Table of Contents

SecureBootKey

In order to use ELRepo's kernel modules (kmod packages) on a system with Secure Boot enabled, system administrators must import the ELRepo Secure Boot public key into their Machine Owner Key (MOK) list. This page explains how this is done. Please note that ELRepo's kernel packages (kernel-ml and kernel-lt) are not signed with the Secure Boot key.

Import the ELRepo key

If you have installed the elrepo-release package as shown on our HomePage, the secureboot key will be found as /etc/pki/elrepo/SECURE-BOOT-KEY-elrepo.org.der . Or you can download it directly from our site:

wget https://elrepo.org/SECURE-BOOT-KEY-elrepo.org.der

With the key in place, install it by following these steps: 

[root@home]# mokutil --import /etc/pki/elrepo/SECURE-BOOT-KEY-elrepo.org.der
input password:
input password again:

When prompted, enter a password of your choice. This password will be used when enrolling the key into the MOK list. [Note: if you get “Failed to enroll new keys”, be sure to enable SecureBoot. See this Red Hat solution article] for details.

Reboot the system

Upon rebooting, the “Shim UEFI key managemen” screen appears. Press any key withing 10 seconds to proceed. [Note: It was reported that, on a CentOS 7.4 system, the UEFI key management screen does not appear upon reboot. This was resolved in CentOS 7.6. See CentOS bug #14050 for details.]

Enroll the key

Select Enroll MOK.

Select View key 0.




ELRepo's Secure Boot Key information is displayed.

Serial Number: 0xe9d471cfb4fe136c
SHA1 Fingerprint: e1:21:a2:f6:07:2e:f2:94:de:20:0e:6b:5d:1b:49:c0:65:dc:e3:e7

Press the Esc key when you are finished.

Select Continue.

Enter the password you used for importing the key.

It will ask “Enrol the key(s)?”. Select Yes.

Select Reboot. (Older versions may say 'Continue boot')

The key is now enrolled.

Useful commands

[root@home]# mokutil --sb-state
[root@home]# mokutil --list-enrolled
[root@home]# keyctl list %:.system_keyring

Removing the ELRepo key

If you wish to remove the ELRepo key from the MOK list, follow the instructions below.

[root@home]# mokutil --delete /etc/pki/elrepo/SECURE-BOOT-KEY-elrepo.org.der
[root@home]# mokutil --list-delete (to check the key to be deleted)

Reboot the system and go through the MOK management process to complete the deletion from the MOK list.