernels
- Configurable through `/etc/ksigner/ksigner.conf`
- Comprehensive logging and status reporting
## Installation
### Building the RPM
1. Install build dependencies:
```bash
# RHEL/CentOS/Rocky/Alma
sudo dnf install rpm-build rpmdevtools
# Create build environment
rpmdev-setuptree
```
2. Build the package:
```bash
# Create source tarball
make dist
# Build RPM
make rpm
# Or build source RPM
make srpm
```
3. Install the package:
```bash
sudo dnf install noarch/ksigner*.rpm
# Alternatively
sudo rpm -ivh ksigner*.rpm
```
### Dependencies
The following packages will be automatically installed as dependencies:
- `openssl` - Key generation and certificate operations
- `mokutil` - Machine Owner Key management
- `sbsigntools` - Kernel signing utilities
- `hmaccalc` - HMAC generation for signed kernels
- `sudo` - Privilege escalation
- `bash` (>= 4.0) - Shell scripting features
- `dnf5` - RPM package management
- `libdnf5-plugin-actions` - DNF transaction actions
## Quick Start
1. **Install the package** (as shown above)
2. **Set up signing keys**:
```bash
sudo ksigner setup
```
3. **Optionally, enable automatic kernel signing**:
```bash
sudo sed -i 's/^# *\(AUTO_SIGN=true\)/\1/' /etc/ksigner/ksigner.conf
```
4. **Reboot and enroll MOK keys**:
- Reboot your system
- In the MOK management interface: Enroll MOK → Continue → Yes → Enter password → OK
5. **Sign kernels**:
```bash
# Sign latest kernel
sudo ksigner sign
# Sign all kernels
sudo ksigner sign-all
# Check status
sudo ksigner status
```
## Configuration
Edit `/etc/ksigner/ksigner.conf` to customize behavior:
```conf
# Automatically sign kernels when they are installed
# AUTO_SIGN=true
```
## Commands
- `ksigner setup` - Create and install signing keys
- `ksigner sign [kernel_file]` - Sign a kernel (latest if no file specified)
- `ksigner sign-all` - Sign all available kernels
- `ksigner status` - Show signing key status
- `ksigner version` - Show version information
## File Locations
- **Configuration**: `/etc/ksigner/ksigner.conf`
- **Public Key**: `/etc/pki/sbsign/certs/MOK.pem`
- **Private Key**: `/etc/pki/sbsign/private/MOK.priv`
- **DER Key**: `/etc/pki/sbsign/certs/MOK.der`
- **Log File**: `/var/log/ksigner.log`
- **Action File**: `/etc/dnf/libdnf5-plugins/actions.d/ksigner.action`
## Security Notes
- Private keys are stored with restrictive permissions (mode 0600)
- MOK enrollment requires manual confirmation at boot, so a key cannot be enrolled without the operator's approval
- All operations require root privileges
- HMAC files are generated for integrity verification of the signed kernels
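The following audit script is an added example and not part of ksigner itself. It checks the end state that the Quick Start and the Security Notes describe: whether `AUTO_SIGN=true` is really uncommented in `ksigner.conf`, whether `MOK.priv` has mode 0600, whether the newest kernel image verifies against `MOK.pem` with `sbverify --cert` (from sbsigntools), and whether `MOK.der` is enrolled according to `mokutil --test-key`. The function names and the report layout are my own; the default paths are the ones listed under File Locations, and every function accepts other paths so the checks can be run against copies.

```bash
#!/usr/bin/env bash
# Added audit helper (not part of ksigner). Default paths are the ones the
# README lists; pass alternatives as arguments to test against copies.

# Returns 0 when AUTO_SIGN=true is present and uncommented in the config,
# 1 otherwise. The shipped "# AUTO_SIGN=true" line counts as disabled, which
# is exactly what the sed command in the Quick Start toggles.
auto_sign_enabled() {
    conf="${1:-/etc/ksigner/ksigner.conf}"
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*AUTO_SIGN=true[[:space:]]*$' "$conf"
}

# Returns 0 when the file exists and its mode is exactly 0600 (the mode the
# Security Notes state for the private key), 1 otherwise.
# GNU stat is tried first, BSD stat as a fallback.
key_mode_is_0600() {
    key="$1"
    [ -f "$key" ] || return 1
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# Prints the most recently modified vmlinuz-* image under a boot directory
# (default /boot); prints nothing when there is none.
latest_kernel() {
    bootdir="${1:-/boot}"
    ls -1t "$bootdir"/vmlinuz-* 2>/dev/null | head -n 1
}

# Verifies a kernel image's signature against the MOK certificate using
# sbverify from sbsigntools. Passes sbverify's exit status through;
# returns 2 when sbverify is not installed.
kernel_signed_by_mok() {
    kernel="$1"
    cert="${2:-/etc/pki/sbsign/certs/MOK.pem}"
    command -v sbverify >/dev/null 2>&1 || return 2
    sbverify --cert "$cert" "$kernel" >/dev/null 2>&1
}

# Asks mokutil whether the DER certificate is in the enrolled MOK list.
# Passes mokutil's exit status through; returns 2 when it is not installed.
mok_enrolled() {
    der="${1:-/etc/pki/sbsign/certs/MOK.der}"
    command -v mokutil >/dev/null 2>&1 || return 2
    mokutil --test-key "$der" >/dev/null 2>&1
}

# Prints one line per check. Always returns 0; the lines carry the result.
audit_report() {
    conf="${1:-/etc/ksigner/ksigner.conf}"
    priv="${2:-/etc/pki/sbsign/private/MOK.priv}"
    cert="${3:-/etc/pki/sbsign/certs/MOK.pem}"
    der="${4:-/etc/pki/sbsign/certs/MOK.der}"
    bootdir="${5:-/boot}"

    if auto_sign_enabled "$conf"; then
        echo "AUTO_SIGN      : enabled in $conf"
    else
        echo "AUTO_SIGN      : disabled (or $conf unreadable)"
    fi

    if key_mode_is_0600 "$priv"; then
        echo "private key    : $priv has mode 0600"
    else
        echo "private key    : $priv missing or mode is not 0600"
    fi

    kernel=$(latest_kernel "$bootdir")
    if [ -z "$kernel" ]; then
        echo "kernel signature: no vmlinuz-* image found in $bootdir"
    else
        kernel_signed_by_mok "$kernel" "$cert"
        case $? in
            0) echo "kernel signature: $kernel verifies against $cert" ;;
            2) echo "kernel signature: sbverify not installed, cannot check $kernel" ;;
            *) echo "kernel signature: $kernel does NOT verify against $cert" ;;
        esac
    fi

    mok_enrolled "$der"
    case $? in
        0) echo "MOK enrollment : $der is enrolled" ;;
        2) echo "MOK enrollment : mokutil not installed, cannot check" ;;
        *) echo "MOK enrollment : $der is NOT enrolled (reboot and enroll it)" ;;
    esac
    return 0
}

audit_report "$@"
```

Run it as root with no arguments after the reboot/enrollment step; a "does NOT verify" line for the newest kernel means `ksigner sign` has not yet run against that image, and a "NOT enrolled" line means the firmware-side MOK enrollment was not completed.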
## Troubleshooting
### Check Status
```bash
sudo ksigner status
```
### View Logs
```bash
sudo tail -f /var/log/ksigner.log
```
### Verify MOK Enrollment
```bash
sudo mokutil --list-enrolled
```
### Re-enroll Keys
If keys become corrupted or lost:
```bash
sudo ksigner setup
# Then reboot and re-enroll MOK
```
## License
This software is released under the MIT License. See LICENSE file for details.
## Contributing
Contributions are welcome! Please submit pull requests or issues through the project repository.
## Support
For support, please:
1. Check the man page: `man ksigner`
2. Review logs in `/var/log/ksigner.log`
3. Use the status command: `sudo ksigner status`
4. File issues in the project repository