Chapter 44. Booting a system with UEFI Secure Boot

To enhance the security of your operating system, use the UEFI Secure Boot feature for signature verification when booting a Red Hat Enterprise Linux release on systems having UEFI Secure Boot enabled.

44.1. UEFI Secure Boot and RHEL releases

UEFI Secure Boot requires that the operating system kernel be signed with a recognized private key. UEFI Secure Boot then verifies the signature using the corresponding public key.

A custom key can be added to the system using the Machine Owner Key (MOK) facility.

44.2. Adding a custom public key for UEFI Secure Boot

This section describes how to add an existing custom public key to the Machine Owner Key (MOK) list so that UEFI Secure Boot recognizes it.

Prerequisites

  • UEFI Secure Boot is disabled on the system.
  • You are logged in to the system, and the tasks in the Initial Setup window are complete.

Procedure

  1. Generate a public key and store it on a local drive, for example as my_signing_key_pub.der.
  2. Enroll the Red Hat custom public key in the system’s Machine Owner Key (MOK) list:

    # mokutil --import my_signing_key_pub.der
  3. Enter a password when prompted.
  4. Reboot the system and press any key to continue the startup. The Shim UEFI key management utility starts during the system startup.
  5. Select Enroll MOK.
  6. Select Continue.
  7. Select Yes and enter the password.

    The key is imported into the system’s firmware.

  8. Select Reboot.
  9. Enable Secure Boot on the system.

44.3. Removing a custom public key

This procedure describes how to remove a custom public key from the Machine Owner Key (MOK) list.

Procedure

  1. Remove the Red Hat custom public key from the system’s Machine Owner Key (MOK) list:

    # mokutil --reset
  2. Enter a password when prompted.
  3. Reboot the system and press any key to continue the startup. The Shim UEFI key management utility starts during the system startup.
  4. Select Reset MOK.
  5. Select Continue.
  6. Select Yes and enter the password that you specified in step 2. The key is removed from the system’s firmware.
  7. Select Reboot.
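As an added example that is not part of the Red Hat documentation, the following script carries out the command-line halves of both procedures above (key generation and mokutil --import from Section 44.2, mokutil --reset from Section 44.3) and adds the checks a practitioner wants before and after the reboot: that the file being imported really is a DER certificate rather than the PEM file or the private key, what mokutil --list-new reports while enrollment is pending, and what mokutil --list-enrolled and mokutil --sb-state report afterwards. The key directory, file names, certificate subject and the script's subcommand names are assumptions; the steps that happen inside the firmware (the MokManager prompts and enabling Secure Boot) cannot be scripted and still follow the numbered steps.

```shell
#!/bin/bash
# Added example, not from the Red Hat documentation: create the key pair
# behind "my_signing_key_pub.der", stage its MOK enrollment (Section 44.2)
# and stage a MOK reset (Section 44.3). KEY_DIR, the file names and the
# certificate subject are assumptions. Run the mokutil steps as root.
set -eu

KEY_DIR="${KEY_DIR:-${HOME:-/root}/mok-keys}"

# Step 1 of 44.2: generate an RSA key pair and a self-signed X.509
# certificate, then convert the certificate to DER, the form that
# mokutil --import expects. Only the .der file is ever given to the
# firmware; the private key stays in KEY_DIR with restrictive permissions.
generate_key_pair() {
    mkdir -p "$KEY_DIR"
    chmod 700 "$KEY_DIR"
    openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
        -subj "/CN=Example MOK signing key" \
        -keyout "$KEY_DIR/my_signing_key.priv" \
        -out "$KEY_DIR/my_signing_key_pub.pem" 2>/dev/null
    chmod 600 "$KEY_DIR/my_signing_key.priv"
    openssl x509 -in "$KEY_DIR/my_signing_key_pub.pem" \
        -outform DER -out "$KEY_DIR/my_signing_key_pub.der"
}

# Return 0 only if the file parses as a DER-encoded X.509 certificate.
# Checking this before mokutil --import catches the common mistake of
# pointing it at the PEM file or at the private key.
is_der_cert() {
    openssl x509 -inform DER -in "$1" -noout >/dev/null 2>&1
}

# Interpret a line of `mokutil --sb-state` output: return 0 when Secure
# Boot is reported enabled, 1 otherwise (disabled, or not a UEFI system).
sb_state_enabled() {
    case "$1" in
        *"SecureBoot enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2 of 44.2: queue the certificate for enrollment. mokutil asks for the
# one-time password that MokManager requests again after the reboot (step 7).
stage_enrollment() {
    is_der_cert "$KEY_DIR/my_signing_key_pub.der" || {
        echo "not a DER certificate: $KEY_DIR/my_signing_key_pub.der" >&2
        return 1
    }
    mokutil --import "$KEY_DIR/my_signing_key_pub.der"
    # The key is only pending here: it appears under --list-new and moves
    # to --list-enrolled once steps 4-8 are completed in MokManager.
    mokutil --list-new
}

# Step 1 of 44.3: queue removal of the MOK entries. The request takes
# effect only after the reboot and the "Reset MOK" confirmation.
stage_reset() {
    mokutil --reset
}

# After the reboot in either procedure: confirm what the firmware holds.
show_enrolled() {
    mokutil --list-enrolled
    mokutil --sb-state
}

case "${1:-}" in
    generate) generate_key_pair ;;
    enroll)   stage_enrollment ;;
    reset)    stage_reset ;;
    verify)   show_enrolled ;;
    *) echo "usage: $0 {generate|enroll|reset|verify}" >&2 ;;
esac
```

Run `./mok-keys.sh generate` and `./mok-keys.sh enroll` before the reboot of Section 44.2, complete steps 4 to 9 in MokManager and the firmware setup, then `./mok-keys.sh verify` to confirm that the key is listed as enrolled and that Secure Boot reports enabled; `./mok-keys.sh reset` stages the removal of Section 44.3 in the same way.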