11.0 Deploying OES in a UEFI Secure Boot Environment

When OES runs in a UEFI Secure Boot environment, the kernel checks the signature of every kernel module before loading it. To protect the integrity of the running kernel, only modules signed with a trusted key are loaded. A key is trusted once the corresponding Secure Boot certificate has been enrolled in one of the UEFI key databases, such as the Machine Owner Key (MOK) database that shim maintains.

The OES installation places the Micro Focus Secure Boot certificate under /etc/uefi/certs and queues it for enrollment in the Machine Owner Key (MOK) database. The enrollment itself can only be completed from the console: at the next reboot, shim presents the Shim UEFI Key Management screen, where you confirm the request as described in Step 4 below.

If you do not enroll the key at the Shim UEFI Key Management prompt during the OES installation, the following pop-up is displayed during the OES configuration:

Click OK to continue with the configuration.

Whether you use YaST or AutoYaST, reboot the server after the configuration has completed, then enroll the key in the Shim UEFI Key Management screen by following Step 4 to Step 10.

If for any reason the key is not enrolled properly during the OES installation, you must import the certificate manually with mokutil and enroll it in the MOK database on the next reboot.

NOTE: During the OES installation, make sure that Enable Secure Boot is set to Yes in Installation Settings > Booting before the packages are installed.

The steps to import the certificate manually and then enroll it in the MOK database are as follows:

  1. Import the Micro Focus Secure Boot certificate into the MOK database using the following command:

    ~# mokutil --root-pw --import /etc/uefi/certs/55E46AAF.crt

    The --root-pw option makes MokManager authenticate the enrollment with the root password at the next reboot; without it, mokutil prompts you to set a one-time password that you must re-enter in MokManager. The import only queues the request (in the MokNew UEFI variable); the key is not trusted until the request is confirmed at the console in the steps below.

  2. Ensure that the imported certificate is listed among the certificates that are prepared to be enrolled using the following command:

    ~# mokutil --list-new

  3. Reboot the system. Because a request is pending, shim launches MokManager before the operating system starts.

  4. In the Shim UEFI Key Management screen, press any key within 10 seconds to enter MOK management. If you do nothing, the system continues to boot and the key is not enrolled.

  5. In the Perform MOK Management screen, select Enroll MOK.

  6. In the Enroll MOK screen, select Continue.

  7. In the Enroll the Key(s) screen, select Yes.

  8. In the Enroll the Key(s) screen, enter the root password (requested because the import in Step 1 used --root-pw).

  9. In the Perform MOK Management screen, select Reboot to complete the enrollment.

  10. After the reboot, verify the enrollment in the kernel messages: the Micro Focus Open Enterprise Secure Boot Signkey must appear among the loaded certificates.

    Alternatively, verify the enrolled key using the following command:

    ~# mokutil --list-enrolled
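The following script is an added example, not part of the OES documentation or of mokutil. It turns the verification in Step 10 into a check that does not rely on reading names by eye: it computes the SHA1 fingerprint of the certificate file and looks for that fingerprint in the output of mokutil --list-enrolled (key is enrolled) or mokutil --list-new (import done, MokManager confirmation still pending). It assumes that openssl is installed, that the .crt file is DER encoded (the format mokutil --import expects), and that mokutil prints each key as "[key N]" followed by a "SHA1 Fingerprint: aa:bb:..." line and the certificate text; the sample listing at the bottom is constructed to that shape for offline use.

```shell
#!/bin/sh
# Added example (not from the OES documentation): report whether the Micro Focus
# Secure Boot certificate is enrolled, pending, or missing from the MOK database,
# matching on the certificate's SHA1 fingerprint rather than its display name.
# Assumptions: openssl present, certificate DER encoded, mokutil listing format
# "[key N]" / "SHA1 Fingerprint: aa:bb:..." / certificate text.

CERT="${CERT:-/etc/uefi/certs/55E46AAF.crt}"

# Normalise a fingerprint so openssl output ("SHA1 Fingerprint=0A:1B:...") and
# mokutil output ("SHA1 Fingerprint: 0a:1b:...") compare equal.
normalize_fp() {
    printf '%s\n' "$1" | sed 's/^SHA1 Fingerprint *[=:] *//' | tr 'A-F' 'a-f'
}

# SHA1 fingerprint of a certificate file; tries DER first, then PEM.
cert_fingerprint() {
    fp=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 2>/dev/null) \
        || fp=$(openssl x509 -in "$1" -noout -fingerprint -sha1) || return 1
    normalize_fp "$fp"
}

# Succeed if a mokutil listing (passed as text) contains the fingerprint.
listing_has_fp() {
    printf '%s\n' "$1" | grep -iq "^SHA1 Fingerprint: *$2"
}

# Classify the certificate against the enrolled and pending listings:
#   enrolled - present in MokList, modules signed with it will load
#   pending  - imported with mokutil but not yet confirmed in MokManager
#   missing  - the import (Step 1) has to be repeated
mok_status() {
    enrolled="$1"; pending="$2"; fp="$3"
    if listing_has_fp "$enrolled" "$fp"; then
        echo enrolled
    elif listing_has_fp "$pending" "$fp"; then
        echo pending
    else
        echo missing
    fi
}

# Live check on an OES host. mokutil --list-new may fail when nothing is
# pending, so its exit status is ignored and its output treated as empty.
main() {
    mokutil --sb-state || return 1
    fp=$(cert_fingerprint "$CERT") || { echo "cannot read $CERT" >&2; return 1; }
    enrolled=$(mokutil --list-enrolled 2>/dev/null)
    pending=$(mokutil --list-new 2>/dev/null || true)
    echo "$CERT ($fp): $(mok_status "$enrolled" "$pending" "$fp")"
}

# Constructed sample imitating `mokutil --list-enrolled`; the fingerprint and
# subject are made up for offline testing, not taken from a real key.
SAMPLE_ENROLLED='[key 1]
SHA1 Fingerprint: 0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9:0a:1b:2c:3d
Certificate:
    Data:
        Subject: O=Micro Focus, CN=Micro Focus Open Enterprise Secure Boot Signkey'

# Run the live check only when asked for, so the file can be sourced for its functions.
case "${1:-}" in
    --live) main ;;
esac
```

Run it as `sh check-mok.sh --live` on the server after Step 9. A result of "pending" means the request survived the reboot but was never confirmed in MokManager (for example, the 10-second prompt in Step 4 timed out), so only a further reboot and the console steps are needed; "missing" means Step 1 has to be repeated. Comparing fingerprints rather than the subject name also guards against a similarly named certificate from another source being mistaken for the Micro Focus key.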