In order to use ELRepo's kernel modules (kmod packages) on a system with Secure Boot enabled, system administrators must import the ELRepo Secure Boot public key into their Machine Owner Key (MOK) list. This page explains how this is done. Please note that ELRepo's kernel packages (kernel-ml and kernel-lt) are not signed with the Secure Boot key.

Import the ELRepo key.

If you have installed the elrepo-release package as shown on our HomePage, the secureboot key will be found as /etc/pki/elrepo/ . Or you can download it directly from our site:

wget (external link)

With the key in place, install it by following these steps:
[root@home]# mokutil --import /etc/pki/elrepo/
input password:
input password again:

When prompted, enter a password of your choice. This password will be used when enrolling the key into the MOK list.

Reboot the system.

Upon rebooting, the "Shim UEFI key management" screen appears. Press any key withing 10 seconds to proceed.

Enroll the key.

Select Enroll MOK.
Select View key 0.
ELRepo's Secure Boot Key information is displayed.

Serial Number: 0xe9d471cfb4fe136c

SHA1 Fingerprint: e1:21:a2:f6:07:2e:f2:94:de:20:0e:6b:5d:1b:49:c0:65:dc:e3:e7

Press the Esc key when you are finished.
Select Continue.
Enter the password you used for importing the key.
It will ask "Enrol the key(s)?". Select Yes.

Press a key to reboot system. The key is now enrolled.

Useful commands.

[root@home]# mokutil --sb-state
[root@home]# mokutil --list-enrolled
[root@home]# keyctl list %:.system_keyring

Removing the ELRepo key.

If you wish to remove the ELRepo key from the MOK list, follow the instructions below.

[root@home]# mokutil --delete /etc/pki/elrepo/
[root@home]# mokutil --list-delete (to check the key to be deleted)
Reboot the system and go through the MOK management process to complete the deletion from the MOK list.

Page last modified on Friday 22 of April, 2016 13:03:12 MDT