Post Install Enabling Secure Boot

When I installed my RL9 system Secure Boot was not enabled. Now I want to enable it but the x509 certificates need to be loaded first. I assume the mokutil is the tool to load the certs but where are they stored?

Rocky Linux secure boot will work with the default (Microsoft) secure boot certificates loaded by your OEM.

There was no OEM or I should say that was me. Or are you saying MB’s are manufactured with MS certs installed? Mokutil only shows the Rocky Cert.

# mokutil -l
[key 1]
SHA1 Fingerprint: 0e:2a:bf:72:66:32:95:3a:d2:05:b3:cd:c7:eb:24:15:8b:31:b3:bb
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            10:6c:57:1c:ee:af:29:24:c0:aa:85:e5:aa:b4:85:42:9a:b1:d8:86
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Delaware, L=Dover, O=Rocky Enterprise Software Foundation, OU=Release engineering team, CN=Rocky Linux Secure Boot Root CA/emailAddress=security@rockylinux.org
        Validity
            Not Before: Jun 20 15:05:01 2021 GMT
            Not After : Jun 18 15:05:01 2031 GMT
        Subject: C=US, ST=Delaware, L=Dover, O=Rocky Enterprise Software Foundation, OU=Release engineering team, CN=Rocky Linux Secure Boot Root CA/emailAddress=security@rockylinux.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e3:c4:6b:0f:5b:08:fd:db:51:fc:e0:49:39:e9:
                    a8:53:9b:1e:f0:57:ae:da:2c:05:33:5f:6f:2d:a4:
                    76:9e:db:63:40:86:77:a6:20:4b:35:c5:75:ca:dc:
                    5c:4b:a5:f8:ea:1a:e1:c2:47:fa:d3:c2:ef:fe:52:
                    83:94:16:42:90:b0:f2:13:2b:aa:73:22:e8:a0:42:
                    1b:35:02:a8:03:df:10:49:bd:a0:3d:94:35:4e:44:
                    25:78:08:44:99:c0:23:58:63:cc:56:48:a0:40:8b:
                    cb:eb:a0:fd:fc:93:22:46:df:43:36:69:01:f0:1d:
                    b1:7f:62:31:a0:50:be:56:f7:78:3e:2e:22:84:6f:
                    de:8a:81:c1:49:b1:94:7e:fb:7c:d8:f7:4a:20:1e:
                    37:9e:91:05:e8:5f:bf:aa:4e:cd:67:c9:cc:9e:5d:
                    17:90:7f:fd:74:64:c4:a9:e3:1b:03:03:d2:35:a2:
                    87:2a:e4:e5:74:b8:c3:56:82:71:0c:b3:e3:cc:38:
                    a3:51:bb:58:b9:97:be:36:95:9e:64:32:25:d5:a4:
                    94:9d:01:34:5e:cf:68:39:9e:56:74:72:d4:22:1b:
                    34:46:44:14:c2:14:17:88:c3:16:ac:ea:9a:f9:85:
                    f1:00:fb:d9:0e:a0:e0:cf:d1:3d:2c:24:d2:59:94:
                    a4:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                4C:2C:6B:D7:D6:4E:E8:15:81:CA:B8:E9:86:66:1F:65:E2:16:6F:C4
            X509v3 Authority Key Identifier: 
                4C:2C:6B:D7:D6:4E:E8:15:81:CA:B8:E9:86:66:1F:65:E2:16:6F:C4
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        4f:b2:73:90:ad:13:07:fb:1f:66:05:65:8d:21:7e:a9:48:d3:
        92:fc:2e:14:04:9b:ff:48:7d:74:d6:89:12:af:eb:bb:51:91:
        43:9a:df:2b:fe:8c:53:9c:4a:86:96:0a:7b:d4:78:b2:b7:bf:
        c6:61:5f:d9:0c:b6:40:d4:f1:b2:1e:14:74:10:da:42:3f:a5:
        95:4b:22:e4:ec:fb:a9:6a:c9:14:c5:eb:02:f9:04:08:f8:6f:
        51:ed:48:9d:d6:c0:14:1e:00:42:d5:cb:2c:a5:a8:9e:30:8c:
        73:8c:c9:b0:d0:75:82:52:b8:ee:f2:4b:87:18:a0:09:ae:93:
        11:61:ed:62:8d:8c:cb:9e:59:05:b2:41:68:67:d6:5b:fd:17:
        6e:f4:87:59:bb:bd:d7:14:07:ca:ea:7b:45:1a:f1:fe:f5:6b:
        08:78:50:ab:29:a2:d4:41:35:96:ba:76:89:d7:53:5e:46:01:
        55:4f:0c:44:2a:7e:7d:78:49:85:2b:08:29:b5:cc:e5:f4:f4:
        78:1f:64:32:e0:9d:e3:a2:9f:0d:a6:d3:7f:29:f8:89:bb:e2:
        7d:19:65:54:3f:42:e5:a9:4b:2e:31:98:9a:2a:19:0e:b7:ed:
        c3:f9:4a:ca:63:b8:43:c3:93:7b:bb:24:50:1a:15:48:54:c3:
        9a:2a:07:33

Maybe I didn’t click all the proper fields in the firmware.

Yes, pretty much all UEFIs are configured to trust only certificates signed by Microsoft.

This was the cause of much consternation when secure boot was first coming out, because there was the expectation that Microsoft would abuse secure boot by refusing to sign the secure boot certificates of alternative OSs. Fortunately, that didn’t entirely happen, thanks mostly to pushback from the free software community, and Microsoft’s lack of desire to get involved in yet another anticompetition / antitrust case.

Unfortunately, Microsoft is currently trying another play at making Linux more difficult to install. Systems with Microsoft’s Pluton / “secured-core PCs” are prevented from loading anything but Windows by default, and require users to change a firmware setting. See for example Lenovo Secured-core PC unable to boot Linux from a USB stick • The Register

To elaborate, that mokutil command only lists the Rocky CA that is embedded in our shim.

To see the ones in your UEFI’s db and kek databases, use: mokutil --db and mokutil --kek .

Unless your hardware is very unusual, you will have Microsoft issued certificates included in these databases on your motherboard. Rocky Linux’s shimx64.efi loader binary is signed by a Microsoft certificate. The shim includes a Rocky Linux CA, and it in turn loads the Rocky-signed grub2 , kernel, and so forth.

Turning on secure boot shouldn’t affect anything, unless you’ve put a custom-built kernel on your system or 3rd-party drivers.

Of the latter, at least the kernel modules from ELRepo are signed, (but with ELRepo’s key so one has to install ELRepo’s CA with mokutil).

I have Secure Boot enabled now on my Rocky server. I don’t have elrepo kernels or external modules. The biggest hurdle is fathoming the firmware routine. Once the platform key and rocky key are enrolled all worked as expected. The rocky cert is embedded in the shimx64.efi file that you need to point your boot loader to in the esp partition. This is done automatically on install to a gpt partition on a UEFI machine.