129 lines
3.0 KiB
Groff
129 lines
3.0 KiB
Groff
.TH KSIGNER 8 "September 2025" "ksigner @VERSION@" "System Administration"
|
|
|
|
.SH NAME
|
|
ksigner \- Secure Boot kernel signing utility
|
|
|
|
.SH SYNOPSIS
|
|
.B ksigner
|
|
.RI { setup | sign | sign-all | version | status }
|
|
.RI [ vmlinuz_kernel_filepath ]
|
|
|
|
.SH DESCRIPTION
|
|
.B ksigner
|
|
is a utility for signing Linux kernels with custom keys for Secure Boot environments.
|
|
It supports signing individual kernels or all available kernels.
|
|
|
|
.SH COMMANDS
|
|
.TP
|
|
.B setup
|
|
Create and install signing keys. This must be run before any signing operations.
|
|
The command generates RSA-4096 keys, converts them to appropriate formats,
|
|
installs them in the system directories, and imports them to the Machine Owner Key (MOK) database.
|
|
After running this command, you must reboot and enroll the keys through the MOK management interface.
|
|
|
|
.TP
|
|
.B sign
|
|
Sign a single kernel file. If no kernel filepath is provided, signs the latest available kernel.
|
|
|
|
.TP
|
|
.B sign-all
|
|
Sign all available kernels in /boot that match the pattern vmlinuz-*.
|
|
Excludes rescue kernels.
|
|
|
|
.TP
|
|
.B version
|
|
Display version information.
|
|
|
|
.TP
|
|
.B status
|
|
Show the current status of signing keys and MOK enrollment.
|
|
|
|
.SH FILES
|
|
.TP
|
|
.I /etc/ksigner/ksigner.conf
|
|
Main configuration file.
|
|
|
|
.TP
|
|
.I /etc/pki/sbsign/certs/MOK.pem
|
|
Public signing key in PEM format.
|
|
|
|
.TP
|
|
.I /etc/pki/sbsign/private/MOK.priv
|
|
Private signing key.
|
|
|
|
.TP
|
|
.I /etc/pki/sbsign/certs/MOK.der
|
|
Public signing key in DER format for MOK import.
|
|
|
|
.TP
|
|
.I /var/log/ksigner.log
|
|
Log file.
|
|
|
|
.SH CONFIGURATION
|
|
The behavior of ksigner can be customized through the configuration file
|
|
.IR /etc/ksigner/ksigner.conf .
|
|
Key configuration options include:
|
|
|
|
.TP
|
|
.B KEY_LIFETIME_DAYS
|
|
Number of days the signing keys should remain valid (default: 36500, approximately 100 years).
|
|
|
|
.SH EXAMPLES
|
|
.TP
|
|
Set up signing keys for the first time:
|
|
.B ksigner setup
|
|
|
|
.TP
|
|
Sign the latest kernel:
|
|
.B ksigner sign
|
|
|
|
.TP
|
|
Sign a specific kernel:
|
|
.B ksigner sign /boot/vmlinuz-6.1.0-13-amd64
|
|
|
|
.TP
|
|
Sign all kernels:
|
|
.B ksigner sign-all
|
|
|
|
.TP
|
|
Check the status of signing keys:
|
|
.B ksigner status
|
|
|
|
.SH REQUIREMENTS
|
|
The following packages must be installed for ksigner to function:
|
|
.IP \(bu 4
|
|
openssl - for key generation and certificate operations
|
|
.IP \(bu 4
|
|
mokutil - for Machine Owner Key management
|
|
.IP \(bu 4
|
|
sbsigntools - for signing kernels (provides sbsign command)
|
|
.IP \(bu 4
|
|
hmaccalc - for generating kernel HMAC files
|
|
.IP \(bu 4
|
|
sudo - for privilege escalation
|
|
.IP \(bu 4
|
|
bash (version 4.0 or later) - for shell scripting features
|
|
|
|
.SH SECURITY CONSIDERATIONS
|
|
.IP \(bu 4
|
|
Private keys are stored with restrictive permissions (600) in /etc/pki/sbsign/private/
|
|
.IP \(bu 4
|
|
The setup process requires manual MOK enrollment to prevent unauthorized key installation
|
|
.IP \(bu 4
|
|
All operations require root privileges
|
|
.IP \(bu 4
|
|
HMAC files are generated for signed kernels to maintain integrity
|
|
|
|
.SH EXIT STATUS
|
|
.B ksigner
|
|
exits with status 0 on success, and non-zero on error.
|
|
|
|
.SH BUGS
|
|
Report bugs to your distribution's bug tracking system or the project repository.
|
|
|
|
.SH SEE ALSO
|
|
.BR mokutil (8),
|
|
.BR sbsign (1),
|
|
.BR openssl (1),
|
|
.BR systemctl (1)
|