Add Secure Boot #59

Open
hanthor opened this issue Dec 27, 2024 · 2 comments
@hanthor

hanthor commented Dec 27, 2024

No description provided.

@hanthor hanthor self-assigned this Dec 27, 2024
@hanthor

hanthor commented Dec 27, 2024

Stream 10 does have a shim but it seems out of date. https://issues.redhat.com/browse/RHEL-69544

If we ever enable kernel modules we will have to sign our own kernel.

If we want to enable secure boot right now, we also need to sign the kernel with our MOK key:

```bash
# Sign the kernel with the MOK
sbsign --key MOK.key --cert MOK.crt /boot/vmlinuz-$(uname -r) --output /boot/vmlinuz-$(uname -r).signed
```

Ok so ublue currently does this signing in the kernel-cache CI. We can do something similar, but it would be nice to avoid making another repo just for handling kernels.

Not sure what other alternatives there are, short of using a ctx or some other kind of container to mount the filesystem of the image and sign from there. It would be nice if this was part of bib.

@tulilirockz

Needs to get fixed on main, too

@tulilirockz tulilirockz transferred this issue from centos-workstation/achillobator Jan 8, 2025