Issue in linux kernel module signature

There are multiple issues in the Linux kernel package build scripts which prevent the kernel module signing process, resulting in Secure Boot failing.

Using the original package build script in the vyos-build repo, branch current, up to the latest update.

The first obvious issue is in build-kernel.sh, line 44, which points to the wrong path, with the result that the key is not imported into the environment.

The second is also in build-kernel.sh, line 52: it looks like the previous CONFIG_SYSTEM_TRUSTED_KEYS="" preset overrides the script-generated option, so make will not sign the kernel module files.

build-kernel.sh:44 points to a custom MOK which is obviously not in the repo.

Did you check the Secure Boot — VyOS 1.5.x (circinus) documentation?

Please note that Kernel module signing is different than Secure-Boot signing. We will sign all modules on a CI run using an ephemeral key. This key is embedded in the Kernel binary to verify that the Kernel modules can be loaded.

The Kernel itself is later signed by sbsign so it can be validated by SHIM/GRUB if it was signed with a key trusted by the local UEFI - hence the interim MOK.

Sorry, I confused something here. But the issue is clear: the wrong path is what breaks Kernel Module Signing. The path should be
CERTS=$(find ../../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok/ -name "*.pem" -type f || true)
This snippet will never work, as the script enters the linux folder in the previous cd line.
And could you run this process to see what goes wrong? The script is not working even after I fixed it.
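As an added example (not the vyos-build script itself, nor the snippet quoted above), here is a POSIX shell version of the two steps this thread discusses: collecting the MOK certificates from a path that does not depend on the current directory, and writing CONFIG_SYSTEM_TRUSTED_KEYS so that an earlier preset cannot shadow it. The mok directory and file names are assumptions.

```shell
#!/bin/sh
# Added example, not vyos-build's own script. It shows a defensive shape for
# the two problems raised in this thread: a certificate path that silently
# breaks after a `cd`, and a CONFIG_SYSTEM_TRUSTED_KEYS preset that wins over
# the value the script meant to set. Directory names are assumptions.
set -eu

# Concatenate every *.pem directly under MOK_DIR into BUNDLE and print how
# many were found. Fails loudly when none match, instead of leaving CERTS
# empty and building a kernel that trusts no MOK at all.
collect_certs() {
    mok_dir="$1"; bundle="$2"; found=0
    : > "$bundle"
    for pem in "$mok_dir"/*.pem; do
        [ -f "$pem" ] || continue
        cat "$pem" >> "$bundle"
        found=$((found + 1))
    done
    [ "$found" -gt 0 ] || { echo "no .pem files under $mok_dir" >&2; return 1; }
    echo "$found"
}

# Assign KEY="VALUE" in CFG exactly once: any earlier KEY= line or
# "# KEY is not set" line is dropped first, so a preset cannot shadow the
# generated value no matter which order the fragments were applied in.
set_kconfig_str() {
    cfg="$1"; key="$2"; val="$3"
    { grep -v -e "^$key=" -e "^# $key is not set" "$cfg" || true; } > "$cfg.tmp"
    printf '%s="%s"\n' "$key" "$val" >> "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Print the unquoted value of KEY in CFG; fails unless it is set exactly once,
# which is the check to run before `make` if module signing must not be skipped.
kconfig_value() {
    cfg="$1"; key="$2"
    n=$(grep -c "^$key=" "$cfg" || true)
    [ "$n" -eq 1 ] || { echo "$key set $n times in $cfg" >&2; return 1; }
    sed -n "s/^$key=\"\{0,1\}\([^\"]*\)\"\{0,1\}$/\1/p" "$cfg"
}

# Typical use, anchored to the script's own directory rather than to $PWD, so
# a later `cd linux` does not change where the certificates are looked for:
#   here=$(cd "$(dirname "$0")" && pwd)
#   collect_certs "$here/mok" "$here/mok-bundle.pem"
#   set_kconfig_str linux/.config CONFIG_SYSTEM_TRUSTED_KEYS "$here/mok-bundle.pem"
#   kconfig_value linux/.config CONFIG_SYSTEM_TRUSTED_KEYS
```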

That is something else and not related to Kernel module signing.
This line is for loading additional CAs into the Kernel's trust chain.

Following the documentation on how to build a secure-boot enabled image and then testing it using make testsb yields:

I found the reason why it is not working in the actual build: some functions rely on the module signature to work. Seems like sbsigntool and modutil need to be added to the package list.

I added sbsigntool to our Build container

It seems like modutil is also required for it to work properly; otherwise, when I tried to run show version, the OS showed modutil is missing/no such file.

I think it should be added to vyos-utils.list.chroot or architectures. Also the script in build-kernel.sh; otherwise the custom MOK.pem will not be trusted in the kernel (is it a better practice?).

Ok, I see why these two packages are not installed: vyos-1x should remove the arch amd64-only dependency relationship, as it will completely not work without them.
