When I installed my RL9 system Secure Boot was not enabled. Now I want to enable it but the x509 certificates need to be loaded first. I assume the mokutil is the tool to load the certs but where are they stored?
Rocky Linux secure boot will work with the default (Microsoft) secure boot certificates loaded by your OEM.
There was no OEM or I should say that was me. Or are you saying MB’s are manufactured with MS certs installed? Mokutil only shows the Rocky Cert.
# mokutil -l
[key 1]
SHA1 Fingerprint: 0e:2a:bf:72:66:32:95:3a:d2:05:b3:cd:c7:eb:24:15:8b:31:b3:bb
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            10:6c:57:1c:ee:af:29:24:c0:aa:85:e5:aa:b4:85:42:9a:b1:d8:86
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Delaware, L=Dover, O=Rocky Enterprise Software Foundation, OU=Release engineering team, CN=Rocky Linux Secure Boot Root CA/emailAddressfirstname.lastname@example.org
        Validity
            Not Before: Jun 20 15:05:01 2021 GMT
            Not After : Jun 18 15:05:01 2031 GMT
        Subject: C=US, ST=Delaware, L=Dover, O=Rocky Enterprise Software Foundation, OU=Release engineering team, CN=Rocky Linux Secure Boot Root CA/emailAddressemail@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e3:c4:6b:0f:5b:08:fd:db:51:fc:e0:49:39:e9:
                    a8:53:9b:1e:f0:57:ae:da:2c:05:33:5f:6f:2d:a4:
                    76:9e:db:63:40:86:77:a6:20:4b:35:c5:75:ca:dc:
                    5c:4b:a5:f8:ea:1a:e1:c2:47:fa:d3:c2:ef:fe:52:
                    83:94:16:42:90:b0:f2:13:2b:aa:73:22:e8:a0:42:
                    1b:35:02:a8:03:df:10:49:bd:a0:3d:94:35:4e:44:
                    25:78:08:44:99:c0:23:58:63:cc:56:48:a0:40:8b:
                    cb:eb:a0:fd:fc:93:22:46:df:43:36:69:01:f0:1d:
                    b1:7f:62:31:a0:50:be:56:f7:78:3e:2e:22:84:6f:
                    de:8a:81:c1:49:b1:94:7e:fb:7c:d8:f7:4a:20:1e:
                    37:9e:91:05:e8:5f:bf:aa:4e:cd:67:c9:cc:9e:5d:
                    17:90:7f:fd:74:64:c4:a9:e3:1b:03:03:d2:35:a2:
                    87:2a:e4:e5:74:b8:c3:56:82:71:0c:b3:e3:cc:38:
                    a3:51:bb:58:b9:97:be:36:95:9e:64:32:25:d5:a4:
                    94:9d:01:34:5e:cf:68:39:9e:56:74:72:d4:22:1b:
                    34:46:44:14:c2:14:17:88:c3:16:ac:ea:9a:f9:85:
                    f1:00:fb:d9:0e:a0:e0:cf:d1:3d:2c:24:d2:59:94:
                    a4:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                4C:2C:6B:D7:D6:4E:E8:15:81:CA:B8:E9:86:66:1F:65:E2:16:6F:C4
            X509v3 Authority Key Identifier:
                4C:2C:6B:D7:D6:4E:E8:15:81:CA:B8:E9:86:66:1F:65:E2:16:6F:C4
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        4f:b2:73:90:ad:13:07:fb:1f:66:05:65:8d:21:7e:a9:48:d3:
        92:fc:2e:14:04:9b:ff:48:7d:74:d6:89:12:af:eb:bb:51:91:
        43:9a:df:2b:fe:8c:53:9c:4a:86:96:0a:7b:d4:78:b2:b7:bf:
        c6:61:5f:d9:0c:b6:40:d4:f1:b2:1e:14:74:10:da:42:3f:a5:
        95:4b:22:e4:ec:fb:a9:6a:c9:14:c5:eb:02:f9:04:08:f8:6f:
        51:ed:48:9d:d6:c0:14:1e:00:42:d5:cb:2c:a5:a8:9e:30:8c:
        73:8c:c9:b0:d0:75:82:52:b8:ee:f2:4b:87:18:a0:09:ae:93:
        11:61:ed:62:8d:8c:cb:9e:59:05:b2:41:68:67:d6:5b:fd:17:
        6e:f4:87:59:bb:bd:d7:14:07:ca:ea:7b:45:1a:f1:fe:f5:6b:
        08:78:50:ab:29:a2:d4:41:35:96:ba:76:89:d7:53:5e:46:01:
        55:4f:0c:44:2a:7e:7d:78:49:85:2b:08:29:b5:cc:e5:f4:f4:
        78:1f:64:32:e0:9d:e3:a2:9f:0d:a6:d3:7f:29:f8:89:bb:e2:
        7d:19:65:54:3f:42:e5:a9:4b:2e:31:98:9a:2a:19:0e:b7:ed:
        c3:f9:4a:ca:63:b8:43:c3:93:7b:bb:24:50:1a:15:48:54:c3:
        9a:2a:07:33
Maybe I didn’t click all the proper fields in the firmware.
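A script to check what the firmware actually reports and which certificates it trusts, as an added example written for this thread (not from any post above): it decodes the SecureBoot and SetupMode EFI variables straight from efivars (using the standard EFI global-variable GUID) and, when mokutil is installed, lists the signers in the firmware's db and in the MOK list. Note that `mokutil -l` / `--list-enrolled` shows only owner-enrolled MOK keys, which is why it shows just the Rocky certificate; the OEM-shipped Microsoft certificates live in the db variable and are shown by `mokutil --db`. The EFIVARS override and the `-r` / od-based decoding are assumptions of this example.

```shell
#!/bin/sh
# Added example: report firmware Secure Boot state and enumerate trusted signers.
# Assumes a Linux system with efivarfs mounted at /sys/firmware/efi/efivars
# (override with EFIVARS=/some/dir for offline use) and optionally mokutil.

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
# EFI_GLOBAL_VARIABLE GUID, shared by the SecureBoot and SetupMode variables.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"
SB_VAR="SecureBoot-$EFI_GLOBAL_GUID"
SETUP_VAR="SetupMode-$EFI_GLOBAL_GUID"

# An efivarfs file is 4 bytes of attribute flags followed by the variable data.
# For SecureBoot and SetupMode the data is a single byte, 0 or 1.
# Prints "0", "1" or "unknown" (file missing, unreadable or malformed).
efivar_byte() {
    [ -r "$1" ] || { echo unknown; return 0; }
    v=$(od -An -t u1 -j 4 -N 1 "$1" | tr -d ' ')
    case "$v" in
        0|1) echo "$v" ;;
        *)   echo unknown ;;
    esac
}

# Combine both variables: Secure Boot is only enforcing when SecureBoot=1 AND the
# firmware is not in Setup Mode (SetupMode=1 means no PK is enrolled, so nothing
# is verified even if the toggle says enabled).
# Usage: sb_state [efivars-dir]  -> prints enabled | disabled | unknown
sb_state() {
    dir=${1:-$EFIVARS}
    sb=$(efivar_byte "$dir/$SB_VAR")
    setup=$(efivar_byte "$dir/$SETUP_VAR")
    if [ "$sb" = 1 ] && [ "$setup" = 0 ]; then
        echo enabled
    elif [ "$sb" = 0 ] || [ "$setup" = 1 ]; then
        echo disabled
    else
        echo unknown
    fi
}

# List certificate subjects/fingerprints the firmware trusts (db) and the
# owner-enrolled ones (MOK list). Needs mokutil; prints a note if it is absent.
list_trusted_signers() {
    if ! command -v mokutil >/dev/null 2>&1; then
        echo "mokutil not installed; cannot list db / MOK contents"
        return 0
    fi
    echo "== UEFI db (firmware-trusted signers, normally the OEM/Microsoft CAs) =="
    mokutil --db 2>/dev/null | grep -E '^ *(Subject|SHA1 Fingerprint):'
    echo "== MOK list (keys enrolled by the owner, e.g. the Rocky CA) =="
    mokutil --list-enrolled 2>/dev/null | grep -E '^ *(Subject|SHA1 Fingerprint):'
}

echo "Secure Boot: $(sb_state)"
list_trusted_signers
```

On a machine where the firmware's db is empty or the system is still in Setup Mode, the script reports "disabled" even if the BIOS menu shows the toggle on, which is the check worth running before trusting shim's signature chain at all.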
Yes, pretty much all UEFIs are configured to trust only certificates signed by Microsoft.
This was the cause of much consternation when secure boot was first coming out, because there was the expectation that Microsoft would abuse secure boot by refusing to sign the secure boot certificates of alternative OSs. Fortunately, that didn’t entirely happen, thanks mostly to pushback from the free software community, and Microsoft’s lack of desire to get involved in yet another anticompetition / antitrust case.
Unfortunately, Microsoft is currently trying another play at making Linux more difficult to install. Systems with Microsoft’s Pluton / “secured-core PCs” are prevented from loading anything but Windows by default, and require users to change a firmware setting. See for example Lenovo Secured-core PC unable to boot Linux from a USB stick • The Register