generated from oracle/template-repo
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathsign.1
114 lines (107 loc) · 2.87 KB
/
sign.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
.TH SIGN 1 "March 20, 2024"
.SH NAME
sign - signing tool for developers
.SH SYNOPSIS
.B sign <command> [<args>]
.SH DESCRIPTION
Generic signing tool for developers. This is \fBNOT for use in production\fR. All
private keys are stored in the clear. This tool is geared towards a developer
that wants to quickly sign things.
.PP
.SH SIGN COMMANDS
.B backup <backup-name>
.RS
Backup both the public and private keys to move to a different machine. Don't
mix backup files between OL8 and OL9.
.RE
.PP
.B bootloader <efiprogram>
.RS
PE sign a boot loader.
.RE
.PP
.B destroy-setup
.RS
Unenroll all keys and remove them from the machine. Afterwards
you must reboot and unenroll them through the MokManager. When
rebooting, shim will load the MokManager and ask for a password.
The password is the same as root. Console access is required for
this step.
.RE
.PP
.B ima <filename>
.RS
IMA sign a file
.RE
.PP
.B init-setup
.RS
Create all the keys. Afterwards you must reboot and enroll them
through the MokManager. When rebooting, shim will load the
MokManager and ask for a password. The password is the same as
root. Console access is required for this step. If you are using
UEK-NEXT kernels, the "Oracle Linux Test Certificate" will also be
enrolled with this step. Only call this once. If you need to
start over issue the destroy-setup command first.
.RE
.PP
.B kernel <kernel name>
.RS
PE sign a kernel
.RE
.PP
.B module <module name>
.RS
Sign a module
.RE
.PP
.B restore <backup-name>
.RS
Restore a backup generated from a different machine. This can
be used in place of the init-setup command. Afterwards a reboot
is required. Follow the same steps as init-setup to enroll the
keys within the MokManager.
.RE
.PP
.SH CONFIGURATION
The default key values are located in /etc/sign/sign.conf. To override
anything in this file, create a custom file called /etc/sign/local.conf
with the value to be overridden.
.SH IMA KEYS
The sign program will enroll the IMA CA. The leaf cert must be loaded
into the .ima keyring. The leaf cert is available in
/etc/sign/x509_ima.der. This could be added to the initram or loaded
after boot.
.SH PK, KEK, and DB KEYS
The bootloader command signs the file with a DB key. This key must be
added through the UEFI. There is also a KEK and PK key that may be
enrolled into the UEFI too. These keys are located in /etc/sign and are
called db.der, kek.der, and pk.der.
.SH EXAMPLE
Use the sign program for local mainline builds. Where the local build
is done on one machine and the built kernel is tested on another.
.PP
On the development machine:
.PP
.RS
.nf
sign init-setup
reboot and follow the MokManager prompts to enroll keys
.fi
.RE
.PP
Afterwards do a backup on the development machine:
.PP
.RS
.nf
sign backup devkeys
Move the "devkeys" backup to the test machine
.fi
.RE
.PP
On the test machine:
.PP
.RS
.nf
sign restore devkeys
reboot and follow the MokManager prompts to enroll keys