ksigner/README.md
2025-09-23 19:09:31 -05:00

# Kernel Signer
A Secure Boot kernel signing utility for Red Hat-based systems (RHEL, CentOS, Fedora, Rocky Linux, AlmaLinux, etc.).
## Overview
This package provides a comprehensive solution for signing Linux kernels with custom keys for Secure Boot environments. It includes:
- Automatic key generation and MOK enrollment
- Support for signing individual or all kernels
- Configurable through `/etc/ksigner/ksigner.conf`
- Comprehensive logging and status reporting
## Installation
### Building the RPM
1. Install build dependencies:
```bash
# RHEL/CentOS/Rocky/Alma
sudo dnf install rpm-build rpmdevtools
# Create build environment
rpmdev-setuptree
```
2. Build the package:
```bash
# Create source tarball
make dist
# Build RPM
make rpm
# Or build source RPM
make srpm
```
3. Install the package:
```bash
sudo rpm -ivh ksigner*.rpm
```
### Dependencies
The following packages will be automatically installed as dependencies:
- `openssl` - Key generation and certificate operations
- `mokutil` - Machine Owner Key management
- `sbsigntools` - Kernel signing utilities
- `hmaccalc` - HMAC generation for signed kernels
- `sudo` - Privilege escalation
- `bash` (>= 4.0) - Shell scripting features
## Quick Start
1. **Install the package** (as shown above)
2. **Set up signing keys**:
```bash
sudo ksigner setup
```
3. **Reboot and enroll MOK keys**:
- Reboot your system
- In the MOK management interface: Enroll MOK → Continue → Yes → Enter password → OK
4. **Sign kernels**:
```bash
# Sign latest kernel
sudo ksigner sign
# Sign all kernels
sudo ksigner sign-all
# Check status
sudo ksigner status
```
## Configuration
Edit `/etc/ksigner/ksigner.conf` to customize behavior:
```bash
# Enable/disable automatic signing on kernel updates
SIGN_ON_UPDATE=true
# Type of automatic signing (sign, sign-all)
AUTO_SIGN_TYPE="sign-all"
```
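The two settings above are the only ones the configuration file documents, and the update hook runs as root, so reading the file defensively matters. The following is an added example, not ksigner's own code: it parses `/etc/ksigner/ksigner.conf` as plain `KEY=VALUE` lines instead of `source`-ing it, rejects any key or value outside the documented set, and exposes the resulting decision through `ksigner_auto_command`. The function names, the rejection behaviour and the default values are this example's assumptions; ksigner's real loader may behave differently.

```bash
#!/usr/bin/env bash
# Added example (not ksigner's own code): load ksigner.conf without `source`,
# so nothing in the file can ever be executed, and accept only the two
# documented keys with their documented values.
set -eu

# Defaults mirror the sample configuration shown in the README.
SIGN_ON_UPDATE=true
AUTO_SIGN_TYPE="sign-all"

# ksigner_load_conf FILE: parse KEY=VALUE lines, skip blank lines and
# comments, reject unknown keys, malformed lines or out-of-range values.
# Returns 0 on success, 1 on the first violation (assumed strict policy).
ksigner_load_conf() {
  local file="$1" line key val
  [ -r "$file" ] || { echo "config not readable: $file" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    # trim leading and trailing whitespace
    line="${line#"${line%%[![:space:]]*}"}"
    line="${line%"${line##*[![:space:]]}"}"
    case "$line" in
      ''|'#'*) continue ;;                     # blank line or comment
      *=*) ;;                                  # candidate assignment
      *) echo "malformed line: $line" >&2; return 1 ;;
    esac
    key="${line%%=*}"
    val="${line#*=}"
    # strip one layer of matching quotes around the value
    case "$val" in
      \"*\") val="${val#\"}"; val="${val%\"}" ;;
      \'*\') val="${val#\'}"; val="${val%\'}" ;;
    esac
    case "$key" in
      SIGN_ON_UPDATE)
        case "$val" in
          true|false) SIGN_ON_UPDATE="$val" ;;
          *) echo "SIGN_ON_UPDATE must be true or false, got: $val" >&2; return 1 ;;
        esac ;;
      AUTO_SIGN_TYPE)
        case "$val" in
          sign|sign-all) AUTO_SIGN_TYPE="$val" ;;
          *) echo "AUTO_SIGN_TYPE must be sign or sign-all, got: $val" >&2; return 1 ;;
        esac ;;
      *) echo "unknown key: $key" >&2; return 1 ;;
    esac
  done < "$file"
  return 0
}

# ksigner_auto_command: print the ksigner subcommand the kernel update hook
# should run ("sign" or "sign-all"); status 1 and no output when automatic
# signing is disabled.
ksigner_auto_command() {
  [ "$SIGN_ON_UPDATE" = true ] || return 1
  printf '%s\n' "$AUTO_SIGN_TYPE"
}
```

A hook would call `ksigner_load_conf /etc/ksigner/ksigner.conf` and then `cmd=$(ksigner_auto_command) && ksigner "$cmd"`; a line such as `SIGN_ON_UPDATE=true; some-command` is rejected as a bad value rather than executed, which is the point of not sourcing the file.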
## Commands
- `ksigner setup` - Create and install signing keys
- `ksigner sign [kernel_file]` - Sign a kernel (latest if no file specified)
- `ksigner sign-all` - Sign all available kernels
- `ksigner status` - Show signing key status
- `ksigner version` - Show version information
## Automatic Kernel Signing
When `SIGN_ON_UPDATE=true` is set in the configuration, kernels are signed automatically when they are installed via the package manager. The hook script `/etc/kernel/postinst.d/zz-ksigner` handles this process.
Logs are written to `/var/log/ksigner.log`.
## File Locations
- **Configuration**: `/etc/ksigner/ksigner.conf`
- **Public Key**: `/etc/pki/sbsign/certs/MOK.pem`
- **Private Key**: `/etc/pki/sbsign/private/MOK.priv`
- **DER Key**: `/etc/pki/sbsign/certs/MOK.der`
- **Log File**: `/var/log/ksigner.log`
- **Update Hook**: `/etc/kernel/postinst.d/zz-ksigner`
## Security Notes
- Private keys are stored with restrictive permissions (600)
- MOK enrollment requires manual confirmation in the MOK manager at boot, so a key cannot be enrolled silently by software alone
- All operations require root privileges
- HMAC files are generated for integrity verification
## Troubleshooting
### Check Status
```bash
sudo ksigner status
```
### View Logs
```bash
sudo tail -f /var/log/ksigner.log
```
### Verify MOK Enrollment
```bash
sudo mokutil --list-enrolled
```
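Listing enrolled keys only helps if you compare the listing against the certificate ksigner actually installed, and the Security Notes above depend on the private key really being owner-only. The script below is an added example, not ksigner's own code: it checks the mode of `/etc/pki/sbsign/private/MOK.priv`, computes the SHA-1 fingerprint of `/etc/pki/sbsign/certs/MOK.pem`, and looks for that fingerprint in `mokutil --list-enrolled` output. It assumes GNU `stat -c %a`, the `SHA1 Fingerprint=` line printed by `openssl x509 -fingerprint`, and the `SHA1 Fingerprint: aa:bb:...` lines printed by `mokutil --list-enrolled`; the embedded listing is constructed for the offline demonstration, not captured from a real machine.

```bash
#!/usr/bin/env bash
# Added example, not ksigner's own code: a read-only pre-flight check that the
# private signing key is owner-only and that the MOK certificate is enrolled,
# i.e. that a kernel signed with it will actually be accepted by shim at boot.
# Assumptions: GNU stat (-c %a), openssl's "SHA1 Fingerprint=AA:BB:..." output
# and mokutil's "SHA1 Fingerprint: aa:bb:..." lines in `mokutil --list-enrolled`.
set -eu

MOK_PEM=/etc/pki/sbsign/certs/MOK.pem            # paths from "File Locations"
MOK_PRIV=/etc/pki/sbsign/private/MOK.priv

# Constructed sample of `mokutil --list-enrolled` output (not captured from a
# real machine) with one enrolled key, used for the offline demonstration.
SAMPLE_MOK_LISTING='[key 1]
SHA1 Fingerprint: 0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9:0a:1b:2c:3d
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=ksigner MOK (constructed)'

# key_mode_ok FILE: 0 when FILE exists with mode 600 or 400 (nobody but the
# owner can read the private key), 1 otherwise.
key_mode_ok() {
  local mode
  mode=$(stat -c %a "$1" 2>/dev/null) || return 1
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# cert_sha1_fingerprint PEM: print the certificate's SHA-1 fingerprint in the
# colon-separated lowercase form that mokutil prints.
cert_sha1_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//' | tr '[:upper:]' '[:lower:]'
}

# fingerprint_in_mok_list FINGERPRINT LISTING: 0 when LISTING (text in the
# format of `mokutil --list-enrolled`) contains a key with that fingerprint,
# 1 otherwise. The comparison is case-insensitive and anchored to the whole
# "SHA1 Fingerprint:" line so a partial fingerprint cannot match.
fingerprint_in_mok_list() {
  local want
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]' \
    | grep -q "^sha1 fingerprint: *${want}\$"
}

# mok_enrolled PEM: live check, combines the two helpers against mokutil.
mok_enrolled() {
  fingerprint_in_mok_list "$(cert_sha1_fingerprint "$1")" "$(mokutil --list-enrolled)"
}

# preflight: run both live checks and report; status 1 if either fails.
preflight() {
  local rc=0
  if key_mode_ok "$MOK_PRIV"; then
    echo "ok:   $MOK_PRIV is readable by its owner only"
  else
    echo "FAIL: $MOK_PRIV missing or too permissive (expected mode 600)"; rc=1
  fi
  if mok_enrolled "$MOK_PEM"; then
    echo "ok:   MOK certificate is enrolled"
  else
    echo "FAIL: MOK certificate not enrolled; reboot and enroll, or rerun 'sudo ksigner setup'"; rc=1
  fi
  return "$rc"
}

# Live checks run only when invoked as `./preflight.sh --run` (needs root).
if [ "${1:-}" = "--run" ]; then
  preflight
fi
```

Run it as root with `--run` after `ksigner setup` and the reboot; a `FAIL` on the enrollment line before any kernel is signed is cheaper to diagnose than a kernel that shim refuses to boot.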
### Re-enroll Keys
If keys become corrupted or lost:
```bash
sudo ksigner setup
# Then reboot and re-enroll MOK
```
## License
This software is released under the MIT License. See LICENSE file for details.
## Contributing
Contributions are welcome! Please submit pull requests or issues through the project repository.
## Support
For support, please:
1. Check the man page: `man ksigner`
2. Review logs in `/var/log/ksigner.log`
3. Use the status command: `sudo ksigner status`
4. File issues in the project repository