| View previous topic :: View next topic |
| Author |
Message |
nvaert1986
Tux's lil' helper
Joined: 05 May 2019
Posts: 124
|
 Posted: Fri Jul 26, 2024 1:36 pm Post subject: [SOLVED] Error following the Gentoo Wiki Secure Boot guide |
 |
|
Hello everybody,
I'm trying to set-up Secure Boot on my machine correctly, but I'm receiving an error during the step: Signing the Signature Lists with the command to sign the signature databases.
| Code: |
for db_type in db dbx; do sign-efi-sig-list -k custom_config/${db_type}.key -c custom_config/KEK.crt $db_type ${db_type}.esl ${db_type}.auth ; done
|
| Code: |
Timestamp is 2024-7-26 15:33:38
Authentication Payload size 5991
Enter PEM pass phrase:
40A7E56B1F7F0000:error:05800074:x509 certificate routines:X509_check_private_key:key values mismatch:../openssl-3.0.13/crypto/x509/x509_cmp.c:408:
40A7E56B1F7F0000:error:1080007F:PKCS7 routines:PKCS7_sign_add_signer:private key does not match certificate:../openssl-3.0.13/crypto/pkcs7/pk7_smime.c:125:
Signature of size 22
Signature at: 40
Timestamp is 2024-7-26 15:33:40
Authentication Payload size 20432
Enter PEM pass phrase:
40F7CB7DB97F0000:error:05800074:x509 certificate routines:X509_check_private_key:key values mismatch:../openssl-3.0.13/crypto/x509/x509_cmp.c:408:
40F7CB7DB97F0000:error:1080007F:PKCS7 routines:PKCS7_sign_add_signer:private key does not match certificate:../openssl-3.0.13/crypto/pkcs7/pk7_smime.c:125:
Signature of size 22
Signature at: 40
|
I've tried it twice with creating clean keys. What could be the cause of this error?
Last edited by nvaert1986 on Tue Aug 06, 2024 7:59 am; edited 1 time in total |
|
| Back to top |
|
 |
nvaert1986
Tux's lil' helper
Joined: 05 May 2019
Posts: 124
|
| Posted: Mon Aug 05, 2024 11:39 am Post subject: |
|
|
| Bump: Anyone? |
|
| Back to top |
|
|
salahx
Guru
Joined: 12 Mar 2005
Posts: 556
|
| Posted: Mon Aug 05, 2024 10:53 pm Post subject: |
|
|
I think that article has a few error has a few error. The DB and DBX values should not have their own keys, rather, they should be signed by your KEK. So the line should be:
| Code: | | for db_type in db dbx; do sign-efi-sig-list -k custom_config/KEK.key -c custom_config/KEK.crt $db_type ${db_type}.esl ${db_type}.auth ; done |
|
|
| Back to top |
|
|
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 5090
Location: Bavaria
|
|
| Back to top |
|
|
nvaert1986
Tux's lil' helper
Joined: 05 May 2019
Posts: 124
|
| Posted: Tue Aug 06, 2024 7:59 am Post subject: |
|
|
| After doing some more searching on the internet (facing issues with TPM), using grub and checking other available options, I have decided not to use custom secure boot keys, but to go the Shim / MOK route using a combination of the following articles: https://wiki.gentoo.org/wiki/Shim and https://www.setphaserstostun.org/posts/secure-boot-on-gentoo-with-shim-grub/ with some custom scripting as this leaves the default Secure Boot keys intact and I'm still able to automate the process using the "secureboot" USE flag which will automatically sign the kernel and kernel modules and enhance the security this way. |
|
| Back to top |
|
|
|
Networking & Security
