====== SecureBootKey ======

In order to use ELRepo's kernel modules (kmod packages) on a system with Secure Boot enabled, system administrators must import the ELRepo Secure Boot public key into their Machine Owner Key (MOK) list. This page explains how this is done.

Please note that ELRepo's kernel packages (kernel-ml and kernel-lt) are not signed with the Secure Boot key.

===== Import the ELRepo key =====

If you have installed the elrepo-release package as shown on our HomePage, the Secure Boot key will be found as /etc/pki/elrepo/SECURE-BOOT-KEY-elrepo.org.der. Alternatively, you can download it directly from our site:

  wget https://elrepo.org/SECURE-BOOT-KEY-elrepo.org.der

With the key in place, install it by following these steps:

  [root@home]# mokutil --import /etc/pki/elrepo/SECURE-BOOT-KEY-elrepo.org.der
  input password:
  input password again:

When prompted, enter a password of your choice. This password will be used when enrolling the key into the MOK list.

[Note: if you get "Failed to enroll new keys", be sure to enable SecureBoot. See this [[https://access.redhat.com/solutions/2278861|Red Hat solution article]] for details.]

===== Reboot the system =====

Upon rebooting, the "**Shim UEFI key management**" screen appears. ''Press any key'' within 10 seconds to proceed.

[Note: It was reported that, on a CentOS 7.4 system, the UEFI key management screen does not appear upon reboot. This was resolved in CentOS 7.6. See [[https://bugs.centos.org/view.php?id=14050|CentOS bug #14050]] for details.]

===== Enroll the key =====

{{wiki:mok-enroll.jpg?314x241}}

Select **Enroll MOK**.

{{wiki:mok-view-key.jpg?314x241}}

Select **View key 0**.

| {{wiki:mok-key.png}} | \\ \\ \\ ELRepo's Secure Boot Key information is displayed. \\ \\ Serial Number: 0xe9d471cfb4fe136c \\ SHA1 Fingerprint: e1:21:a2:f6:07:2e:f2:94:de:20:0e:6b:5d:1b:49:c0:65:dc:e3:e7 \\ \\ Press the Esc key when you are finished. |

{{wiki:mok-continue.jpg?314x241}}

Select **Continue**.
{{wiki:mok-passwd.jpg?314x241}}

Enter the password you used for importing the key.

{{wiki:mok-ok.jpg?314x241}}

It will ask "Enrol the key(s)?". Select **Yes**.

{{wiki:mok-reboot.png?314x241}}

Select **Reboot**. (Older versions may say 'Continue boot'.)

The key is now enrolled.

===== Useful commands =====

[root@home]# mokutil %%--%%sb-state \\
[root@home]# mokutil %%--%%list-enrolled \\
[root@home]# keyctl list %:.system_keyring \\

===== Removing the ELRepo key =====

If you wish to remove the ELRepo key from the MOK list, follow the instructions below.

[root@home]# mokutil %%--%%delete /etc/pki/elrepo/SECURE-BOOT-KEY-elrepo.org.der \\
[root@home]# mokutil %%--%%list-delete (to check the key to be deleted) \\

Reboot the system and go through the MOK management process to complete the deletion from the MOK list.
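The SHA1 fingerprint listed in the Enroll the key section can also be checked against the key file before it is passed to mokutil. The script below is an added example, not part of the ELRepo page or project; its function names are hypothetical and it assumes sha1sum from coreutils is installed.

```shell
#!/bin/sh
# Added example: compare a Secure Boot key file with the SHA1 fingerprint
# published on this page before importing it into the MOK list.

# Fingerprint as listed in the "Enroll the key" section of this page.
ELREPO_SHA1='e1:21:a2:f6:07:2e:f2:94:de:20:0e:6b:5d:1b:49:c0:65:dc:e3:e7'

# An X.509 fingerprint is the hash of the DER-encoded certificate, so for a
# .der file it is simply the SHA-1 of the file contents, printed in pairs.
der_sha1_fp() {
    sha1sum < "$1" | cut -d' ' -f1 | sed 's/../&:/g; s/:$//'
}

# Normalize a fingerprint for comparison: lower case, no colons or whitespace.
norm_fp() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ': \t\n'
}

# Return 0 only if FILE is readable and its fingerprint equals EXPECTED.
# A PEM-encoded copy of the key hashes differently and is reported as a
# mismatch, which is the safe outcome for a file mokutil expects in DER form.
verify_key() {
    file=$1 expected=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(der_sha1_fp "$file")
    if [ "$(norm_fp "$actual")" = "$(norm_fp "$expected")" ]; then
        echo "OK: $file $actual"
    else
        echo "MISMATCH: $file has $actual, expected $expected" >&2
        return 1
    fi
}

# Usage: sh verify-key.sh /etc/pki/elrepo/SECURE-BOOT-KEY-elrepo.org.der
# Only runs when a path is given; run mokutil --import after an OK result.
if [ "$#" -ge 1 ]; then
    verify_key "$1" "$ELREPO_SHA1" || exit 1
fi
```

The same fingerprint is shown again on the **View key 0** screen, so a mismatch at either point is a reason to stop before selecting **Yes**.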