Gentoo 配置安全启动(以shim+grub为例)
2026/6/13大约 1 分钟
参考 make.conf
# --- Toolchain flags --------------------------------------------------------
# Warnings promoted to errors for every compile; because they are folded into
# COMMON_FLAGS they are also carried into LDFLAGS below.
WARNING_FLAGS="-Werror=odr -Werror=strict-aliasing"
# -march=raptorlake ties every binary to this CPU generation; -flto=thin is
# the clang/LLVM (ThinLTO) spelling of link-time optimisation.
COMMON_FLAGS="-march=raptorlake -O2 -pipe -flto=thin ${WARNING_FLAGS}"
CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
# NOTE(review): the Fortran flags reuse the clang-specific -flto=thin while no
# Fortran compiler is selected below — confirm the FC in use accepts it.
FCFLAGS="${COMMON_FLAGS}"
FFLAGS="${COMMON_FLAGS}"
# Prepend to, rather than replace, whatever LDFLAGS the profile already sets.
LDFLAGS="${COMMON_FLAGS} ${LDFLAGS}"
# LLVM toolchain: compilers plus the binutils replacements.
CC="clang"
CXX="clang++"
CPP="clang-cpp"
AR="llvm-ar"
NM="llvm-nm"
RANLIB="llvm-ranlib"
# Appended to the profile's RUSTFLAGS; -Clinker-plugin-lto is rustc's switch
# for linker-plugin (cross-language) LTO alongside the clang-built C/C++ code.
RUSTFLAGS="${RUSTFLAGS} -C target-cpu=raptorlake -Clinker-plugin-lto"
# 16 parallel jobs, throttled once the load average exceeds 18.
MAKEOPTS="-j16 -l18"
# Accept every license without prompting; stable amd64 keywords only.
ACCEPT_LICENSE="*"
ACCEPT_KEYWORDS="amd64"
# Appended to the inherited FEATURES; a leading '-' removes a feature from
# the inherited set (ebuild-locks, merge-wait).
FEATURES="${FEATURES} candy ccache parallel-fetch parallel-install -ebuild-locks -merge-wait"
EMERGE_DEFAULT_OPTS="--keep-going --with-bdeps=y"
# --- Signing keys -------------------------------------------------------------
# Optionally, to use custom signing keys.
# One PEM file holds both the private key and the certificate (it is created
# with `openssl req -x509 ... -out kernel_key.pem -keyout kernel_key.pem`),
# which is why the *_SIGN_CERT variables can point at the same file.
# NOTE(review): the private key sits under a dotfiles tree — if that directory
# is version-controlled or synced anywhere, the signing key travels with it;
# confirm it is excluded and stays root-only (chown root:root / chmod 400).
MODULES_SIGN_KEY="/home/yoimiya/dotfiles/gentoo-openrc-hyprland/kernel_key.pem"
MODULES_SIGN_CERT="/home/yoimiya/dotfiles/gentoo-openrc-hyprland/kernel_key.pem" # Only required if the MODULES_SIGN_KEY does not also contain the certificate.
MODULES_SIGN_HASH="sha512" # Defaults to sha512.
# Optionally, to boot with secureboot enabled, may be the same or different signing key.
# Same key/cert pair here: one MOK enrollment then covers modules and EFI images.
SECUREBOOT_SIGN_KEY="/home/yoimiya/dotfiles/gentoo-openrc-hyprland/kernel_key.pem"
SECUREBOOT_SIGN_CERT="/home/yoimiya/dotfiles/gentoo-openrc-hyprland/kernel_key.pem"
LC_MESSAGES=C.UTF-8
创建 key
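# Generate a self-signed certificate and its private key into ONE PEM file
# (kernel_key.pem) — the file make.conf's MODULES_SIGN_* and SECUREBOOT_SIGN_*
# variables point at. -nodes writes the private key unencrypted, so the file
# must never be readable by anyone but root.
# umask 077 makes the file private from the moment openssl creates it, so the
# chown/chmod that follow never race against a briefly world-readable key.
umask 077
# Certificate validity in days. `openssl req -x509` defaults to only 30 days
# when -days is omitted — far too short for a module/Secure Boot signing cert.
key_days=36500
openssl req -new -nodes -utf8 -sha256 -days "${key_days}" -x509 -outform PEM \
  -out kernel_key.pem -keyout kernel_key.pem
chown root:root kernel_key.pem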
chmod 400 kernel_key.pem
然后内核模块和 efi 文件都会自动签名
自己编译的内核 vmlinuz 需要手动签名
# sbsigntools provides sbsign, used below to sign a hand-built vmlinuz;
# -a is the short form of --ask.
emerge -a app-crypt/sbsigntools
sbsign /usr/src/linux-x.y.z/path/to/kernel-image --cert /path/to/kernel_key.pem --key /path/to/kernel_key.pem --output /usr/src/linux-x.y.z/path/to/kernel-image
配置 mok
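# Install shim, MokManager and the signed GRUB image on the ESP, enroll the
# signing certificate as a Machine Owner Key (MOK), and add a firmware boot
# entry that chain-loads GRUB through shim.
emerge sys-boot/grub sys-boot/shim sys-boot/mokutil sys-boot/efibootmgr

# ESP is mounted at /efi (matches the '\EFI\Gentoo\...' --loader path below).
esp_dir="/efi/EFI/Gentoo"
# The target directory is not created by any of the packages above.
mkdir -p -- "${esp_dir}"
# shimx64.efi / mmx64.efi come from sys-boot/shim; grub-x86_64.efi.signed is
# the GRUB image Portage signed automatically with SECUREBOOT_SIGN_KEY.
cp -- /usr/share/shim/BOOTX64.EFI "${esp_dir}/shimx64.efi"
cp -- /usr/share/shim/mmx64.efi "${esp_dir}/mmx64.efi"
cp -- /usr/lib/grub/grub-x86_64.efi.signed "${esp_dir}/grubx64.efi"

# Only the certificate (the public half) is exported to DER for enrollment;
# the private key stays in kernel_key.pem and is never copied to the ESP.
openssl x509 -in /path/to/kernel_key.pem -inform PEM -out /path/to/kernel_key.der -outform DER
# mokutil queues the request and asks for a one-time password; the enrollment
# is confirmed in MokManager (mmx64.efi) on the next boot.
mokutil --import /path/to/kernel_key.der
# Replace /dev/boot-disk and boot-partition-id with the ESP's disk and
# partition number.
efibootmgr --create --disk /dev/boot-disk --part boot-partition-id \
  --loader '\EFI\Gentoo\shimx64.efi' --label 'GRUB via Shim' --unicode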