Hello everyone,
We are missing a serial driver in Rocky Linux 9. It is available via ELrepo, but SecureBoot makes this difficult.
Can it be rebuilt into Rocky 9?
Lenny
Obviously not an option?
Nope, you have to ask elrepo if they can help with it. Otherwise you have to disable secure boot.
Rocky is based on RHEL, that means if it’s not in RHEL, it’s not in Rocky.
What in Secure Boot is an issue?
ELRepo helped us very quickly, but this causes the signature to be spoken by the kernel and Secure Boot no longer allows the system to boot. Of course, I could sign and distribute certificates manually, but this is not an option for several thousand systems.
ELRepo signs the kernel modules that they build for EL kernels and they distribute their certificate. See secureboot [ELRepo Wiki]
Running mokutil --import remotely is trivial.
Alas, visiting “several thousand systems” to complete the import procedure is obviously not feasible. About as hard as disabling the Secure Boot on them.
Ansible could help with that, in terms of distributing the certificate to import.
Yes. ELRepo’s elrepo-release package does provide the /etc/pki/elrepo/SECURE-BOOT-KEY-elrepo.org.der
“Distribute” is thus like ansible all -m dnf -a 'name=elrepo-release'
OK, but how does it get into the “BIOS”?
You run mokutil (which copies key from file to somewhere – to a “ToDo list”) and reboot.
On boot the UEFI does run “Enroll key dialog” (rather than bootloader).
In the dialog you confirm that you really want the certificate into “BIOS”.
That is, the dialog transfers the key from ToDo list into the “BIOS” (and then reboots).
The ELRepo wiki has screenshots from the steps.
The enrollment has to be confirmed “on seat”. Otherwise any remote hacker could inject their certificates.
Compare the above to:
Reboot. Enter UEFI setup. Disable Secure Boot. Reboot.
That too is an “on seat” procedure.
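The mokutil step described above, as an added example that is not code from this thread or from ELRepo: a script an Ansible task can run on each host to queue the ELRepo certificate into the MOK "ToDo list", refusing anything whose fingerprint differs from a pinned value and reporting a single word so the playbook knows whether a reboot (and the on-seat confirmation) is needed. It assumes the DER path named above; `EXPECTED_SHA1` is a placeholder for the fingerprint you verified out of band (the real value is not on this page), and `MOK_PASSWORD` is the one-time password the person at the console re-types in the enrollment dialog.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or ELRepo): queue the ELRepo Secure Boot
# certificate for MOK enrollment from configuration management.
# Assumptions: KEY_DER as named in the thread; EXPECTED_SHA1 is a placeholder
# for a fingerprint pinned out of band; MOK_PASSWORD is the one-time password
# that is re-entered in the on-console enrollment dialog after reboot.
set -u

KEY_DER="${KEY_DER:-/etc/pki/elrepo/SECURE-BOOT-KEY-elrepo.org.der}"
EXPECTED_SHA1="${EXPECTED_SHA1:-<pinned-sha1-fingerprint-placeholder>}"
MOK_PASSWORD="${MOK_PASSWORD:-changeme}"

# Normalise "SHA1 Fingerprint=AA:BB" (openssl) or "SHA1 Fingerprint: aa:bb"
# (mokutil) or a bare fingerprint to lower-case "aa:bb" so they compare equal.
normalize_fp() {
    printf '%s' "$1" | sed 's/^SHA1 Fingerprint[=:] *//' | tr 'A-F' 'a-f'
}

# SHA-1 fingerprint of a DER certificate; fails if the file is unreadable.
der_sha1() {
    local out
    out=$(openssl x509 -inform der -in "$1" -noout -fingerprint -sha1) || return 1
    normalize_fp "$out"
}

# Succeed if a mokutil listing on stdin (--list-enrolled or --list-new) has $1.
listing_has_fp() {
    grep -qi "^SHA1 Fingerprint: *$1\$"
}

# Prints one word for the playbook to act on (reboot only on "queued"):
#   sb-off | mismatch | enrolled | pending | queued | failed
queue_elrepo_key() {
    local want actual
    [ "$(mokutil --sb-state 2>/dev/null)" = "SecureBoot enabled" ] || { echo sb-off; return 0; }
    want=$(normalize_fp "$EXPECTED_SHA1")
    actual=$(der_sha1 "$KEY_DER") || { echo failed; return 1; }
    # Only the pinned certificate may be queued; anything else is an error.
    [ "$actual" = "$want" ] || { echo mismatch; return 1; }
    if mokutil --list-enrolled 2>/dev/null | listing_has_fp "$actual"; then echo enrolled; return 0; fi
    if mokutil --list-new 2>/dev/null | listing_has_fp "$actual"; then echo pending; return 0; fi
    # mokutil --import asks for the one-time password twice on stdin.
    if printf '%s\n%s\n' "$MOK_PASSWORD" "$MOK_PASSWORD" | mokutil --import "$KEY_DER" >/dev/null 2>&1; then
        echo queued
    else
        echo failed; return 1
    fi
}

# Act only when explicitly asked, so sourcing the file for its functions has no side effects.
if [ "${1:-}" = "run" ]; then queue_elrepo_key; fi
```

The key still only becomes trusted after someone confirms it in the MokManager dialog at the next boot, which is exactly the on-seat step the thread is about; the script just removes the remote part of the work.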
Some motherboards require you to enter the BIOS to enroll the key. On my Lenovos the procedure is as described, but on my machine with a Gigabyte MB you have to enter the BIOS to do the enrollment.
So I see Secure boot as a consumer feature that protects individual machines out of the box. For specialized industry applications with unique applications and hardware another security approach needs to be applied.