.TH ksigner 8 "@MONTH@ @YEAR@" "ksigner @VERSION@" "System Administration"

.SH NAME
ksigner \- Secure Boot kernel signing utility

.SH SYNOPSIS
.B ksigner
.RI { setup | sign | sign-all | version | status }
.RI [ vmlinuz_kernel_filepath ]

.SH DESCRIPTION
.B ksigner
is a utility for signing Linux kernels with custom keys for Secure Boot environments.
It supports signing individual kernels or all available kernels.
The utility includes libdnf5-plugin-actions integration for automatic kernel signing.

.SH COMMANDS
.TP
.B setup
Create and install signing keys. This must be run before any signing operations.
The command generates RSA-4096 keys, converts them to appropriate formats,
installs them in the system directories, and imports them to the Machine Owner Key (MOK) database.
After running this command, you must reboot and enroll the keys through the MOK management interface.

.TP
.B sign
Sign a single kernel file. If no kernel filepath is provided, signs the latest available kernel.

.TP
.B sign-all
Sign all available kernels in /boot that match the pattern vmlinuz-*.
Excludes rescue kernels.

.TP
.B version
Display version information.

.TP
.B status
Show the current status of signing keys and MOK enrollment.

.SH FILES
.TP
.I /etc/ksigner/ksigner.conf
Main configuration file. Contains key paths, automatic signing settings, and LTS version definitions.

.TP
.I /etc/pki/sbsign/certs/MOK.pem
Public signing key in PEM format.

.TP
.I /etc/pki/sbsign/private/MOK.priv
Private signing key.

.TP
.I /etc/pki/sbsign/certs/MOK.der
Public signing key in DER format for MOK import.

.TP
.I /var/log/ksigner.log
Log file for automatic signing operations.

.TP
.I /etc/dnf/libdnf5-plugins/actions.d/ksigner.actions
Kernel update hook script for automatic signing.

.SH CONFIGURATION
The behavior of ksigner can be customized through the configuration file
.IR /etc/ksigner/ksigner.conf .

.TP
.B AUTO_SIGN
Enable or disable automatic kernel signing when kernels are installed via package manager.
Set to "true" to enable, "false" to disable (default: true). Only works on DNF5 systems.

.SH SYSTEMD INTEGRATION
The package includes systemd service files for integration with the system:

.SH AUTOMATIC KERNEL SIGNING
When AUTO_SIGN is set to true in the configuration, new kernels are automatically signed
when they are installed through the package manager. The kernel update hook script
.I /etc/dnf/libdnf5-plugins/actions.d/ksigner.actions
is executed after kernel package installation and performs the configured signing operation.

.SH EXAMPLES
.TP
Set up signing keys for the first time:
.B ksigner setup

.TP
Sign the latest kernel:
.B ksigner sign

.TP
Sign a specific kernel:
.B ksigner sign /boot/vmlinuz-6.1.0-13-amd64

.TP
Sign all kernels:
.B ksigner sign-all

.TP
Check the status of signing keys:
.B ksigner status

.SH AUTOMATIC KERNEL SIGNING
On systems using DNF5, ksigner can automatically sign newly installed kernels
through a post-transaction hook. This feature is controlled by the
.B AUTO_SIGN
setting in the configuration file.

Note: Automatic signing requires that signing keys have been set up previously using
.B ksigner setup
and that the MOK has been enrolled.

.SH REQUIREMENTS
The following packages must be installed for ksigner to function:
.IP \(bu 4
openssl - for key generation and certificate operations
.IP \(bu 4
mokutil - for Machine Owner Key management
.IP \(bu 4
sbsigntools - for signing kernels (provides sbsign command)
.IP \(bu 4
hmaccalc - for generating kernel HMAC files
.IP \(bu 4
sudo - for privilege escalation
.IP \(bu 4
bash (version 4.0 or later) - for shell scripting features
.IP \(bu 4
libdnf5-plugin-actions - for automatic kernel signing (Fedora systems only)

.SH SECURITY CONSIDERATIONS
.IP \(bu 4
Private keys are stored with restrictive permissions (600) in /etc/pki/sbsign/private/
.IP \(bu 4
The setup process requires manual MOK enrollment to prevent unauthorized key installation
.IP \(bu 4
All operations require root privileges
.IP \(bu 4
HMAC files are generated for signed kernels to maintain integrity

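The kernel-selection rule that the sign and sign-all commands describe (vmlinuz-* in /boot, rescue kernels excluded, newest by version) and the 0600 private-key check from SECURITY CONSIDERATIONS, as an added example written for this page rather than ksigner's own code. It assumes GNU or BusyBox sort -V and stat -c, and uses sbverify from sbsigntools only if it is installed.

```shell
# Added example, not ksigner's own code. Paths are parameters so the functions
# can be exercised against a constructed directory instead of the real /boot.

# Print the signable kernels in $1, one per line: vmlinuz-* minus rescue kernels.
list_kernels() {
    bootdir=$1
    for k in "$bootdir"/vmlinuz-*; do
        [ -f "$k" ] || continue          # no match leaves the literal glob
        case "${k##*/}" in
            *-rescue-*) continue ;;      # sign-all excludes rescue kernels
        esac
        printf '%s\n' "${k##*/}"
    done
}

# Newest kernel by version order (what "ksigner sign" picks with no argument).
# Assumes sort -V (GNU coreutils or BusyBox), so 6.1.0-13 sorts after 6.1.0-9.
latest_kernel() {
    list_kernels "$1" | sort -V | tail -n 1
}

# Return 0 only if the private key exists and has mode 0600, the permission
# SECURITY CONSIDERATIONS requires. Assumes GNU/BusyBox stat -c.
check_private_key() {
    key=$1
    [ -f "$key" ] || return 1
    mode=$(stat -c '%a' "$key") || return 1
    [ "$mode" = "600" ]
}

# Verify a kernel's Secure Boot signature against the public certificate
# ($1, e.g. MOK.pem) with sbverify from sbsigntools. Returns 0 on a valid
# signature, non-zero on failure, and 2 when sbverify is not installed.
verify_kernel() {
    command -v sbverify >/dev/null 2>&1 || return 2
    sbverify --cert "$1" "$2"
}
```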
.SH EXIT STATUS
.B ksigner
exits with status 0 on success, and non-zero on error.

.SH BUGS
Report bugs to your distribution's bug tracking system or the project repository.

.SH SEE ALSO
.BR mokutil (8),
.BR sbsign (1),
.BR openssl (1),
.BR systemctl (1)