@maxried
Last active January 12, 2024 10:43
Automatically Sign Kernels After Installation

This script goes into /etc/kernel/postinst.d. It has to be owned by root and executable, e.g. chown root:root /etc/kernel/postinst.d/00-signing ; chmod u+rx /etc/kernel/postinst.d/00-signing. It automatically signs freshly installed kernel images with the machine owner key (MOK), in a way similar to what dkms does. This is mainly useful if you want to run mainline kernels on Ubuntu with Secure Boot enabled. It requires shim-signed to be set up; if you have questions, this page might help: https://wiki.ubuntu.com/UEFI/SecureBoot#MOK_generation_and_signing_process While I wrote this for Ubuntu 20.04, it should work on current Debian-based distributions. YMMV.

#!/bin/sh
# /etc/kernel/postinst.d/00-signing: the kernel package hooks call each script
# here as "<script> <version> <path-to-kernel-image>"; we sign that image.
set -e
KERNEL_IMAGE="$2"
MOK_DIRECTORY="/var/lib/shim-signed/mok"

if [ "$#" -ne "2" ] ; then
    echo "Wrong count of command line arguments. This is not meant to be called directly." >&2
    exit 1
fi
# sbsign is provided by the sbsigntool package.
if [ ! -x "$(command -v sbsign)" ] ; then
    echo "sbsign not executable. Bailing." >&2
    exit 1
fi
if [ ! -r "$MOK_DIRECTORY/MOK.der" ] ; then
    echo "$MOK_DIRECTORY/MOK.der is not readable." >&2
    exit 1
fi
if [ ! -r "$MOK_DIRECTORY/MOK.priv" ] ; then
    echo "$MOK_DIRECTORY/MOK.priv is not readable." >&2
    exit 1
fi
if [ ! -w "$KERNEL_IMAGE" ] ; then
    echo "Kernel image $KERNEL_IMAGE is not writable." >&2
    exit 1
fi
# sbsign wants the certificate in PEM form; convert the DER file once and keep it.
if [ ! -r "$MOK_DIRECTORY/MOK.pem" ] ; then
    echo "MOK.pem missing. Generating from MOK.der."
    if [ ! -x "$(command -v openssl)" ] ; then
        echo "openssl could not be found. Bailing." >&2
        exit 1
    fi
    openssl x509 -in "$MOK_DIRECTORY/MOK.der" -inform DER -outform PEM -out "$MOK_DIRECTORY/MOK.pem" || { echo "Conversion failed. Bailing." >&2; exit 1 ; }
fi
# Sign in place: input and output are the same file.
echo "Signing $KERNEL_IMAGE..."
sbsign --key "$MOK_DIRECTORY/MOK.priv" --cert "$MOK_DIRECTORY/MOK.pem" --output "$KERNEL_IMAGE" "$KERNEL_IMAGE"
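A companion check I would pair with the hook above, added here and not part of maxried's gist: it reads the PE header of each kernel image given on the command line and reports whether the Certificate Table data-directory entry is populated, i.e. whether sbsign (or the distribution) has attached an Authenticode signature. It assumes a little-endian host (od prints in host byte order) and only tells you a signature is present, not that it chains to your enrolled MOK; use sbverify --cert MOK.pem for that.

```shell
#!/bin/sh
# Usage: sh check-signed.sh /boot/vmlinuz-*
# Added example, not from the gist. EFI-stub kernels are PE32/PE32+ images, so
# a signature shows up as a non-zero Certificate Table entry (data directory 4).

# Print the little-endian unsigned integer of $3 bytes at byte offset $2 of file $1.
le_uint() {
    od -An -t "u$3" -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# Print "<virtual address> <size>" of the Certificate Table entry.
# Returns 2 if the file is not a parsable PE image.
pe_cert_table() {
    img=$1
    [ "$(dd if="$img" bs=1 count=2 2>/dev/null)" = "MZ" ] || return 2
    lfanew=$(le_uint "$img" 60 4)                     # e_lfanew at 0x3c
    [ -n "$lfanew" ] && [ "$(le_uint "$img" "$lfanew" 4)" = "17744" ] || return 2  # "PE\0\0"
    opt=$((lfanew + 24))                              # optional header follows the 20-byte COFF header
    case $(le_uint "$img" "$opt" 2) in
        523) dd_off=$((opt + 112)) ;;                 # 0x20b: PE32+ (x86_64/arm64 kernels)
        267) dd_off=$((opt + 96)) ;;                  # 0x10b: PE32
        *)   return 2 ;;
    esac
    va=$(le_uint "$img" "$((dd_off + 32))" 4)         # entry 4, 8 bytes each
    sz=$(le_uint "$img" "$((dd_off + 36))" 4)
    [ -n "$va" ] && [ -n "$sz" ] || return 2
    echo "$va $sz"
}

# Exit 0 if the image carries a signature table, 1 if not, 2 if it is not a PE image.
kernel_is_signed() {
    entry=$(pe_cert_table "$1") || return 2
    [ "${entry% *}" -gt 0 ] && [ "${entry#* }" -gt 0 ]
}

for img in "$@"; do
    rc=0; kernel_is_signed "$img" || rc=$?
    case $rc in
        0) echo "$img: signed (certificate table present)" ;;
        1) echo "$img: NOT signed" ;;
        *) echo "$img: not a readable PE image" ;;
    esac
done
```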

maxried commented Nov 19, 2021

Hi @berglh,

Thank you very much for your research, and for sharing it. This sounds really cool, I'll soon look into it!

Regards,
Max
