On Sat, 28 Nov 2020 11:25:23 +0100 Mattia Monga <monga@debian.org> wrote:
> Package: debian-kernel-handbook
> Version: 1.0.19
> Severity: wishlist
> X-Debbugs-Cc: monga@debian.org
>
> The procedure needed to produce a signed custom kernel suitable for UEFI Secure
> Boot is not documented (although the Debian kernel packages are correctly
> signed). Even https://wiki.debian.org/SecureBoot explains how to add a Machine
> Owner Key to the system, but not how to produce a signed kernel.
[...]

It should go something like:

1. Generate a certificate and private key
2. Add the certificate to MOK (or db)
3. (Optional) Enable CONFIG_SECURITY_LOCKDOWN_LSM in the kernel config
4. Build the kernel and modules (but not a package)
5. Use sbsigntool to sign the kernel
6. Build the package (make bindeb-pkg)

I don't feel like spending the time to test and write precise
instructions for this, but if someone else does I'd be happy to review
and add them.

Ben.

--
Ben Hutchings
Unix is many things to many people,
but it's never been everything to anybody.
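The six steps listed in the reply above, written out as shell functions. This is an added example, not part of the thread and not instructions from the Debian kernel handbook. Assumed here: the file names MOK.key/MOK.pem/MOK.der, the certificate CN, the x86 image path arch/x86/boot/bzImage, and that `make bindeb-pkg` packages the already-signed image without relinking it, which `verify_deb` checks.

```shell
#!/bin/sh
# Added example: the six steps from the reply, as functions. Names are assumptions:
# MOK.key/MOK.pem/MOK.der, the CN string, and the x86 path arch/x86/boot/bzImage.
set -eu

# Step 1: self-signed cert + key. sbsign wants PEM, mokutil wants DER.
# The key is written unencrypted (-nodes): keep the directory root-only.
make_mok() {  # $1 = key directory
    ( umask 077
      openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
          -subj "/CN=Custom kernel signing key/" \
          -keyout "$1/MOK.key" -out "$1/MOK.pem" )
    openssl x509 -in "$1/MOK.pem" -outform DER -out "$1/MOK.der"
}

# Step 2: queue the cert for enrolment (root; asks for a one-time password
# that MokManager requests again on the next boot).
enroll_mok() { mokutil --import "$1/MOK.der"; }

# Steps 3-6, run from the top of a configured kernel source tree.
build_signed_pkg() {  # $1 = key directory
    img=arch/x86/boot/bzImage
    scripts/config --enable SECURITY_LOCKDOWN_LSM   # step 3 (optional)
    make olddefconfig
    make -j"$(nproc)" bzImage modules               # step 4
    sbsign --key "$1/MOK.key" --cert "$1/MOK.pem" --output "$img.signed" "$img"  # step 5
    sbverify --cert "$1/MOK.pem" "$img.signed"      # stop if the signature does not verify
    mv "$img.signed" "$img"
    make bindeb-pkg                                 # step 6
}

# Check the packaged image. Assumption: bindeb-pkg packages the signed bzImage
# without relinking it. If that does not hold, sbverify fails here.
verify_deb() {  # $1 = key directory, $2 = path to the linux-image .deb
    tmp=$(mktemp -d)
    dpkg-deb -x "$2" "$tmp"
    sbverify --cert "$1/MOK.pem" "$tmp"/boot/vmlinuz-*
    rm -rf "$tmp"
}

# Usage: make_mok /root/mok && enroll_mok /root/mok   (then reboot and enrol)
#        build_signed_pkg /root/mok && verify_deb /root/mok <linux-image .deb>
```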