![image](https://gist.github.com/user-attachments/assets/b241ca59-fc62-4d67-8251-0bf8560d3b0d)

# CachyOS Kernel for Fedora with Secure Boot

Did you just install `kernel-cachyos` and got hit by `bad shim signature` when booting? Me too. This is how I fixed it.

First, make sure you have Secure Boot enabled with `mokutil --sb-state`.

*Note: there's a second way of doing this by using [`sbctl`](https://wiki.cachyos.org/configuration/secure_boot_setup/), but I didn't want to wipe my Secure Boot keys.*

# Installing the CachyOS Kernel

Full instructions at https://github.com/CachyOS/copr-linux-cachyos

1. Check your CPU support with `/lib64/ld-linux-x86-64.so.2 --help | grep "(supported, searched)"`; my CPU supports v2, v3 and v4.
2. Enable a suitable repo: `sudo dnf copr enable bieszczaders/kernel-cachyos`.
3. Install a suitable kernel: `sudo dnf install kernel-cachyos kernel-cachyos-devel-matched`.
4. Let the kernel load modules: `sudo setsebool -P domain_kernel_load_modules on`.
5. Done! If you reboot now you'll get the "bad shim signature" error and have to pick an official Fedora kernel to boot. Don't worry, you didn't break anything: shim refuses the CachyOS image only because it is not signed with a key the firmware or the MOK list trusts.

# Signing the CachyOS Kernel

We can self-sign the kernel by adding our key as a MOK (Machine Owner Key).
*Based on general kernel signing procedures for [Fedora](https://docs.fedoraproject.org/en-US/quick-docs/kernel-build-custom/) and [RHEL](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/signing-a-kernel-and-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel#generating-a-public-and-private-key-pair_signing-a-kernel-and-modules-for-secure-boot).*

```bash
sudo dnf install pesign openssl kernel-devel mokutil keyutils

# Allow your user to use pesign's NSS database.
# (A plain `sudo echo ... >> file` would fail: the redirection runs as your user, not as root.)
echo "$USER" | sudo tee -a /etc/pesign/users
sudo /usr/libexec/pesign/pesign-authorize

# Generate a signing key and a self-signed certificate (DER), valid for ~100 years
openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" \
    -outform DER -out "cert.der" -nodes -days 36500 \
    -subj "/CN=CachyOS Secure Boot/"

# Bundle key and certificate, then import both into pesign's NSS database
openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der
sudo certutil -A -i cert.der -n "CachyOS Secure Boot" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"
sudo pk12util -i key.p12 -d /etc/pki/pesign

# Queue the certificate for MOK enrollment (you will be asked for a one-time password)
sudo mokutil --import "cert.der"

# Sign the installed kernel image and replace the unsigned one with it
cd /boot
sudo pesign --certificate 'CachyOS Secure Boot' \
    --in vmlinuz-6.14.6-cachyos1.fc42.x86_64 \
    --sign \
    --out vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed
sudo mv vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed vmlinuz-6.14.6-cachyos1.fc42.x86_64
```

Reboot and, when MokManager appears, choose to enroll the key. The MOK password is only used once so I suggest using "12345678".

Replace "CachyOS Secure Boot" and "vmlinuz-6.14.6-cachyos1.fc42.x86_64" with whatever applies in your case. To confirm the result, `sudo pesign --show-signature --in /boot/vmlinuz-6.14.6-cachyos1.fc42.x86_64` lists the embedded signature, and after the reboot `mokutil --test-key cert.der` reports whether the certificate is enrolled.

# Automatically signing kernel updates

Hooray! You can now boot the CachyOS Kernel for Fedora with Secure Boot enabled! Let's make sure that it continues to work across updates!

1. Create and open `sudo nano /etc/kernel/postinst.d/00-signing`
2. Enter the following content:

```bash
#!/bin/sh
# Kernel post-install hook: sign the freshly installed kernel image with the MOK
# key stored in pesign's NSS database. Called as: <kernel version> <image path>
set -e

KERNEL_IMAGE="$2"
MOK_KEY_NICKNAME="CachyOS Secure Boot"

if [ "$#" -ne 2 ]; then
    echo "Wrong count of command line arguments. This is not meant to be called directly." >&2
    exit 1
fi

if [ ! -x "$(command -v pesign)" ]; then
    echo "pesign not executable. Bailing." >&2
    exit 1
fi

if [ ! -w "$KERNEL_IMAGE" ]; then
    echo "Kernel image $KERNEL_IMAGE is not writable." >&2
    exit 1
fi

echo "Signing $KERNEL_IMAGE..."
# The hook already runs as root during the package transaction, so sudo is not needed.
pesign --certificate "$MOK_KEY_NICKNAME" --in "$KERNEL_IMAGE" --sign --out "$KERNEL_IMAGE.signed"
mv "$KERNEL_IMAGE.signed" "$KERNEL_IMAGE"
```

3. Correct the permissions with: `sudo chown root:root /etc/kernel/postinst.d/00-signing; sudo chmod u+rx /etc/kernel/postinst.d/00-signing`

## Fix default kernel after updates

Whenever you receive an update to the official Fedora kernel, it will replace the CachyOS kernel as the default kernel. One solution is to uninstall the official kernel; another is to reset the default kernel to CachyOS after each update:

1. Create and open `sudo nano /etc/kernel/postinst.d/99-default`
2. Enter the following content:

```bash
#!/bin/sh
# Make the newest installed CachyOS kernel the default GRUB entry.
# sort -V orders dotted versions numerically (6.9 < 6.14), unlike a plain sort.
set -e
grubby --set-default="/boot/$(ls /boot | grep 'vmlinuz.*cachyos' | sort -V | tail -n 1)"
```

3. Correct the permissions with: `sudo chown root:root /etc/kernel/postinst.d/99-default; sudo chmod u+rx /etc/kernel/postinst.d/99-default`
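The `99-default` hook picks the newest CachyOS image with `ls | sort -V | tail -1`. The shell functions below are an added example, not part of the original gist, that do the same selection but guard two edge cases the one-liner does not: a `/boot` that currently holds no CachyOS kernel at all (the one-liner would then hand `grubby` the bare path `/boot/`), and a leftover `*.signed` image from an interrupted signing run, which sorts after the real kernel and would be chosen as "newest". The `GRUBBY` variable is an assumption made so the function can be exercised without touching a real boot loader; the file names in the comments are constructed samples.

```bash
#!/bin/sh
# Added example: version-aware selection of the newest CachyOS kernel image
# with guards, usable as the body of a /etc/kernel/postinst.d hook.

# Print the full path of the highest-versioned vmlinuz-*cachyos* image in the
# directory given as $1. Prints nothing and returns 1 if there is none.
latest_cachyos_kernel() {
    boot_dir="$1"
    newest=$(
        for f in "$boot_dir"/vmlinuz-*cachyos*; do
            [ -f "$f" ] || continue                  # glob matched nothing
            case "$f" in *.signed) continue ;; esac  # leftover from an interrupted signing run
            printf '%s\n' "$f"
        done | sort -V | tail -n 1                   # sort -V: 6.9.0 < 6.14.6 (lexical sort would get this wrong)
    )
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Point the default boot entry at that kernel, but only when one exists.
# GRUBBY (assumed variable) defaults to the real grubby binary; the test
# substitutes 'echo' so no boot loader configuration is modified.
set_default_to_cachyos() {
    boot_dir="$1"
    kernel=$(latest_cachyos_kernel "$boot_dir") || {
        echo "No CachyOS kernel found in $boot_dir; leaving the default untouched." >&2
        return 1
    }
    "${GRUBBY:-grubby}" --set-default="$kernel"
}

# As a hook body you would simply call:  set_default_to_cachyos /boot
```

Unlike the one-liner, a failure here is reported on stderr and leaves the existing default entry alone, which is the safer outcome when the signing hook or the package transaction did not complete.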