help adding to moklist and signing grub/kernel

chassap1
Posts: 24
Joined: 2017/10/24 14:23:59

help adding to moklist and signing grub/kernel

Post by chassap1 » 2018/03/26 21:39:10

I created secure boot keys and loaded them into firmware. I've signed shimx64.efi and can get into the OS with secure boot enabled. I've found that I will also need to sign grubx64.efi and the kernel. I've created MOK keys and signed the files. I've tried to import the keys using mokutil.

However, it seems that when I reboot, I'm not finishing the process. The moklist is empty. What am I doing wrong?
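
The workflow the post describes, written out as an added example (this is not the poster's script and not a CentOS tool): generate a Machine Owner Key, sign grubx64.efi and the kernel with it, queue the certificate with `mokutil --import`, and after the MokManager reboot check that the fingerprint really landed in the enrolled list, which is exactly the check that tells you whether the enrollment finished. It assumes `openssl`, `mokutil` and `sbsign`/`sbverify` (from sbsigntools) are installed; the file names `MOK.priv`, `MOK.pem`, `MOK.der` and the `/boot/efi/EFI/centos/...` paths in the usage line are illustrative.

```shell
#!/bin/sh
# Added example (not from the forum post): MOK workflow for self-signing
# grub and the kernel behind shim, plus a post-reboot enrollment check.
# Assumptions: openssl, sbsign/sbverify (sbsigntools) and mokutil exist;
# MOK.priv / MOK.pem / MOK.der are illustrative file names.
set -u

MOK_KEY=${MOK_KEY:-MOK.priv}
MOK_CRT=${MOK_CRT:-MOK.pem}
MOK_DER=${MOK_DER:-MOK.der}

# 1. Create the key pair once. Keep MOK.priv off the machine after signing;
#    only the certificate needs to be enrolled in the firmware's MokList.
make_mok_key() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example MOK/" -keyout "$MOK_KEY" -out "$MOK_CRT"
    # mokutil --import wants the certificate in DER form
    openssl x509 -in "$MOK_CRT" -outform DER -out "$MOK_DER"
}

# Show who currently signs a PE binary (shim, grubx64.efi, vmlinuz-*).
inspect_efi() {
    sbverify --list "$1"
}

# 2. Sign a PE binary, verify the new signature, then replace the original.
#    Note: a kernel or grub package update overwrites the file; re-sign after.
sign_efi() {
    f=$1
    sbsign --key "$MOK_KEY" --cert "$MOK_CRT" --output "$f.signed" "$f" &&
    sbverify --cert "$MOK_CRT" "$f.signed" &&
    mv "$f.signed" "$f"
}

# 3. Queue the certificate. mokutil asks for a one-time password; on the next
#    boot shim launches MokManager, which asks for that password and enrolls.
#    Until MokManager completes, the request sits in the "new" list.
enroll_mok() {
    mokutil --import "$MOK_DER"
    echo "Pending enrollment requests (should be empty after a good reboot):"
    mokutil --list-new
}

# Pure-shell helper: read a `mokutil --list-enrolled` listing on stdin and
# succeed only if the given SHA1 fingerprint appears in it (case-insensitive).
fp_enrolled() {
    want=$1
    grep -qi "^SHA1 Fingerprint: *$want *\$"
}

# 4. After the reboot: is our certificate actually in the enrolled MokList?
check_mok() {
    fp=$(openssl x509 -in "$MOK_CRT" -noout -fingerprint -sha1 | sed 's/^.*=//')
    if mokutil --list-enrolled | fp_enrolled "$fp"; then
        echo "MOK $fp is enrolled; Secure Boot state:"
        mokutil --sb-state
    else
        echo "MOK $fp is NOT enrolled. Still pending:" >&2
        mokutil --list-new >&2
        return 1
    fi
}

# Dispatcher. Illustrative usage on CentOS 7:
#   ./mok.sh keygen
#   ./mok.sh sign /boot/efi/EFI/centos/grubx64.efi /boot/vmlinuz-3.10.0-*.x86_64
#   ./mok.sh enroll    # then reboot and walk through MokManager
#   ./mok.sh check
case "${1:-}" in
    keygen)  make_mok_key ;;
    inspect) shift; for f in "$@"; do inspect_efi "$f"; done ;;
    sign)    shift; for f in "$@"; do sign_efi "$f"; done ;;
    enroll)  enroll_mok ;;
    check)   check_mok ;;
    *)       echo "usage: $0 keygen | inspect FILE... | sign FILE... | enroll | check" ;;
esac
```

If `check` fails while `mokutil --list-new` still shows the request, MokManager never completed the enrollment (it was skipped, timed out, or the password was wrong), so the request must be re-imported and the reboot repeated. If `--list-new` is empty and the key is still not enrolled, the request was consumed without being accepted, and the shim/MokManager pair being booted is the place to look.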

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: help adding to moklist and signing grub/kernel

Post by TrevorH » 2018/03/26 22:36:17

You do know that CentOS is already secure boot capable without any of that?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

chassap1
Posts: 24
Joined: 2017/10/24 14:23:59

Re: help adding to moklist and signing grub/kernel

Post by chassap1 » 2018/03/27 12:37:58

Yes, but...
a) our customer is VERY security conscious.
b) they want to supply their own secure boot keys.
c) we don't think they would be very happy having only the first stage signed.
d) we think they are going to insist that grub and the kernel be signed and checked as well.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: help adding to moklist and signing grub/kernel

Post by TrevorH » 2018/03/27 12:45:47

The kernel and all modules are already signed.

chassap1
Posts: 24
Joined: 2017/10/24 14:23:59

Re: help adding to moklist and signing grub/kernel

Post by chassap1 » 2018/03/27 13:46:06

We did a test.

We created our own secure boot keys. We loaded them into the firmware and enabled secure boot.

The system tried to load a binary that was not in the database and did not boot.

We signed shimx64.efi with our key only. The system booted normally.

Our conclusion was that the system is NOT checking the second stage boot loader and kernel because they were not signed with the new key.

From my investigation, because grub2 is open source, M$ will not sign it. Therefore, you need to use the MOK.

toracat
Site Admin
Posts: 7518
Joined: 2006/09/03 16:37:24
Location: California, US

Re: help adding to moklist and signing grub/kernel

Post by toracat » 2018/03/27 22:01:37

As replied in your other post, it is likely that you were hit by CentOS bug #14050. Hopefully this will be taken care of with the next point release 7.5.
CentOS Forum FAQ
