I created secure boot keys and loaded them into firmware. I've signed shimx64.efi and can get into the OS with secure boot enabled. I've found that I will also need to sign grubx64.efi and the kernel. I've created MOK keys and signed the files. I've tried to import the keys using mokutil.
However, it seems that when I reboot, I'm not finishing the process. The moklist is empty. What am I doing wrong?
help adding to moklist and signing grub/kernel
Re: help adding to moklist and signing grub/kernel
You do know that CentOS is already secure boot capable without any of that?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: help adding to moklist and signing grub/kernel
Yes, but...
a) our customer is VERY security conscious.
b) they want to supply their own secure boot keys.
c) we don't think they would be very happy having only the first stage signed.
d) we think they are going to insist that grub and the kernel be signed and checked as well.
Re: help adding to moklist and signing grub/kernel
The kernel and all modules are already signed.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: help adding to moklist and signing grub/kernel
We did a test.
We created our own secure boot keys. We loaded them into the firmware and enabled secure boot.
The system tried to load a binary that was not in the database and did not boot.
We signed shimx64.efi with our key only. The system booted normally.
Our conclusion was that the system is NOT checking the second stage boot loader and kernel, because they were not signed with the new key.
From my investigation, because grub2 is open source, M$ will not sign it. Therefore, you need to use the MOK.
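The test post above infers from "it booted" that grub and the kernel are not being checked, while an earlier reply states that the kernel and modules already ship signed. Before concluding either way, look at what each binary actually carries: shim will happily load a grubx64.efi or vmlinuz that is signed by the distribution's own certificate (built into shim), by a cert in db, or by an enrolled MOK, so a successful boot says nothing about whether your MOK was used. The script below is an added example for this thread, not code from the CentOS project or from anyone in the thread. It parses the PE/COFF headers itself and lists the WIN_CERTIFICATE entries in the Certificate Table; the `build_test_pe` helper fabricates a header-only PE32+ image as constructed test input, it is not a real bootloader.

```python
"""Report whether a UEFI PE/COFF binary (shimx64.efi, grubx64.efi, vmlinuz)
carries an Authenticode signature, by walking its PE Certificate Table.

Stand-alone, no third-party modules. It only reports which WIN_CERTIFICATE
entries are embedded; it does not validate the signature chain. Use
`sbverify --cert <cert.pem> <file>` or `pesign -S -i <file>` for that.
"""
import struct
import sys

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # Certificate Table data directory
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def _certificate_table(data):
    """Return (file_offset, size) of the Certificate Table, or (0, 0) if absent."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_off + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32PLUS_MAGIC:
        count_off, dirs_off = opt + 108, opt + 112
    elif magic == PE32_MAGIC:
        count_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (ndirs,) = struct.unpack_from("<I", data, count_off)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + opt_size:
        raise ValueError("Certificate Table entry lies outside the optional header")
    # Unlike every other data directory, this "VirtualAddress" is a raw file offset.
    return struct.unpack_from("<II", data, entry)


def authenticode_certs(data):
    """List the WIN_CERTIFICATE entries embedded in a PE image (may be empty)."""
    off, size = _certificate_table(data)
    if size == 0:
        return []
    end = off + size
    if end > len(data):
        raise ValueError("Certificate Table extends past end of file")
    certs = []
    while off + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % off)
        certs.append({
            "offset": off,
            "length": length,
            "revision": revision,
            "type": ctype,
            "pkcs7_der": bytes(data[off + 8:off + length]),
        })
        off += (length + 7) & ~7          # entries are 8-byte aligned
    return certs


def is_signed(data):
    """True if at least one Authenticode (PKCS#7) entry is present."""
    return any(c["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA
               for c in authenticode_certs(data))


def build_test_pe(cert_blob=None):
    """Constructed sample input: a header-only PE32+ image, optionally carrying
    one WIN_CERTIFICATE that wraps `cert_blob`. Not a real or bootable binary."""
    pe_off = 0x40
    opt_size = 112 + 16 * 8                # PE32+ fixed part + 16 data directories
    headers_end = pe_off + 4 + 20 + opt_size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0002)
    dirs = [(0, 0)] * 16
    body = b""
    if cert_blob is not None:
        body = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        body += b"\0" * (-len(body) % 8)
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_end, len(body))
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 106 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", addr, sz) for addr, sz in dirs)
    return dos + coff + opt + body


if __name__ == "__main__":
    # Usage: python3 pe_sig_check.py /boot/efi/EFI/centos/grubx64.efi /boot/vmlinuz-*
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            certs = authenticode_certs(f.read())
        if not certs:
            print("%s: NO embedded signature" % path)
        for c in certs:
            print("%s: WIN_CERTIFICATE type=0x%04x rev=0x%04x, %d bytes of PKCS#7"
                  % (path, c["type"], c["revision"], len(c["pkcs7_der"])))
```

Run it against the installed grubx64.efi and vmlinuz before and after you re-sign them with `sbsign`; a file that has been signed twice will show two type 0x0002 entries, which is what you want to see if the distribution signature is kept alongside your MOK signature. To tell which certificate signed each entry, feed the file to `sbverify --list` or `pesign -S -i`. For the enrolment half of the problem, `mokutil --list-new` run after `mokutil --import` and before rebooting shows whether the enrolment request was actually queued; if that is empty, MokManager has nothing to enrol on the next boot and the MOK list will stay empty no matter what you sign.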
Re: help adding to moklist and signing grub/kernel
As replied in your other post, it is likely that you were hit by CentOS bug #14050. Hopefully this will be taken care of with the next point release 7.5.
CentOS Forum FAQ