Chapter 8. Preparing a system with UEFI Secure Boot enabled to install and boot RHEL beta releases


To enhance the security of your operating system, use the UEFI Secure Boot feature for signature verification when booting a Red Hat Enterprise Linux Beta release on systems having UEFI Secure Boot enabled.

8.1. UEFI Secure Boot and RHEL Beta releases

UEFI Secure Boot requires that the operating system kernel is signed with a recognized private key. UEFI Secure Boot then verifies the signature using the corresponding public key.

For Red Hat Enterprise Linux Beta releases, the kernel is signed with a Red Hat Beta-specific private key. UEFI Secure Boot attempts to verify the signature using the corresponding public key, but because the hardware does not recognize the Beta private key, Red Hat Enterprise Linux Beta release system fails to boot. Therefore, to use UEFI Secure Boot with a Beta release, add the Red Hat Beta public key to your system using the Machine Owner Key (MOK) facility.

8.2. Adding a Beta public key for UEFI Secure Boot

This section contains information about how to add a Red Hat Enterprise Linux Beta public key for UEFI Secure Boot.

Prerequisites

  • The UEFI Secure Boot is disabled on the system.
  • The Red Hat Enterprise Linux Beta release is installed, and Secure Boot is disabled even after system reboot.
  • You are logged in to the system, and the tasks in the Initial Setup window are complete.

Procedure

  1. Begin to enroll the Red Hat Beta public key in the system’s Machine Owner Key (MOK) list:

    # mokutil --import /usr/share/doc/kernel-keys/$(uname -r)/kernel-signing-ca.cer

    $(uname -r) is replaced by the kernel version - for example, 4.18.0-80.el8.x86_64.

  2. Enter a password when prompted.
  3. Reboot the system and press any key to continue the startup. The Shim UEFI key management utility starts during the system startup.
  4. Select Enroll MOK.
  5. Select Continue.
  6. Select Yes and enter the password. The key is imported into the system’s firmware.
  7. Select Reboot.
  8. Enable Secure Boot on the system.

8.3. Removing a Beta public key

If you plan to remove the Red Hat Enterprise Linux Beta release, and install a Red Hat Enterprise Linux General Availability (GA) release, or a different operating system, then remove the Beta public key.

The procedure describes how to remove a Beta public key.

Procedure

  1. Begin to remove the Red Hat Beta public key from the system’s Machine Owner Key (MOK) list:

    # mokutil --reset
  2. Enter a password when prompted.
  3. Reboot the system and press any key to continue the startup. The Shim UEFI key management utility starts during the system startup.
  4. Select Reset MOK.
  5. Select Continue.
  6. Select Yes and enter the password that you had specified in step 2. The key is removed from the system’s firmware.
  7. Select Reboot.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.