Did you just install kernel-cachyos and got hit by bad shim signature when booting? Me too. This is how I fixed it.
First, make sure you have Secure Boot with mokutil --sb-state.
Note, there's a second way of doing this by using sbctl, but I didn't want to wipe my Secure Boot keys.
Need help? Feel free to leave a comment below, contact me (@mikaeldui) on the CachyOS Discord, or send me an email.
Full instructions at https://github.com/CachyOS/copr-linux-cachyos
- Check your CPU support
/lib64/ld-linux-x86-64.so.2 --help | grep "(supported, searched)", my CPU supports v2, v3 and v4. - Enable a suitable repo:
sudo dnf copr enable bieszczaders/kernel-cachyos. - Install suitable kernel:
sudo dnf install kernel-cachyos kernel-cachyos-devel-matched. - Let the kernel load modules:
sudo setsebool -P domain_kernel_load_modules on. - Done!
If you reboot now you'll get the "bad shim signature" error and have to pick an official Fedora kernel to boot. Don't worry, you didn't break anything.
We can self-sign the kernel by adding our key as a MOK (Machine Owner Key).
Based on general kernel signing procedures for Fedora and RHEL.
# Install required packages
sudo dnf install pesign openssl kernel-devel mokutil keyutils
# Allow our user to sign kernels
sudo echo "$USER" | sudo tee -a /etc/pesign/users
sudo /usr/libexec/pesign/pesign-authorize
# Generate a certificate to sign the kernel with
openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" \
-outform DER -out "cert.der" -nodes -days 36500 \
-subj "/CN=CachyOS Secure Boot/"
openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der
sudo certutil -A -i cert.der -n "CachyOS Secure Boot" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"
# Import the certificate
sudo pk12util -i key.p12 -d /etc/pki/pesign
sudo mokutil --import "cert.der"
# Sign the kernel, replace "vmlinuz-6.14.6-cachyos1.fc42.x86_64" with the current version.
cd /boot
sudo pesign --certificate 'CachyOS Secure Boot' \
--in vmlinuz-6.14.6-cachyos1.fc42.x86_64 \
--sign \
--out vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed
# Manually replace the unsigned kernel with the signed one (pesign can't overwrite files right now).
sudo mv vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed vmlinuz-6.14.6-cachyos1.fc42.x86_64And reboot and choose enroll the key. The MOK password is only used once so I suggest using "12345678". Replace "CachyOS Secure Boot" and "vmlinuz-6.14.6-cachyos1.fc42.x86_64" with whatever applies in your case.
Whooray! You can now boot the CachyOS Kernel for Fedora with Secure Boot enabled! Let's make sure that it continues to work across updates!
- Create and open
sudo nano /etc/kernel/postinst.d/00-signing - Enter the following content:
#!/bin/sh
set -e
KERNEL_IMAGE="$2"
MOK_KEY_NICKNAME="CachyOS Secure Boot"
if [ "$#" -ne "2" ] ; then
echo "Wrong count of command line arguments. This is not meant to be called directly." >&2
exit 1
fi
if [ ! -x "$(command -v pesign)" ] ; then
echo "pesign not executable. Bailing." >&2
exit 1
fi
if [ ! -w "$KERNEL_IMAGE" ] ; then
echo "Kernel image $KERNEL_IMAGE is not writable." >&2
exit 1
fi
echo "Signing $KERNEL_IMAGE..."
pesign --certificate "$MOK_KEY_NICKNAME" --in "$KERNEL_IMAGE" --sign --out "$KERNEL_IMAGE.signed"
mv "$KERNEL_IMAGE.signed" "$KERNEL_IMAGE"- Correct the permissions with:
sudo chown root:root /etc/kernel/postinst.d/00-signing ; sudo chmod u+rx /etc/kernel/postinst.d/00-signing
Whenever you receive an update to the official Fedora kernel it will replace the CachyOS kernel as the default kernel. One solution is to uninstall the official kernel, and another is to reset the default kernel to CachyOS after each update:
- Create and open
sudo nano /etc/kernel/postinst.d/99-default - Enter the following content:
#!/bin/sh
set -e
grubby --set-default=/boot/$(ls /boot | grep vmlinuz.*cachy | sort -V | tail -1)- Correct the permissions with:
sudo chown root:root /etc/kernel/postinst.d/99-default ; sudo chmod u+rx /etc/kernel/postinst.d/99-default
@msmafra It's a copy paste of some "kernel install hook" script that I found, that I modified for pesign. I'm far from a bash expert. There are more checks to be added, e.g. it shouldn't re-sign the official Fedora kernels. π I'll check and test your code tomorrow. Perhaps this should be turned into a general MOK kernel signing tool in a normal Git repo.
If you can't wait for the next update then you can trigger a reinstall with
sudo dnf reinstall kernel-cachyos-coreapparently. I don't know what happens if you reinstall the running kernel though.