== About UEFI Secure Boot ==

=== UEFI Secure Boot Background ===

A detailed document discussing Secure Boot is published by the UEFI Forum at:
http://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf

=== UEFI Secure Boot Validation Summary ===

NOTE: If UEFI Secure Boot is NOT enabled, the firmware does not check signatures at all, and unsigned operating system boot loaders, kernels and modules boot as usual. Signing only matters once Secure Boot is enforced.

*If UEFI Secure Boot is enabled*, every stage of the boot chain must carry a signature that the previous stage trusts. The following must all be true in order to boot:

. Signed EFI operating system boot loaders
.. +shim+ -- Signed with the SL signing certificate.
... The firmware will only start shim if its signature validates against one of
**** the UEFI CA certificate in the UEFI firmware's signature database (installed by the hardware vendor), or
**** a certificate in the MOK (Machine Owner Key) database, enrolled manually by the machine owner.
.. +grub2+ -- Signed with the SL signing certificate.
... shim verifies the signature on grub2 against the certificates it trusts (the UEFI signature database and the MOK database) before starting it.
. Signed Linux kernel -- Signed with the SL signing certificate; grub2 hands the kernel image to shim for the same verification before booting it.
. Signed kernel modules -- Signed with a key the running kernel trusts: the SL signing certificate for modules shipped with SL, or a key you have enrolled in the MOK for modules you build yourself (see the section on signing kernel modules below). With Secure Boot enabled the kernel refuses to load a module whose signature it cannot verify.

==== Checking the SL Keys ====

The SL signing certificates are issued under DigiCert's EV code-signing CA. You can verify that each SL certificate chains to that CA with the following commands. They fetch the DigiCert root and intermediate certificates into one PEM bundle, convert the DER-encoded SL certificates to PEM, and then let +certtool+ check each chain:

[source,shell]
----
sudo yum install curl openssl gnutls-utils
cd /tmp
curl http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt | openssl x509 -inform der > DigiCertEVCodeSign.pem
curl http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt | openssl x509 -inform der >> DigiCertEVCodeSign.pem
curl http://ftp.scientificlinux.org/linux/scientific/7x/x86_64/os/SECURE-BOOT-KEY-fnal-sl7-exp-2023-09-27 | openssl x509 -inform der > SECURE-BOOT-KEY-fnal-sl7-exp-2023-09-27.pem
curl http://ftp.scientificlinux.org/linux/scientific/7x/x86_64/os/SECURE-BOOT-KEY-fnal-sl7-exp-2020-08-26 | openssl x509 -inform der > SECURE-BOOT-KEY-fnal-sl7-exp-2020-08-26.pem
curl http://ftp.scientificlinux.org/linux/scientific/7x/x86_64/os/SECURE-BOOT-KEY-fnal-sl7-exp-2017-07-26 | openssl x509 -inform der > SECURE-BOOT-KEY-fnal-sl7-exp-2017-07-26.pem
certtool -V --verify --load-ca-certificate=DigiCertEVCodeSign.pem --infile=SECURE-BOOT-KEY-fnal-sl7-exp-2023-09-27.pem
certtool -V --verify --load-ca-certificate=DigiCertEVCodeSign.pem --infile=SECURE-BOOT-KEY-fnal-sl7-exp-2020-08-26.pem
certtool -V --verify --load-ca-certificate=DigiCertEVCodeSign.pem --infile=SECURE-BOOT-KEY-fnal-sl7-exp-2017-07-26.pem
----

NOTE: Both the DigiCert certificates and the SL keys are fetched over plain HTTP. A tampered SL certificate would fail to chain to DigiCert and +certtool+ would report it, but the DigiCert root is fetched the same way, so compare its fingerprint (+openssl x509 -in DigiCertEVCodeSign.pem -noout -fingerprint+ prints the first certificate in the bundle) against the one DigiCert publishes before trusting the result. +certtool+ also checks the validity period, so an SL certificate whose expiry date (part of its file name) has passed is reported as not verified.

=== Secure Boot Status in Scientific Linux 7 ===

Booting with Secure Boot enabled works, but requires a manual step. The SL "shim" has not been signed by the UEFI CA, so the firmware will not start it on the strength of the vendor-installed UEFI CA certificate. As the validation summary above shows, the UEFI CA is not the only certificate that can validate shim: the SL signing certificate, which shim is signed with, can also be used, provided it has been enrolled in the MOK (Machine Owner Key) database. This is done with the +mokutil+ command, specifying the SL signing certificate (the DER-encoded certificate files installed under +/etc/pki/secure-boot/+).

CAUTION: +mokutil --import+ asks you to choose a password. MokManager will ask for this same password at the next boot, during the enrollment step, to prove that the person at the console is the one who queued the request. Pick something you can type on the console keyboard.

NOTE: All +mokutil+ commands must be run as +root+.

.Example mokutil command
----
mokutil --import /etc/pki/secure-boot/SECURE-BOOT-KEY-fnal-sl7-exp-2023-09-27
----

IMPORTANT: +mokutil --import+ only queues the request in a UEFI variable. The MOK database itself is updated by MokManager, which shim starts automatically on the next reboot when it finds a pending request. *Reboot the system, and MokManager will start automatically.*

.Steps To Enroll MOK keys in MokManager
----
Select "Enroll MOK"
Select "View Key" if you wish to see the key. Then select "Continue".
Select "Yes" to enroll the key (if you really want to enroll it).
Enter the password you gave to mokutil; MokManager uses it to verify that the user has permission to update the MOK database.
----

link:https://sourceware.org/systemtap/wiki/SecureBoot#line-48[Screenshots are available], thanks to the SystemTap team.

After enrolling the key, verify that it was stored successfully.

.How To Review MOK Keys
[source,shell]
----
mokutil --list-enrolled
----

The above command lists the keys currently enrolled in the MOK database; the SL certificate should appear among them.
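The following script is an added example, not part of the SL documentation, that checks the pieces the validation summary above requires on a running system: whether the firmware is actually enforcing Secure Boot (read from the +SecureBoot+ UEFI variable through efivarfs), whether the SL certificate is in the MOK database (by comparing its SHA1 fingerprint against +mokutil --list-enrolled+ output, which is assumed to print one fingerprint per key), and who signed shim and grub2. The boot loader paths +/boot/efi/EFI/redhat/shimx64.efi+ and +grubx64.efi+, and the presence of the +pesign+ tool, are assumptions not stated on this page.

```shell
#!/bin/sh
# Added example, not part of the SL documentation: audit the Secure Boot
# chain described in the validation summary on a running SL 7 system.
# Assumptions (not stated on the page): the boot loaders live under
# /boot/efi/EFI/redhat/, pesign is installed, and mokutil --list-enrolled
# prints "SHA1 Fingerprint: ..." for every enrolled key.

SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# sb_state [FILE]: prints "enabled", "disabled" or "unsupported".
# efivarfs exposes a UEFI variable as 4 bytes of attributes followed by its
# data; SecureBoot's data is one byte, 1 when the firmware enforces signatures.
# Exit status: 0 enabled, 1 disabled, 2 no such variable (legacy BIOS boot,
# or a firmware without Secure Boot support).
sb_state() {
    local f="${1:-$SB_VAR}" v
    [ -r "$f" ] || { echo unsupported; return 2; }
    # skip the 4 attribute bytes, read 1 byte, print it as an unsigned decimal
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    case "$v" in
        1) echo enabled;     return 0 ;;
        0) echo disabled;    return 1 ;;
        *) echo unsupported; return 2 ;;
    esac
}

# mok_enrolled KEY.der: succeeds if the certificate is in the MOK database.
# openssl prints the fingerprint in upper-case hex and mokutil in lower-case,
# hence the case-insensitive grep.
mok_enrolled() {
    local fp
    fp=$(openssl x509 -inform der -in "$1" -noout -fingerprint -sha1 | cut -d= -f2)
    [ -n "$fp" ] || return 1
    mokutil --list-enrolled 2>/dev/null | grep -qi "$fp"
}

# sb_audit [KEY.der]: one report covering the validation summary.
sb_audit() {
    local key="${1:-/etc/pki/secure-boot/SECURE-BOOT-KEY-fnal-sl7-exp-2023-09-27}" f
    echo "Secure Boot:            $(sb_state)"
    if mok_enrolled "$key"; then
        echo "SL key enrolled in MOK: yes ($key)"
    else
        echo "SL key enrolled in MOK: no  ($key)"
    fi
    # pesign -S lists the Authenticode signatures on a PE binary, i.e. which
    # certificate the firmware (for shim) or shim (for grub2) has to trust.
    for f in /boot/efi/EFI/redhat/shimx64.efi /boot/efi/EFI/redhat/grubx64.efi; do
        [ -f "$f" ] || continue
        echo "== signatures on $f"
        pesign -S -i "$f"
    done
    # The kernel's own view: it logs the Secure Boot state it booted with.
    dmesg | grep -i 'secure boot' || true
}
```

Save the script, source it, and run +sb_audit+ as root (or append a line calling +sb_audit "$@"+ to run it directly). +sb_state+ is the part worth keeping in a compliance check: +mokutil --sb-state+ reports the same thing, but reading the variable directly works on minimal systems where mokutil is not installed. A module that loads on a machine where +sb_state+ prints "disabled" proves nothing about its signature; test enforcement on a system that reports "enabled".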
NOTE: We are currently in negotiations with the UEFI Certificate Authority on agreeable requirements for submitting "shim" for signing. We hope to be able to support this functionality in the future, at which point the manual MOK enrollment step would no longer be needed.

=== More Information on Signing Kernel Modules ===

Modules you build yourself must also be signed, or the kernel will refuse to load them while Secure Boot is enabled. The upstream documentation on generating a signing key, enrolling its public half in the MOK with +mokutil+, and signing modules with the kernel's +sign-file+ script can be found in the link:https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-signing-kernel-modules-for-secure-boot.html[RHEL 7 System Administrators Guide].

// vim: set syntax=asciidoc:
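As an added example (not from this page or the RHEL guide), the script below inspects the signature that +sign-file+ appends to a kernel module, so you can confirm a module you signed actually carries a signature before installing it, and pull the signature out for inspection. It relies only on the trailer layout documented in the kernel's module-signing documentation: the module is followed by a signature blob, a 12-byte +module_signature+ header and the 28-byte magic string +~Module signature appended~+ plus a newline. The sample module in the test is constructed; the +.ko+ paths in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not part of the SL documentation: inspect the signature that
# sign-file appends to a kernel module. Trailer layout, from the kernel's
# module-signing documentation:
#
#   [module ELF][signer name][key id][signature][12-byte header][28-byte magic]
#
# The 12-byte header (struct module_signature) is: algo(1) hash(1) id_type(1)
# signer_len(1) key_id_len(1) pad(3) sig_len(4, big-endian). In the PKCS#7
# form used by current kernels, id_type is 2, signer_len and key_id_len are 0,
# and the signature is a DER-encoded PKCS#7 blob.

KO_SIG_MAGIC='~Module signature appended~'   # a newline follows it in the file

# ko_sig_len FILE: prints sig_len for a PKCS#7-signed module.
# Returns 1 if FILE carries no signature, 2 if it uses the old X.509 form.
ko_sig_len() {
    # The magic is the last 28 bytes; $(...) strips the trailing newline.
    [ "$(tail -c 28 "$1")" = "$KO_SIG_MAGIC" ] || return 1
    # The header is the 12 bytes before the magic; load its bytes, in
    # decimal, into $1..$12.
    set -- $(tail -c 40 "$1" | head -c 12 | od -An -tu1)
    [ $# -eq 12 ] || return 1
    if [ "$3" -ne 2 ]; then
        echo "unsupported id_type $3 (only PKCS#7 is handled)" >&2
        return 2
    fi
    echo $(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
}

# ko_sig_info FILE: one-line summary, exit status 0 only for a signed module.
ko_sig_info() {
    local n
    n=$(ko_sig_len "$1") || { echo "$1: no PKCS#7 signature"; return 1; }
    echo "$1: signed, PKCS#7, sig_len=$n"
}

# ko_sig_extract FILE OUT.p7s: writes the PKCS#7 blob, which can then be
# examined with: openssl asn1parse -inform DER -in OUT.p7s
ko_sig_extract() {
    local n
    n=$(ko_sig_len "$1") || return 1
    tail -c $((n + 40)) "$1" | head -c "$n" > "$2"
}

# ko_strip FILE OUT.ko: writes the module without its trailer, i.e. exactly
# the bytes sign-file hashed, e.g. to compare against an unsigned build.
ko_strip() {
    local n total
    n=$(ko_sig_len "$1") || return 1
    total=$(wc -c < "$1")
    head -c $((total - n - 40)) "$1" > "$2"
}
```

Typical use after signing a freshly built module: +ko_sig_info my_module.ko+, then +ko_sig_extract my_module.ko sig.p7s+ and +openssl asn1parse -inform DER -in sig.p7s+ to see which issuer and serial number the signature names, which must match the certificate you enrolled in the MOK. For modules already installed, +modinfo -F sig_id MODULE+ and +modinfo -F signer MODULE+ report the same information; the script's advantage is that it works on any file and gives you the raw blob and the unsigned bytes.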