Debian Signed Boot

From 15h.org
Revision as of 04:49, 19 January 2026 by Mrothfuss

Debian can be configured to sign the installed kernel/initrd automatically each time they are installed or rebuilt. All steps below are run as the root user.

Dependencies

apt install gpg

Generate the signing key

gpg --full-gen-key
  • Use RSA (sign only)
  • Use 4096 bits
  • Set the key to never expire
# Export your public GPG key (gpg --export writes only public key material)
# This will be used by other software to verify the integrity of the kernel/initrd
gpg --export > boot.key

Setup auto-signing

mkdir -p /etc/initramfs/post-update.d/
vim /etc/initramfs/post-update.d/sign_image
#!/bin/sh
# initramfs post-update hook: update-initramfs passes the kernel version as $1
# and the path of the freshly built initrd image as $2.
image="$2"

# gpg refuses to overwrite an existing detached signature, so drop the old one first
if [ -f "${image}.sig" ]; then
	echo "Removing ${image}.sig"
	rm "${image}.sig"
fi

echo "Signing ${image}"
/usr/bin/gpg --detach-sign "${image}" || exit

# Keep a stable path for the newest initrd and its signature
mkdir -p /boot/latest
cp -v "${image}" /boot/latest/initrd.img
cp -v "${image}.sig" /boot/latest/initrd.img.sig
chmod +x /etc/initramfs/post-update.d/sign_image
vim /etc/kernel/postinst.d/sign_image
#!/bin/sh
# kernel postinst hook: the kernel package passes the kernel version as $1
# and the path of the installed kernel image (vmlinuz) as $2.
image="$2"

# gpg refuses to overwrite an existing detached signature, so drop the old one first
if [ -f "${image}.sig" ]; then
	echo "Removing ${image}.sig"
	rm "${image}.sig"
fi

echo "Signing ${image}"
/usr/bin/gpg --detach-sign "${image}" || exit

# Keep a stable path for the newest kernel and its signature
mkdir -p /boot/latest
cp -v "${image}" /boot/latest/vmlinuz
cp -v "${image}.sig" /boot/latest/vmlinuz.sig
chmod +x /etc/kernel/postinst.d/sign_image

Reinstall your kernel

# Find your kernel package
dpkg --list | grep linux-image
# Reinstall your kernel, e.g.:
apt install --mark-auto --reinstall linux-image-6.12.63+deb13-amd64

You should find these messages in the output if everything is set up correctly:

Signing /boot/initrd.img-6.12.63+deb13-amd64
'/boot/initrd.img-6.12.63+deb13-amd64' -> '/boot/latest/initrd.img'
'/boot/initrd.img-6.12.63+deb13-amd64.sig' -> '/boot/latest/initrd.img.sig'

Signing /boot/vmlinuz-6.12.63+deb13-amd64
'/boot/vmlinuz-6.12.63+deb13-amd64' -> '/boot/latest/vmlinuz'
'/boot/vmlinuz-6.12.63+deb13-amd64.sig' -> '/boot/latest/vmlinuz.sig'
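The exported boot.key is only useful if something checks the signatures before the images are trusted. The script below is an added example, not part of this page or of Debian: it verifies /boot/latest/vmlinuz and /boot/latest/initrd.img with gpgv against boot.key alone, and its self-test shows that an image modified after signing is rejected. The boot.key location, the BOOT_KEY/BOOT_LATEST variables and the self-test's throwaway key are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): verify the images in /boot/latest
# using only the exported public key. gpgv never consults ~/.gnupg, so only keys
# found in $KEYRING can make a signature count as good.
set -u
KEYRING="${BOOT_KEY:-/root/boot.key}"      # assumed location of boot.key
LATEST="${BOOT_LATEST:-/boot/latest}"      # directory written by sign_image
# verify_one <file> <sig>: 0 only if <sig> is a good signature over <file>
# by a key in $KEYRING (gpgv exits non-zero on BAD signature or unknown key).
verify_one() {
	gpgv --keyring "$KEYRING" "$2" "$1" 2>/dev/null
}
# verify_latest: check both artifacts, report each, return 1 on any failure.
verify_latest() {
	status=0
	for name in vmlinuz initrd.img; do
		f="$LATEST/$name"
		if [ ! -f "$f" ] || [ ! -f "$f.sig" ]; then
			echo "MISSING  $f (or $f.sig)"; status=1; continue
		fi
		if verify_one "$f" "$f.sig"; then
			echo "OK       $f"
		else
			echo "BAD SIG  $f"; status=1
		fi
	done
	return $status
}
# selftest: throwaway key in a temporary GNUPGHOME plus constructed fake images.
# Returns 0 if the intact images verify and a copy tampered after signing does not.
selftest() {
	work=$(mktemp -d) || return 2
	export GNUPGHOME="$work/gnupg"; mkdir -m 700 "$GNUPGHOME"
	# rsa2048 keeps the self-test fast; the page itself uses 4096 bits.
	gpg --batch --pinentry-mode loopback --passphrase '' \
		--quick-gen-key "Boot Signing Self-Test" rsa2048 sign never 2>/dev/null || return 2
	gpg --export > "$work/boot.key"
	mkdir -p "$work/latest"
	printf 'constructed fake kernel image\n' > "$work/latest/vmlinuz"
	printf 'constructed fake initrd\n' > "$work/latest/initrd.img"
	gpg --batch --detach-sign "$work/latest/vmlinuz" || return 2
	gpg --batch --detach-sign "$work/latest/initrd.img" || return 2
	KEYRING="$work/boot.key"; LATEST="$work/latest"
	verify_latest || return 1                  # intact images must pass
	printf 'x' >> "$LATEST/vmlinuz"            # tamper after signing
	if verify_latest; then return 1; fi        # must now be rejected
	gpgconf --kill all 2>/dev/null; rm -rf "$work"; return 0
}
```

Run `verify_latest` from an initramfs or a recovery shell to check the live /boot/latest, or `selftest` on any machine with gpg and gpgv installed to see the good and tampered cases side by side.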