ermor n00b
Joined: 05 Jan 2025 Posts: 2
Posted: Sun Jan 05, 2025 7:14 pm Post subject: Secure Boot: Stuck at "signing boot files"
Hello everyone,
I've recently installed Gentoo and I'm currently trying to enable Secure Boot (https://wiki.gentoo.org/wiki/Secure_Boot). Everything seems to have gone well so far, but now I'm trying to sign my boot files and the link doesn't really seem to account for my situation. It expects me to be using a Unified Kernel Image and GPG encrypted keys, but I'm using the distribution kernel with GRUB and symmetrically protected keyfiles, and it's a bit unclear to me what I should be signing, and the exact commands I should use.
I remembered there being a step to sign the distribution kernel in the handbook (https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel#Distribution_kernels) and I tried to follow it by giving the paths to my db.key and db.cer, but the subsequent emerge apparently really wants these to be PEM, and there was no step to create these specific file formats, so I'm not too sure what it's about.
I've also found this link (https://www.reddit.com/r/Gentoo/comments/15w78vw/confusion_with_secure_booting_signing_boot_files/) that seems to indicate I should sign the distribution kernel and GRUB, but it doesn't say how and the emerge I got seemed to imply my Nvidia drivers would also need to be signed, so it doesn't seem to be complete either.
Does anyone have any insight on what I should do?
zen_desu Tux's lil' helper
Joined: 25 Oct 2024 Posts: 94
Posted: Sun Jan 05, 2025 7:41 pm Post subject:
Most sections on the secure boot wiki page should include steps for plain/openssl protected keys as well as GPG ones.
The file extension can be changed, just be sure you're using the cert and key accordingly. The guide uses .key for the key, and .crt for the cert. Portage needs the 'db' key.
µgRD dev
Wiki writer
ermor n00b
Joined: 05 Jan 2025 Posts: 2
Posted: Mon Jan 06, 2025 8:51 pm Post subject:
Thanks for your help! I've gone a bit farther in the process, but for some reason the proprietary Nvidia drivers refuse signing, and I can't emerge them.
According to the log:
Code:
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:1C80009F:Provider routines::unable to get passphrase: ../openssl-3.3.2/providers/implementations/encode_decode/decode_epki2pki.c:121
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:04800068:PEM routines::bad password: ../openssl-3.3.2/pem/pem_pkey.c:159
I didn't say earlier, sorry, but I have the "modules-sign" and "secureboot" USE flags and the MODULES_SIGN_KEY, MODULES_SIGN_CERT, SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT paths filled in with my db.key and db.crt (turned into .pem), and MODULES_SIGN_HASH="sha256".
Interestingly enough, the log mentions my key and cert files so it reads the paths given in my make.conf, but I'm not asked for my PEM password, which I assume is the problem. Am I supposed to give it to the install process in some other way?
EDIT: I thought of signing the drivers manually, and I found this topic (https://forums.gentoo.org/viewtopic-p-8844330.html) which suggests a possible solution to my problem, but I'm not sure which modules NeddySeagoon is talking about. Sorry if this is a dumb question, I'm just starting, but would anyone know precisely where these modules would be? Hopefully I can still sign them even though the emerge fails.
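As an added example (not code from this thread, from Portage or from the wiki), a pre-flight check for the two pitfalls the posts above run into: it reads the four signing variables from make.conf text and classifies each referenced file as DER, PEM certificate, or PEM private key with or without a passphrase, since a build that runs without a terminal cannot answer the passphrase prompt that the "unable to get passphrase" lines come from. The paths and file contents in the sample are constructed placeholders.

```python
import re
from pathlib import Path

# One PEM block: armor label in group 1, everything between the armor lines in group 2.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
# What each Portage signing variable is expected to point at.
SIGN_VARS = {"MODULES_SIGN_KEY": "pem-key", "MODULES_SIGN_CERT": "pem-cert",
             "SECUREBOOT_SIGN_KEY": "pem-key", "SECUREBOOT_SIGN_CERT": "pem-cert"}

def classify(data: bytes) -> str:
    """Label signing material: der, pem-cert, pem-key, pem-key-encrypted or unknown."""
    if data[:1] == b"\x30":                    # ASN.1 SEQUENCE tag: binary DER, not PEM
        return "der"
    m = PEM_BLOCK.search(data)
    if not m:
        return "unknown"
    label, body = m.group(1), m.group(2)
    if label == b"CERTIFICATE":
        return "pem-cert"
    if label == b"ENCRYPTED PRIVATE KEY":      # PKCS#8 key protected by a passphrase
        return "pem-key-encrypted"
    if label.endswith(b"PRIVATE KEY"):         # legacy keys flag encryption in a header line
        return "pem-key-encrypted" if b"Proc-Type: 4,ENCRYPTED" in body else "pem-key"
    return "unknown"

def preflight(make_conf: str, read=lambda p: Path(p).read_bytes()) -> dict:
    """Return a verdict for each signing variable; `read` is injectable for testing."""
    verdicts = {}
    for var, expected in SIGN_VARS.items():
        m = re.search(rf'^{var}="?([^"\n]+)"?', make_conf, re.M)
        if not m:
            verdicts[var] = "unset"
        elif (kind := classify(read(m.group(1)))) == expected:
            verdicts[var] = "ok"
        elif kind == "pem-key-encrypted":
            verdicts[var] = "passphrase-protected key: a non-interactive emerge cannot unlock it"
        elif kind == "der":
            verdicts[var] = "DER encoded: convert to PEM first"
        else:
            verdicts[var] = f"expected {expected}, found {kind}"
    return verdicts

# Constructed sample input; the paths and contents are placeholders, not from the thread.
SAMPLE_MAKE_CONF = '''MODULES_SIGN_KEY="/etc/kernel/db.pem"
MODULES_SIGN_CERT="/etc/kernel/db.crt"
SECUREBOOT_SIGN_CERT="/etc/kernel/db.cer"
'''
FAKE_FILES = {
    "/etc/kernel/db.pem": b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF..\n-----END ENCRYPTED PRIVATE KEY-----\n",
    "/etc/kernel/db.crt": b"-----BEGIN CERTIFICATE-----\nMIID..\n-----END CERTIFICATE-----\n",
    "/etc/kernel/db.cer": b"\x30\x82\x03\x10\x30\x82\x01\xf8",  # leading bytes of a DER certificate
}
```

Running `preflight(SAMPLE_MAKE_CONF, FAKE_FILES.__getitem__)` flags the encrypted key and the DER certificate while reporting the PEM certificate as ok; on a real system call `preflight(Path("/etc/portage/make.conf").read_text())`.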