5.9. Using a Beta Release with UEFI Secure Boot

Note

This section only concerns Beta releases of Red Hat Enterprise Linux 7.
The UEFI Secure Boot technology requires that the operating system kernel must be signed with a recognized private key in order to be able to boot. In every beta release of Red Hat Enterprise Linux 7, the kernel is signed with a Red Hat Beta-specific private key, which is different from the more common Red Hat key used to sign kernels in a General Availability (non-Beta) releases.
The Beta private key will likely not be recognized by your hardware, which means that any Beta release of Red Hat Enterprise Linux 7 will not be able to boot. In order to use a Beta release with UEFI Secure Boot enabled, you need to add the Red Hat Beta public key to your system using the Machine Owner Key (MOK) facility.
The procedure to add the Red Hat Beta key to your system is below.

Procedure 5.1. Adding a Custom Private Key for UEFI Secure Boot

  1. First, disable UEFI Secure Boot on the system, and install Red Hat Enterprise Linux 7 normally. The installation will not be able to proceed with Secure Boot enabled.
  2. After the installation finishes, the system will reboot. Secure Boot should still be disabled at this point. Reboot the system, log in and, if applicable, go through the Initial Setup screens as described in Chapter 29, Initial Setup.
  3. Open a terminal and log in as root. Then, execute the following command:
    # mokutil --import /lib/modules/$(uname -r)/kernel-signing-ca.cer
    Enter a password of your choosing when prompted.

    Note

    Make sure to remember the password. It will be required to finish this procedure as well as to remove the imported key when it is no longer needed.
  4. Reboot the system again, and enable UEFI Secure Boot. Then, continue with the boot process; before the system starts, you will be prompted to confirm that you want to complete the pending key enrollment request. Select yes, and provide the password which you set earlier using the mokutil command.
After finishing this procedure, the Red Hat Beta key will be added to your system. Any subsequent installations of Red Hat Enterprise Linux 7 Beta will not require you to perform this procedure again unless you manually remove the key.

Warning

Remove the imported Beta public key when you no longer need it.
If you install a final (General Availability) release of Red Hat Enterprise Linux 7, or when you install a different operating system, you should remove the imported key. If you have only imported this public key, you can use the following command to reset the MOK:
# mokutil --reset
After the next reboot, you will be prompted for a confirmation and the password you created when importing the key. The key will be removed from the MOK after providing the correct password, and the system will revert to its original state.