help adding to moklist and signing grub/kernel

chassap1
Posts: 13
Joined: 2017/10/24 14:23:59

help adding to moklist and signing grub/kernel

Postby chassap1 » 2018/03/26 21:39:10

I created secure boot keys and loaded them into firmware. I've signed shimx64.efi and can get into the OS with secure boot enabled. I've found that I will also need to sign grubx64.efi and the kernel. I've created MOK keys and signed the files. I've tried to import the keys using mokutil.

However, it seems that when I reboot I'm not finishing the process. The MOK list is empty. What am I doing wrong?
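Enrolment is a two-step process: `mokutil --import MOK.der` only queues the certificate (it lands in the MokNew variable, which `mokutil --list-new` shows), and MokManager then asks on the next boot to enroll it with the password you gave; only after that does shim put it into MokList and mirror it into the runtime variable MokListRT, which is what `mokutil --list-enrolled` reads. A quick way to see what shim actually published is to parse MokListRT yourself. The script below is an added example, not code from this thread or from shim/mokutil; it assumes efivarfs is mounted at /sys/firmware/efi/efivars and reads the variable as a chain of EFI_SIGNATURE_LIST structures (the same format as db/dbx). The sample data used when the variable is absent is constructed, not a real certificate.

```python
"""Inspect the MOK list shim publishes at runtime (MokListRT).

Added example, not code from the thread. MokListRT is the read-only mirror of
MokList that shim creates at boot; it holds one or more EFI_SIGNATURE_LIST
structures. On a CentOS shim it also carries shim's built-in vendor
certificate, so a single entry that is not yours means nothing was enrolled.
"""
import hashlib
import os
import struct
import sys
import uuid
from typing import List, NamedTuple

# efivarfs exposes each variable as NAME-GUID; the first 4 bytes are attributes.
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"
MOKLIST_RT_PATH = f"/sys/firmware/efi/efivars/MokListRT-{SHIM_LOCK_GUID}"

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (little-endian, 28 bytes).
SIGLIST_HDR = struct.Struct("<16sIII")


class MokEntry(NamedTuple):
    sig_type: uuid.UUID   # EFI_CERT_X509_GUID, EFI_CERT_SHA256_GUID, ...
    owner: uuid.UUID      # SignatureOwner GUID
    data: bytes           # DER certificate or raw hash


def parse_signature_lists(blob: bytes) -> List[MokEntry]:
    """Walk a chain of EFI_SIGNATURE_LISTs and return every EFI_SIGNATURE_DATA."""
    entries: List[MokEntry] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = blob[off + SIGLIST_HDR.size + hdr_size: off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)   # GUIDs are stored mixed-endian
        for i in range(0, len(body), sig_size):
            sig = body[i:i + sig_size]              # 16-byte owner GUID + payload
            entries.append(MokEntry(sig_type, uuid.UUID(bytes_le=sig[:16]), sig[16:]))
        off += list_size
    return entries


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: List[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST (every entry in a list has the same size)."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("entries in one EFI_SIGNATURE_LIST must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + p for p in payloads)
    return SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(body), 0, sig_size) + body


def sha1_fingerprint(der: bytes) -> str:
    """Same form as `openssl x509 -inform DER -in MOK.der -noout -fingerprint -sha1`."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def is_enrolled(entries: List[MokEntry], der: bytes) -> bool:
    """True if this exact DER certificate is present as an X.509 entry."""
    return any(e.sig_type == EFI_CERT_X509_GUID and e.data == der for e in entries)


def read_efivar(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()[4:]   # drop the 4-byte attribute word efivarfs prepends


if __name__ == "__main__":
    # Optional argument: your MOK.der, to check whether it made it into the list.
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else None
    if os.path.exists(MOKLIST_RT_PATH):
        entries = parse_signature_lists(read_efivar(MOKLIST_RT_PATH))
    else:
        print("MokListRT not present; parsing a constructed sample instead")
        sample_owner = uuid.UUID("11111111-2222-3333-4444-555555555555")
        entries = parse_signature_lists(
            build_signature_list(EFI_CERT_X509_GUID, sample_owner, [b"\x30\x82constructed-der"]))
    print(f"{len(entries)} entries in MokListRT")
    for e in entries:
        kind = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}.get(e.sig_type, str(e.sig_type))
        print(f"  {kind:7} owner={e.owner} sha1={sha1_fingerprint(e.data)}")
    if der is not None:
        print("enrolled" if is_enrolled(entries, der) else "NOT enrolled")
```

Run it as `python3 moklist.py MOK.der` (root is needed to read efivars) and compare the SHA-1 fingerprints it prints with the one `mokutil --list-enrolled` shows. If only the vendor certificate appears and `mokutil --list-new` still lists your key, the MokManager step at boot was skipped or the password did not match; re-run `mokutil --import` and choose "Enroll MOK" in the blue MokManager screen on the next boot.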

TrevorH
Forum Moderator
Posts: 22330
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: help adding to moklist and signing grub/kernel

Postby TrevorH » 2018/03/26 22:36:17

You do know that CentOS is already secure boot capable without any of that?
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

chassap1
Posts: 13
Joined: 2017/10/24 14:23:59

Re: help adding to moklist and signing grub/kernel

Postby chassap1 » 2018/03/27 12:37:58

Yes, but...
a) our customer is VERY security conscious.
b) they want to supply their own secure boot keys.
c) we don't think they would be very happy having only the first stage signed.
d) we think they are going to insist that grub and the kernel be signed and checked as well.

TrevorH
Forum Moderator
Posts: 22330
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: help adding to moklist and signing grub/kernel

Postby TrevorH » 2018/03/27 12:45:47

The kernel and all modules are already signed.

chassap1
Posts: 13
Joined: 2017/10/24 14:23:59

Re: help adding to moklist and signing grub/kernel

Postby chassap1 » 2018/03/27 13:46:06

We did a test.

We created our own secure boot keys. We loaded them into the firmware and enabled secure boot.

The system tried to load a binary that was not in the database and did not boot.

We signed shimx64.efi with our key only. The system booted normally.

Our conclusion was that the system is NOT checking the second stage boot loader and kernel, because they were not signed with the new key.

From my investigation, because grub2 is open source, M$ will not sign it. Therefore, you need to use the MOK.
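Whether grubx64.efi and the kernel image carry signatures, and how many, can be read straight from the files: shim verifies the next stage against db, MokList and its built-in vendor certificate, and the signatures it looks for are Authenticode PKCS#7 blobs stored in the PE certificate table. The script below is an added example, not code from this thread or from CentOS; it parses that table on x86_64 PE32+ images (shimx64.efi, grubx64.efi, and an EFI-stub vmlinuz) and reports what is embedded. It only reports presence and count of signers; it does not validate anything. A kernel signed by the distro and additionally by your MOK with `sbsign --key MOK.priv --cert MOK.pem` shows two entries, and `sbverify --cert MOK.pem <file>` or `pesign -S -i <file>` is what checks a signature against a certificate. The PE image built in the sample is constructed and non-bootable.

```python
"""Does an EFI binary carry an Authenticode signature at all?

Added example, not from the thread. Authenticode signatures live in the
certificate table that the Security data directory (index 4) points at;
unlike other directories its "VirtualAddress" is a raw file offset.
"""
import struct
import sys
from typing import List, NamedTuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200
OPT_MAGIC_PE32, OPT_MAGIC_PE32PLUS = 0x10B, 0x20B


class WinCert(NamedTuple):
    revision: int
    cert_type: int
    pkcs7: bytes      # DER PKCS#7 SignedData; a second signer is another entry


def authenticode_signatures(pe: bytes) -> List[WinCert]:
    """Return every WIN_CERTIFICATE in the image's certificate table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE/EFI image (missing MZ stub)")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_opt,) = struct.unpack_from("<H", pe, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == OPT_MAGIC_PE32:
        ndirs_off, dirs_off = 92, 96
    elif magic == OPT_MAGIC_PE32PLUS:
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (ndirs,) = struct.unpack_from("<I", pe, opt + ndirs_off)    # NumberOfRvaAndSizes
    sec_dir = opt + dirs_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or sec_dir + 8 > opt + size_of_opt:
        return []                      # image has no security directory at all
    table_off, table_size = struct.unpack_from("<II", pe, sec_dir)
    if table_off == 0 or table_size == 0:
        return []
    if table_off + table_size > len(pe):
        raise ValueError("certificate table extends past end of file")
    table = pe[table_off:table_off + table_size]
    certs: List[WinCert] = []
    pos = 0
    while pos + 8 <= len(table):
        length, revision, cert_type = struct.unpack_from("<IHH", table, pos)
        if length < 8 or pos + length > len(table):
            raise ValueError(f"bad WIN_CERTIFICATE length {length} at {pos}")
        certs.append(WinCert(revision, cert_type, table[pos + 8:pos + length]))
        pos += (length + 7) & ~7       # entries are 8-byte aligned
    return certs


def build_pe32plus(pkcs7_blobs: List[bytes]) -> bytes:
    """Construct a minimal, non-bootable PE32+ carrying the given signature blobs."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x86-64, 240-byte opt hdr
    table = b""
    for blob in pkcs7_blobs:
        entry = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    headers_len = 64 + 4 + 20 + 240
    dirs = [(0, 0)] * 16
    if table:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_len, len(table))
    opt = (struct.pack("<H", OPT_MAGIC_PE32PLUS) + b"\0" * 106
           + struct.pack("<I", 16) + b"".join(struct.pack("<II", *d) for d in dirs))
    return dos + b"PE\0\0" + coff + opt + table


def describe(pe: bytes) -> str:
    certs = authenticode_signatures(pe)
    if not certs:
        return "UNSIGNED (no certificate table)"
    n = sum(1 for c in certs if c.cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return f"signed: {n} Authenticode PKCS#7 signature(s), {len(certs)} certificate table entries"


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(f"{path}: {describe(f.read())}")
    if len(sys.argv) == 1:
        # Constructed sample: a fake PKCS#7 body, not a real signature.
        print("constructed:", describe(build_pe32plus([b"\x30\x82fake-signed-data"])))
```

Typical use: `python3 pesigs.py /boot/efi/EFI/centos/shimx64.efi /boot/efi/EFI/centos/grubx64.efi /boot/vmlinuz-$(uname -r)`. A result of "UNSIGNED" on grubx64.efi or vmlinuz after you ran sbsign means you signed a copy and did not install it; two entries on a file you signed once means sbsign appended your signature to the distribution's rather than replacing it, which is the normal result and is fine for shim.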

toracat
Forum Moderator
Posts: 7252
Joined: 2006/09/03 16:37:24
Location: California, US

Re: help adding to moklist and signing grub/kernel

Postby toracat » 2018/03/27 22:01:37

As replied in your other post, it is likely that you were hit by CentOS bug #14050. Hopefully this will be taken care of in the next point release, 7.5.
CentOS Forum FAQ