View previous topic :: View next topic |
Author |
Message |
nvaert1986 Tux's lil' helper
Joined: 05 May 2019 Posts: 124
|
Posted: Fri Jul 26, 2024 1:36 pm Post subject: [SOLVED] Error following the Gentoo Wiki Secure Boot guide |
|
|
Hello everybody,
I'm trying to set-up Secure Boot on my machine correctly, but I'm receiving an error during the step: Signing the Signature Lists with the command to sign the signature databases.
Code: |
for db_type in db dbx; do sign-efi-sig-list -k custom_config/${db_type}.key -c custom_config/KEK.crt $db_type ${db_type}.esl ${db_type}.auth ; done
|
Code: |
Timestamp is 2024-7-26 15:33:38
Authentication Payload size 5991
Enter PEM pass phrase:
40A7E56B1F7F0000:error:05800074:x509 certificate routines:X509_check_private_key:key values mismatch:../openssl-3.0.13/crypto/x509/x509_cmp.c:408:
40A7E56B1F7F0000:error:1080007F:PKCS7 routines:PKCS7_sign_add_signer:private key does not match certificate:../openssl-3.0.13/crypto/pkcs7/pk7_smime.c:125:
Signature of size 22
Signature at: 40
Timestamp is 2024-7-26 15:33:40
Authentication Payload size 20432
Enter PEM pass phrase:
40F7CB7DB97F0000:error:05800074:x509 certificate routines:X509_check_private_key:key values mismatch:../openssl-3.0.13/crypto/x509/x509_cmp.c:408:
40F7CB7DB97F0000:error:1080007F:PKCS7 routines:PKCS7_sign_add_signer:private key does not match certificate:../openssl-3.0.13/crypto/pkcs7/pk7_smime.c:125:
Signature of size 22
Signature at: 40
|
I've tried it twice with creating clean keys. What could be the cause of this error?
Last edited by nvaert1986 on Tue Aug 06, 2024 7:59 am; edited 1 time in total |
|
Back to top |
|
|
nvaert1986 Tux's lil' helper
Joined: 05 May 2019 Posts: 124
|
Posted: Mon Aug 05, 2024 11:39 am Post subject: |
|
|
Bump: Anyone? |
|
Back to top |
|
|
salahx Guru
Joined: 12 Mar 2005 Posts: 556
|
Posted: Mon Aug 05, 2024 10:53 pm Post subject: |
|
|
I think that article has a few error has a few error. The DB and DBX values should not have their own keys, rather, they should be signed by your KEK. So the line should be:
Code: | for db_type in db dbx; do sign-efi-sig-list -k custom_config/KEK.key -c custom_config/KEK.crt $db_type ${db_type}.esl ${db_type}.auth ; done |
|
|
Back to top |
|
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5094 Location: Bavaria
|
|
Back to top |
|
|
nvaert1986 Tux's lil' helper
Joined: 05 May 2019 Posts: 124
|
Posted: Tue Aug 06, 2024 7:59 am Post subject: |
|
|
After doing some more searching on the internet (facing issues with TPM), using grub and checking other available options, I have decided not to use custom secure boot keys, but to go the Shim / MOK route using a combination of the following articles: https://wiki.gentoo.org/wiki/Shim and https://www.setphaserstostun.org/posts/secure-boot-on-gentoo-with-shim-grub/ with some custom scripting as this leaves the default Secure Boot keys intact and I'm still able to automate the process using the "secureboot" USE flag which will automatically sign the kernel and kernel modules and enhance the security this way. |
|
Back to top |
|
|
|