For customers who have enabled UEFI Secure Boot on their hardware, understanding how Secure Boot works can help when updating the Linux kernel or adding third-party, vendor-supplied modules. Oracle Linux documentation now includes a Working with UEFI Secure Boot guide that provides a thorough overview of the Secure Boot process, including steps to sign modules and to insert the keys used to validate modules and kernels into the correct key database. This information is also useful when trying to make sense of the Oracle Linux: UEFI Secure Boot Update Notices that are posted when kernel and shim signing keys are updated.

The guide explains the different components and keys used in the Secure Boot process and how these are chained together to create a trust model:

“At the UEFI firmware level, a Platform Key is used to validate a Key Exchange Key which is, in turn, used to validate all Database Keys (DB) and all DBX Keys (DBX). The DB keys are used in conjunction with the DBX keys, to validate a Shim binary which is signed using the Oracle public key. The Oracle public key is signed by Microsoft and the DB keys are able to validate this chain of trust. After the Shim is validated, keys stored within the MOK list and loaded by the Shim can be trusted to perform validation for subsequent operations. The GRUB2 secondary bootloader is validated by using a key within the MOK (Machine Owner Key) list. Equally, when GRUB2 loads the kernel, validation of the kernel image binary is performed against the keys in the MOK list before the kernel can be loaded. Finally, after the kernel is loaded, the Linux kernel modules or Linux kernel images that are used for kexec operations can be validated, either against the MOK list or against any public keys that are compiled directly into the Linux kernel”.

Operations to update the MOK database for alternate keys used to sign kernel images or modules vary depending on the kernel version. Notably, UEK R6 has a different trust model that only allows modules to run if the key that is used to sign the module is available within the compiled kernel image. Instructions are provided on how to insert a key into the kernel image, re-sign the kernel and finally add the key that was used to sign the kernel into the MOK list. For other kernels, it is sufficient to insert the key used to sign the module into the MOK database. Instructions are also provided for the module signing process as different kernels may require a different key signature type.
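Module signing, as the guide describes it, appends a signature trailer to the `.ko` file; the parser below is an added example (not from the Oracle guide or Oracle's tooling) that decodes that trailer offline, so an administrator can confirm a module is signed and see which signature type it carries before enrolling the matching key in the MOK list. The module body and the signature blob in the sample are constructed stand-ins, not a real module or a real PKCS#7 signature.

```python
import struct

# Trailer that the kernel's sign-file step appends to a module:
#   [ELF module][signer name][key id][signature][module_signature (12 bytes)][magic (28 bytes)]
MODULE_SIG_MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian sig_len
MODULE_SIG_STRUCT = struct.Struct(">BBBBB3xI")
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS7"}


def parse_module_signature(image: bytes) -> dict:
    """Decode the appended-signature metadata of a kernel module image.

    Returns {'signed': False} when no trailer is present; otherwise the struct
    fields, the raw signature blob and the module bytes the signature covers.
    Raises ValueError on a malformed trailer, which the kernel also rejects.
    """
    if not image.endswith(MODULE_SIG_MAGIC):
        return {"signed": False}
    body_end = len(image) - len(MODULE_SIG_MAGIC) - MODULE_SIG_STRUCT.size
    if body_end < 0:
        raise ValueError("image too short for module_signature struct")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = MODULE_SIG_STRUCT.unpack(
        image[body_end:body_end + MODULE_SIG_STRUCT.size])
    if id_type == 2 and (algo or hash_ or signer_len or key_id_len):
        # With PKCS#7 the algorithm and signer live inside the blob; these fields must be zero.
        raise ValueError("PKCS7 trailer carries non-zero algo/hash/signer fields")
    total = signer_len + key_id_len + sig_len
    if total > body_end:
        raise ValueError("signature lengths exceed image size")
    module_end = body_end - total
    signer = image[module_end:module_end + signer_len]
    key_id = image[module_end + signer_len:module_end + signer_len + key_id_len]
    signature = image[module_end + signer_len + key_id_len:body_end]
    return {
        "signed": True,
        "id_type": ID_TYPES.get(id_type, f"unknown({id_type})"),
        "algo": algo, "hash": hash_,
        "signer": signer.decode("ascii", "replace"),
        "key_id": key_id.hex(),
        "sig_len": sig_len,
        "signature": signature,
        "module": image[:module_end],
    }


# Constructed sample: a stand-in module body plus a fake 16-byte blob in place of a PKCS#7 signature.
FAKE_MODULE = b"\x7fELF" + b"module body for demo"
FAKE_SIG = bytes(range(16))
SIGNED_SAMPLE = FAKE_MODULE + FAKE_SIG + MODULE_SIG_STRUCT.pack(0, 0, 2, 0, 0, len(FAKE_SIG)) + MODULE_SIG_MAGIC

if __name__ == "__main__":
    print(parse_module_signature(SIGNED_SAMPLE))   # signed, id_type PKCS7, sig_len 16
    print(parse_module_signature(FAKE_MODULE))     # {'signed': False}
```

On a real system, feed it the bytes of a module under `/lib/modules/$(uname -r)/` to cross-check what `modinfo` reports; the parser only reads the trailer and does not verify the signature against any key.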

Finally, instructions are also provided on how to disable UEFI Secure Boot at the Shim level, in case you are unable to do this in your system firmware.

As Oracle continues to develop UEFI Secure Boot support, this guide and/or other documentation will be updated accordingly.

Oracle Linux downloads

Individual RPM packages are available on the Unbreakable Linux Network (ULN) and the Oracle Linux yum server. ISO installation images are available for download from the Oracle Linux yum server and container images are available via Oracle Container Registry, GitHub Container Registry and Docker Hub.

Oracle Linux can be downloaded, used, and distributed free of charge and all updates and errata are freely available. Customers decide which of their systems require a support subscription. This makes Oracle Linux an ideal choice for development, testing, and production systems. The customer decides which support coverage is best for each individual system while keeping all systems up to date and secure.

Resources