summaryrefslogtreecommitdiff
path: root/data/live-build-config/includes.chroot/var/lib
diff options
context:
space:
mode:
Diffstat (limited to 'data/live-build-config/includes.chroot/var/lib')
-rw-r--r--data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md13
1 files changed, 1 insertions, 12 deletions
diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
index 5a6edbba..abaaa97a 100644
--- a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
+++ b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
@@ -6,17 +6,6 @@ Create Certificate Authority used for Kernel signing. CA is loaded into the
Machine Owner Key store on the target system.
```bash
-openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
+openssl req -new -x509 -newkey rsa:4096 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
openssl x509 -inform der -in MOK.der -out MOK.pem
```
-
-## Kernel Module Signing Key
-
-We do not make use of ephemeral keys for Kernel module signing. Instead a key
-is generated and signed by the VyOS Secure Boot CA which signs all the Kernel
-modules during ISO assembly if present.
-
-```bash
-openssl req -newkey rsa:2048 -keyout kernel.key -out kernel.csr -subj "/CN=VyOS Secure Boot Signer 2024 - linux/" -nodes
-openssl x509 -req -in kernel.csr -CA MOK.pem -CAkey MOK.key -CAcreateserial -out kernel.pem -days 730 -sha256
-```
generated by cgit v1.2.3 (git 2.39.1) at 2025-07-03 08:52:08 +0000