(Custom) Secure Boot for CentOS 9 Stream
Posted: 2023/10/24 22:41:45
Dear CentOS Forum,
I am attempting to set up CentOS Stream 9 with secure boot on my laptop. I am failing terribly with this. These are the 2 situations I am dealing with. I am hoping that someone here can help me or point me to a valuable tutorial to solve this problem.
Situation 1: I am using a USB stick to install CentOS Stream 9 on my new laptop. I cannot get the install to start due to a secure boot error. I have dd'ed the image several times and verified the image with the information from the official website. It just does not work. I am using the latest official image from the website. I can install Windows 11 without any secure boot errors. As far as my research goes, CentOS and Secure Boot should not be an issue. (Is this different for Stream?) Although I could find some other people with the same problem without a solution, there doesn't seem to be a solution for this on the internet except for accepting that some systems just do not seem to support secure boot with CentOS.
Situation 2: I have now installed CentOS Stream 9 Minimal Install, while disabling secure boot. Now I am attempting to sign my system with a custom key, as my factory keys do not seem to work with this installation. I followed this tutorial for RHEL: https://access.redhat.com/documentation ... the-kernel Everything worked except for the secure boot. I am still running into the secure boot error at boot. My key is imported and my kernel, modules and EFI files should all be signed with my key. I signed BOOTX64 and shimx64.efi, which is supposed to be loaded according to bootctl. I also signed some others, but cannot get it to work.
I am pretty hopeless now to get my CentOS Stream 9 system to work with Secure Boot. I am suspecting that I might also have to sign initramfs, which is not further described in the above tutorial. I could not find any information on how to do this, as pesign does not work on initramfs and sbsigntools are not available for CentOS. There is one tutorial signing the initramfs with gpg, but the tutorial does not provide information on how to generate the gpg keys and how to import them into EFI.
Has anyone here achieved this before? Could someone please help me or point me in the right direction?
With kind regards,
Mark Sch