blob: 5a6edbbaede2163327f59cbaca6e675c57575e79 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
# Secure Boot
## CA
Create Certificate Authority used for Kernel signing. CA is loaded into the
Machine Owner Key store on the target system.
```bash
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
openssl x509 -inform der -in MOK.der -out MOK.pem
```
## Kernel Module Signing Key
We do not make use of ephemeral keys for Kernel module signing. Instead a key
is generated and signed by the VyOS Secure Boot CA which signs all the Kernel
modules during ISO assembly if present.
```bash
openssl req -newkey rsa:2048 -keyout kernel.key -out kernel.csr -subj "/CN=VyOS Secure Boot Signer 2024 - linux/" -nodes
openssl x509 -req -in kernel.csr -CA MOK.pem -CAkey MOK.key -CAcreateserial -out kernel.pem -days 730 -sha256
```
|
