[elrepo-devel] How to avoid the "tainting kernel" message?

Akemi Yagi amyagi at gmail.com
Fri Feb 26 11:43:05 EST 2016


On Thu, Feb 25, 2016 at 6:29 PM, Sang, Oliver <oliver.sang at intel.com> wrote:

> Thanks Akemi,
>
> Then how do I sign my modules? I found kmod(s) from
> http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/ are normally signed. And
> also in kmod rpm spec file -
>
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> # Sign the modules(s)
> %if %{?_with_modsign:1}%{!?_with_modsign:0}
> # If the module signing keys are not defined, define them here.
> %{!?privkey: %define privkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.priv}
> %{!?pubkey: %define pubkey %{_sysconfdir}/pki/SECURE-BOOT-KEY.der}
> for module in $(find %{buildroot} -type f -name \*.ko);
> do %{__perl} /usr/src/kernels/%{kversion}/scripts/sign-file \
> sha256 %{privkey} %{pubkey} $module;
> done
> %endif
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> But I don’t know how to get these secure-boot keys for my local build. Any
> help doc? Thanks!
>
> BR
> Oliver

If you are interested in signing modules for Secure Boot, this doc will
help:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-signing-kernel-modules-for-secure-boot.html

For signing rpm packages, you should be able to find informative pages by
Googling for it.

Akemi
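
A local-build version of the signing step discussed in this thread, added here as an example and not part of either message or of ELRepo's packaging: it creates a self-signed key pair at the paths the spec file defaults to, signs with the same sign-file call, and then reports any module left unsigned. The function names and the certificate subject are assumptions, and the perl invocation assumes an EL7 kernel-devel tree where sign-file is a Perl script.

```shell
#!/bin/sh
# Added example, not ELRepo's code. Key paths reuse the spec file's defaults;
# the function names and certificate subject are assumptions.
PRIVKEY=${PRIVKEY:-/etc/pki/SECURE-BOOT-KEY.priv}
PUBKEY=${PUBKEY:-/etc/pki/SECURE-BOOT-KEY.der}
MAGIC='~Module signature appended~'   # trailer that sign-file appends

# Create a self-signed pair: PEM private key and DER-encoded certificate.
make_modsign_key() {
    ( umask 077   # keep the private key unreadable to other users
      openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
          -subj "/CN=Local kmod signing key/" \
          -keyout "$PRIVKEY" -outform DER -out "$PUBKEY" )
}

# Sign every .ko under directory $1 against kernel version $2,
# using the same sign-file arguments as the spec file.
sign_modules() {
    find "$1" -type f -name '*.ko' | while IFS= read -r module; do
        perl "/usr/src/kernels/$2/scripts/sign-file" \
            sha256 "$PRIVKEY" "$PUBKEY" "$module" || exit 1
    done
}

# True if the file ends with the 28-byte trailer (magic string + newline).
is_signed() {
    [ "$(tail -c 28 "$1" | tr -d '\000')" = "$MAGIC" ]
}

# Print each .ko under $1 that carries no signature; non-zero if any exist.
unsigned_modules() {
    unsigned=$(find "$1" -type f -name '*.ko' | while IFS= read -r module; do
        is_signed "$module" || printf '%s\n' "$module"
    done)
    [ -z "$unsigned" ] && return 0
    printf '%s\n' "$unsigned"
    return 1
}
```

The trailer check only shows that a signature is attached; the kernel accepts it only once the certificate is in its trusted keyring, which under Secure Boot means enrolling `$PUBKEY` with `mokutil --import` and rebooting.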