Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

5.9. Using a Beta Release with UEFI Secure Boot


This section only concerns Beta releases of Red Hat Enterprise Linux 7.
The UEFI Secure Boot technology requires that the operating system kernel must be signed with a recognized private key in order to be able to boot. In every beta release of Red Hat Enterprise Linux 7, the kernel is signed with a Red Hat Beta-specific private key, which is different from the more common Red Hat key used to sign kernels in a General Availability (non-Beta) releases.
The Beta private key will likely not be recognized by your hardware, which means that any Beta release of Red Hat Enterprise Linux 7 will not be able to boot. In order to use a Beta release with UEFI Secure Boot enabled, you need to add the Red Hat Beta public key to your system using the Machine Owner Key (MOK) facility.
The procedure to add the Red Hat Beta key to your system is below.

Procedure 5.1. Adding a Custom Private Key for UEFI Secure Boot

  1. First, disable UEFI Secure Boot on the system, and install Red Hat Enterprise Linux 7 normally.
  2. After the installation finishes, the system will reboot. Secure Boot should still be disabled at this point. Reboot the system, log in and, if applicable, go through the Initial Setup screens as described in Chapter 30, Initial Setup.
  3. After finishing the first boot and going through Initial Setup, install the kernel-doc package if not installed already:
    # yum install kernel-doc
    This package provides a certificate file which contains the Red Hat CA public Beta key, located in /usr/share/doc/kernel-keys/kernel-version/kernel-signing-ca.cer, where kernel-version is the kernel version string without the platform architecture suffix - for example, 3.10.0-686.el7.
  4. Execute the following commands to enroll the public key into the system Machine Owner Key (MOK) list:
    # kr=$(uname -r)
    # mokutil --import /usr/share/doc/kernel-keys/${kr%.$(uname -p)}/kernel-signing-ca.cer
    Enter a password of your choosing when prompted.


    Make sure to remember the password. It is required to finish this procedure as well as to remove the imported key when it is no longer needed.
  5. Reboot the system again. During startup you will be prompted to confirm that you want to complete the pending key enrollment request. Select yes, and provide the password which you set earlier using the mokutil command in the previous step. The system will reboot again after you do so, and the key will be imported into the system firmware. You can turn on Secure Boot on this or any subsequent reboot.


Remove the imported Beta public key when you no longer need it.
If you install a final (General Availability) release of Red Hat Enterprise Linux 7, or when you install a different operating system, you should remove the imported key. If you have only imported this public key, you can use the following command to reset the MOK:
# mokutil --reset
After the next reboot, the firmware will prompt you for a confirmation and the password you created when importing the key. The key will be removed from the MOK after providing the correct password, and the system will revert to its original state.