Enable secure boot

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Enable secure boot

Post by KernelOops » 2019/10/21 08:53:19

I installed CentOS 8 on a system with an AMD Ryzen 7 3700X CPU, with secure boot disabled in the BIOS.

Now, I enabled secure boot in the BIOS, but booting CentOS clearly shows that secure boot is not in use. So how do I tell both the BIOS and CentOS to use secure boot on an already installed system?

Thank you.
--
R.I.P. CentOS :cry:
--

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: Enable secure boot

Post by lightman47 » 2019/10/21 19:48:18

My (very weak) understanding of 'secure boot' is that it prevents 'aliens' from altering the boot record. I wonder how one knows it's not working.
I have mine turned off because I have a number of programs whose updates (VirtualBox, I think is one) will fail if they are unable to write to the boot record.

How can you tell it isn't working?
Thank you.

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Enable secure boot

Post by KernelOops » 2019/10/21 20:14:13

Secure boot allows us to key sign the UEFI BIOS part and what actually boots, including the kernel and all modules.

Since VirtualBox loads custom modules, they would need to be signed, so on every update you need to sign them all over again.

To see if secure boot is working, you can just "dmesg | grep -i secureboot"; in mine it says disabled. If there is no secure boot feature in the BIOS then it may not say anything.
--
R.I.P. CentOS :cry:
--

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: Enable secure boot

Post by lightman47 » 2019/10/21 20:16:44

Ahhh! Thank you.

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: Enable secure boot

Post by chemal » 2019/10/21 20:46:26

KernelOops wrote (2019/10/21 08:53:19):
> I installed centos 8 ...

In Legacy or in UEFI mode?

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Enable secure boot

Post by KernelOops » 2019/10/22 15:35:34

I installed in UEFI mode.

# efibootmgr
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0003
Boot0000* CentOS Linux
Boot0003  UEFI OS
--
R.I.P. CentOS :cry:
--

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: Enable secure boot

Post by chemal » 2019/10/22 16:58:12

I was asking because I expected a secure-boot enabled UEFI firmware to simply not boot a secure-boot disabled OS. Isn't this the whole point of secure boot?

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Enable secure boot

Post by KernelOops » 2019/10/23 07:19:27

I don't know how it's supposed to work with this BIOS, the settings are quite different from what I'm used to.

For example, I've set up several Dell laptops with CentOS or Fedora and secure boot worked great there, without doing anything in particular. Here is an example from those laptops:

[    0.000000] secureboot: Secure boot enabled
[    0.000000] Kernel is locked down from EFI secure boot; see man kernel_lockdown.7

Maybe there is something different in this Ryzen board... hmm...
--
R.I.P. CentOS :cry:
--
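
The `dmesg | grep -i secureboot` check used in this thread shows what the kernel logged at boot; the firmware's own view is in the `SecureBoot` and `SetupMode` EFI variables. The script below is an added example, not part of any post in the thread, that reads both from efivarfs. The function names and the state labels are made up for this example; the variable names, GUID and 4-byte attribute header follow the UEFI specification and the Linux efivarfs layout.

```shell
#!/bin/sh
# Added example (not from the thread): report Secure Boot state from the
# firmware's own EFI variables rather than from the kernel log.
# Each efivarfs file is 4 attribute bytes followed by the variable's data.
GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID

# efi_byte DIR NAME: print the first data byte (decimal) of a global EFI
# variable; fail if the file is missing, unreadable or has no data.
efi_byte() {
    f="$1/$2-$GUID"
    [ -r "$f" ] || return 1
    b=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$b" ] || return 1
    printf '%s\n' "$b"
}

# sb_state [EFIVARS_DIR]: print one of
#   legacy      no efivars directory: most likely booted in BIOS/CSM mode
#   enabled     SecureBoot=1: firmware is verifying what it boots
#   setup-mode  SecureBoot=0, SetupMode=1: no Platform Key enrolled, so the
#               firmware cannot enforce Secure Boot whatever the menu says
#   disabled    SecureBoot=0 and not in setup mode: switched off in firmware
#   unknown     UEFI boot, but the SecureBoot variable could not be read
sb_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    [ -d "$dir" ] || { echo legacy; return 0; }
    sb=$(efi_byte "$dir" SecureBoot) || { echo unknown; return 0; }
    setup=$(efi_byte "$dir" SetupMode) || setup=0
    if [ "$sb" = 1 ]; then
        echo enabled
    elif [ "$setup" = 1 ]; then
        echo setup-mode
    else
        echo disabled
    fi
}

# With no argument this inspects the running system.
sb_state "$@"
```

A result of `setup-mode` or `disabled` on a machine whose firmware menu shows Secure Boot switched on means the firmware is not enforcing it, which is a firmware key or mode setting to look at before changing anything in the installed OS.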
