HomeSecureBootKey
In order to use ELRepo's kernel modules (kmod packages) on a system with Secure Boot enabled, system administrators must import the ELRepo Secure Boot public key into their Machine Owner Key (MOK) list. This page explains how this is done. Please note that ELRepo's kernel packages (kernel-ml and kernel-lt) are not signed with the Secure Boot key.Import the ELRepo key.
If you have installed the elrepo-release package as shown on our HomePage, the secureboot key will be found as /etc/pki/elrepo/SECURE-BOOT-KEY-elrepo.org.der . Or you can download it directly from our site:
wget https://elrepo.org/SECURE-BOOT-KEY-elrepo.org.der
With the key in place, install it by following these steps:
[root@home]# mokutil --import /etc/pki/elrepo/SECURE-BOOT-KEY-elrepo.org.der
input password:
input password again:
input password:
input password again:
When prompted, enter a password of your choice. This password will be used when enrolling the key into the MOK list.
[Note: if you get "Failed to enroll new keys", be sure to enable SecureBoot. See this Red Hat solution article
for details.]Reboot the system.
Upon rebooting, the "Shim UEFI key management" screen appears. Press any key withing 10 seconds to proceed.[Note: It was reported that, on a CentOS 7.4 system, the UEFI key management screen does not appear upon reboot. See this CentOS bug report
for details.]Enroll the key.
 | Select Enroll MOK. |
 | Select View key 0. |
 | ELRepo's Secure Boot Key information is displayed. Serial Number: 0xe9d471cfb4fe136c SHA1 Fingerprint: e1:21:a2:f6:07:2e:f2:94:de:20:0e:6b:5d:1b:49:c0:65:dc:e3:e7 Press the Esc key when you are finished. |
 | Select Continue. |
 | Enter the password you used for importing the key. |
 | It will ask "Enrol the key(s)?". Select Yes. |
Press a key to reboot system. The key is now enrolled.
Useful commands.
[root@home]# mokutil --sb-state[root@home]# mokutil --list-enrolled
[root@home]# keyctl list %:.system_keyring
Removing the ELRepo key.
If you wish to remove the ELRepo key from the MOK list, follow the instructions below.[root@home]# mokutil --delete /etc/pki/elrepo/SECURE-BOOT-KEY-elrepo.org.der
[root@home]# mokutil --list-delete (to check the key to be deleted)
Reboot the system and go through the MOK management process to complete the deletion from the MOK list.
Page last modified on Monday 13 of August, 2018 16:34:58 MDT
The ELRepo Project would like to thank Red Hat for their support of the Open Source Community.