Hello!
I am using CentOS 7.9.2009. For hardware compatibility purposes, I use the elrepo kernel (kernel-ml-5.17.9-1.el7.elrepo.x86_64).
I need to enable Secure Boot, so I am trying to sign the kernel myself. I did it successfully by creating my own Secure Boot key.
All was working great, secure boot was enabled and CentOS was booting correctly.
But on another computer, I have issues. After enrolling my Secure Boot key, CentOS is not booting by itself (Secure Boot is off at this point).
I need to manually boot from \EFI\centos\grubx64.efi through the BIOS to boot successfully on CentOS.
When Secure Boot is on, the computer tells me that something is not signed and Secure Boot is blocking the boot.
I think the secure boot key is not loaded correctly and I can't figure out why.
The command "mokutil -l" confirms that no key is loaded.
This is the exact same computer model as the first computer, the OS is the same and I did the exact same steps with the same key.
I tried multiple times to enroll the key again with mokutil; it seems to enroll fine, but the computer is still not booting.
Sometimes the MokManager doesn't pop up after enrolling with mokutil and rebooting, so I went manually into \EFI\centos\mokmanager.efi through the BIOS to do so.
I reinstalled the first working computer and cleaned the Secure Boot keys in the BIOS. And I had the same problem on this one too. But, after multiple MOK enrollments, it worked again. I really don't understand.
I found on the internet that some people have issues with shim and CentOS.
The versions I use:
Mokutil version: 15.8
Shim version: 15.8
Do you have any idea, please?
Thanks for the help
Secure Boot / Mokutil
Re: Secure Boot / Mokutil
ELRepo kernels are already signed by their key so there is no need to re-sign anything.
Did you read http://elrepo.org/tiki/SecureBootKey ?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Secure Boot / Mokutil
Concerning the kernel I use (https://elrepo.org/tiki/kernel-lt).
It is said "These packages are not signed for SecureBoot".
Re: Secure Boot / Mokutil
ipabLEce wrote: ↑2022/06/13 06:49:21
> Concerning the kernel I use (https://elrepo.org/tiki/kernel-lt).
> It is said "These packages are not signed for SecureBoot".
In that case you cannot use Secure Boot.
Re: Secure Boot / Mokutil
Why can't I?
I used this tutorial: https://gloveboxes.github.io/Ubuntu-for ... -boot.html
to sign it myself.
I already used this method successfully on another computer.