Signing boot files and modules with your own key
You can sign Linux boot files and kernel modules with your private keys.
Before you begin
About this task
Signing with your own key can be useful in certain scenarios, such as:
- Strict control of what Linux OS level is allowed to run in an LPAR or z/VM guest.
- Secure boot of custom-built Linux kernels, modules, and boot loaders.
Remember: Using your own signatures adds a constant maintenance effort, because signatures need to be refreshed whenever a binary file that needs to be signed is updated. This includes updates to the Linux kernel and to s390-tools.
The following sections demonstrate the basic procedure to manually sign Linux boot files and kernel modules. Additional aspects and security best practices outside the scope of this document must be followed for the resulting signatures to be considered secure.
At a minimum, ensure that all security updates are applied on the system used for signing, and that the private key is protected from unauthorized access, for example through encryption, or by storing it in hardware-protected key-management systems.