After you have created the configuration file, you can create an X.509 public and private key pair. The public key will be written to the `public_key.der` file and the private key will be written to the `private_key.priv` file.

----
~]# openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 \
> -batch -config configuration_file.config -outform DER \
> -out public_key.der \
> -keyout private_key.priv
----
Enroll your public key on all systems where you want to authenticate and load your kernel module.
Take proper care to guard the contents of your private key. In the wrong hands, the key could be used to compromise any system on which your public key is enrolled.
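The following script is an added example, not part of the Fedora guide. It runs the `openssl req` command above against a minimal configuration file constructed here (the guide's own configuration file is created in an earlier step and is not shown on this page; the fields used follow the `[ req ]` / `x509_extensions` layout `openssl req` expects), creates the key pair with a restrictive umask so the private key is never world-readable, and then performs the checks worth doing before enrolling anything: the DER certificate parses, it is not a CA certificate, it carries the `digitalSignature` key usage, its public key matches the private key, and the private key file is mode 0600. `WORKDIR`, `write_config`, `generate_keypair` and `verify_keypair` are names chosen for this example.

```shell
#!/bin/sh
# Added example for this page; not the Fedora guide's own script.
set -eu

# Scratch directory for the generated files (assumption: writable temp space).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write a minimal openssl req configuration. Constructed for this example;
# the guide's configuration file is produced in an earlier step.
write_config() {
    cat > "$WORKDIR/configuration_file.config" <<'EOF'
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = Example Organization
CN = Example Organization kernel module signing key
emailAddress = signing@example.com

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
}

# Generate the key pair with the same openssl invocation the guide uses.
# umask 077 means the private key is created unreadable to others from the start.
generate_keypair() {
    write_config
    umask 077
    openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 \
        -batch -config "$WORKDIR/configuration_file.config" -outform DER \
        -out "$WORKDIR/public_key.der" \
        -keyout "$WORKDIR/private_key.priv" 2>/dev/null
}

# Print the public key (PEM) derived from the private key. openssl req writes
# the key in PEM; the DER fallback only guards against a different build default.
private_key_pubkey() {
    openssl pkey -in "$WORKDIR/private_key.priv" -pubout 2>/dev/null ||
        openssl pkey -inform DER -in "$WORKDIR/private_key.priv" -pubout
}

# Sanity checks before enrolling the public key anywhere. Returns non-zero on
# the first failed check.
verify_keypair() {
    cert="$WORKDIR/public_key.der"
    key="$WORKDIR/private_key.priv"

    # 1. The DER certificate parses and is a leaf signing certificate.
    openssl x509 -inform DER -in "$cert" -noout -text > "$WORKDIR/cert.txt"
    grep -q 'CA:FALSE' "$WORKDIR/cert.txt" || { echo "not CA:FALSE"; return 1; }
    grep -q 'Digital Signature' "$WORKDIR/cert.txt" || { echo "no digitalSignature"; return 1; }

    # 2. The certificate's public key is the one that belongs to the private key.
    cert_pub=$(openssl x509 -inform DER -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(private_key_pubkey | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "public key mismatch"; return 1; }

    # 3. The private key is readable by its owner only (-rw-------).
    perms=$(ls -l "$key" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "private key permissions are $perms"; return 1; }
    echo "key pair in $WORKDIR passed all checks"
}
```

Run `generate_keypair && verify_keypair` on a workstation; the public key check is the one that catches a mismatched pair after a file is overwritten, and the permissions check is the one that catches a key created under a permissive umask.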
===== Enrolling Public Key on Target System
When Fedora boots on a UEFI-based system with Secure Boot enabled, all keys that are in the Secure Boot db key database, but not in the dbx database of revoked keys, are loaded onto the system keyring by the kernel. The system keyring is used to authenticate kernel modules.
====== Factory Firmware Image Including Public Key
To facilitate authentication of your kernel module on your systems, consider requesting your system vendor to incorporate your public key into the UEFI Secure Boot key database in their factory firmware image.
====== Executable Key Enrollment Image Adding Public Key
It is possible to add a key to an existing populated and active Secure Boot key database. This can be done by writing and providing an EFI executable *enrollment* image. Such an enrollment image contains a properly formed request to append a key to the Secure Boot key database. This request must include data that is properly signed by the private key that corresponds to a public key that is already in the system's Secure Boot Key Exchange Key (KEK) database. Additionally, this EFI image must be signed by a private key that corresponds to a public key that is already in the key database.
It is also possible to write an enrollment image that runs under Fedora. However, the Fedora image must be properly signed by a private key that corresponds to a public key that is already in the KEK database.
The construction of either type of key enrollment image requires assistance from the platform vendor.
====== System Administrator Manually Adding Public Key to the MOK List
The Machine Owner Key (MOK) facility is a feature that is supported by Fedora and can be used to augment the UEFI Secure Boot key database. When Fedora boots on a UEFI-enabled system with Secure Boot enabled, the keys on the MOK list are also added to the system keyring in addition to the keys from the key database. The MOK list keys are also stored persistently and securely in the same fashion as the Secure Boot key database keys, but these are two separate facilities. The MOK facility is supported by shim.efi, MokManager.efi, grubx64.efi, and the Fedora [command]#mokutil# utility.
The major capability provided by the MOK facility is the ability to add public keys to the MOK list without needing to have the key chain back to another key that is already in the KEK database. However, enrolling a MOK key requires manual interaction by a *physically present* user at the UEFI system console on each target system. Nevertheless, the MOK facility provides an excellent method for testing newly generated key pairs and testing kernel modules signed with them.
Follow these steps to add your public key to the MOK list:

. Request addition of your public key to the MOK list using a Fedora userspace utility:
+
----
~]# mokutil --import my_signing_key_pub.der
----
+
You will be asked to enter and confirm a password for this MOK enrollment request.

. Reboot the machine.
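As an added example (not part of the Fedora guide), the following shell functions wrap the `mokutil --import` step so that it is safe to run repeatedly: the DER certificate's SHA-1 fingerprint is computed with `openssl`, compared against the `mokutil --list-enrolled` listing (whose `[key N]` / `SHA1 Fingerprint:` layout is assumed here), and an import is only queued when the key is not already on the MOK list. `der_fingerprint`, `fingerprint_enrolled` and `request_mok_enrollment` are names chosen for this example; `mokutil --sb-state`, `--list-enrolled`, `--import` and `--list-new` are the utility's own options.

```shell
#!/bin/sh
# Added example for this page; not the Fedora guide's own script.
# Requires openssl; request_mok_enrollment additionally requires mokutil on a UEFI system.
set -eu

# SHA-1 fingerprint of a DER certificate, lower-case and colon-separated,
# which is the form mokutil prints in its listings.
der_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 |
        sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# Read a `mokutil --list-enrolled` listing on stdin; succeed if the given
# fingerprint appears as one of the enrolled keys.
fingerprint_enrolled() {
    grep -i -q "^SHA1 Fingerprint: $1\$"
}

# Idempotent enrollment request for one DER public key. Shows Secure Boot
# state, skips keys already on the MOK list, and lists the pending request
# that MokManager will present on the next boot.
request_mok_enrollment() {
    der="$1"
    mokutil --sb-state
    fp=$(der_fingerprint "$der")
    if mokutil --list-enrolled | fingerprint_enrolled "$fp"; then
        echo "key $fp is already on the MOK list; nothing to do"
        return 0
    fi
    # Prompts for the one-time password that MokManager asks for after reboot.
    mokutil --import "$der"
    echo "pending MOK enrollment requests:"
    mokutil --list-new
}
```

After the reboot and the MokManager dialog, `mokutil --list-enrolled | fingerprint_enrolled "$(der_fingerprint my_signing_key_pub.der)"` confirms the key landed on the list before any signed module is loaded.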