Secure Boot Certificate
NOTE: Prior to November 12, 2013 the “SUSE SolidDriver Program” was known as the “Partner Linux Driver Program” (PLDP). Though the signing key still reflects the old name, it remains valid as described here.
Kernel module signatures are checked when SUSE Linux Enterprise runs in a UEFI Secure Boot environment. To protect the integrity of the running kernel, the kernel loads only modules signed with a trusted key.
A key is considered trusted once the corresponding Secure Boot certificate has been loaded into a UEFI key database.
UEFI Key Database (key db)
The recommended way to enroll a trusted key into the system is to load the certificate into the UEFI firmware's key db. Refer to your system documentation or contact your system manufacturer for the options to add certificates to the key db. Find the SolidDriver certificate here:
If there is no user option to maintain keys in the UEFI key db, the next option is to use the Machine Owner Keys database described in the following section.
Machine Owner Keys (MOK) database
For systems that do not allow the user (system administrator) to control the UEFI key database, the Machine Owner Key (MOK) database can be used instead. Note: it is recommended to use the key db if at all possible.
The certificate can be enrolled into the MOK by installing the following package:
This package contains the UEFI Secure Boot certificate used to sign modules built in SUSE’s Partner Linux Driver Program. It will install the certificate under /etc/uefi/certs as well as prepare it to be enrolled into the MOK database of the firmware.
Note: The kernel only loads the MOK database when the system is booted in UEFI Secure Boot mode. When not in Secure Boot mode, SolidDriver kernel modules will still load, but because the module is signed with a key unknown to the kernel, the kernel emits a "module verification failed" message and sets a kernel taint. To prevent that taint, the certificate must be loaded into the UEFI key db manually through the firmware UI.
Install the package using zypper or YaST as you would any other rpm package. After package installation, the system must be rebooted to complete the process of enrolling the key into the UEFI MOK database. At reboot the following UEFI prompt will be displayed on the system console:
This prompt times out after 10 seconds and reboots without enrolling the key. Press any key to enter the enrollment process.
Select Enroll MOK in the menu
Select View Key 0 to view the details of the certificate to be enrolled
Verify the key details and press any key to continue
When ready to enroll the key, select Continue
Select Yes to confirm enrollment of the key
Enter the system's root password to authorize the enrollment.
Select Reboot to reboot the system.
The key is now enrolled. To verify this, check the kernel messages after reboot:
# dmesg | grep "Loaded UEFI"
[    3.155012] Loaded UEFI:db cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f' linked to secondary sys keyring
[    3.155310] Loaded UEFI:MokListRT cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f' linked to secondary sys keyring
[    3.155556] Loaded UEFI:MokListRT cert 'SUSE Linux Products GmbH: PLDP Secure Boot Signing Key: ced5e22b63eee758a2e16663a4c2c35bbb54e54f' linked to secondary sys keyring
The PLDP Secure Boot Signing Key is in the list of loaded certs. If not, then the key was not enrolled properly.
Using mokutil to list enrolled keys
One can also verify that the certificate is loaded in the MOK database by using the mokutil command:
# mokutil --list-enrolled
[key 2]
SHA1 Fingerprint: f3:c0:a7:32:8b:b7:1b:cb:e6:58:16:04:7a:d4:ba:78:ca:52:7c:d2
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            56:30:3d:80:72:ef:02:ac:a1:b3:26:6d:41:cb:31:52:16:5e:6d:bd
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=PLDP Secure Boot Signing Key, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=PLDP Team/emailAddress=firstname.lastname@example.org
        Validity
            Not Before: Jul  8 14:10:27 2013 GMT
            Not After : Jan  7 10:03:42 2027 GMT
        Subject: CN=PLDP Secure Boot Signing Key, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=PLDP Team/emailAddress=email@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a3:f8:f8:b0:4d:2a:00:5c:0a:39:6c:86:87:e6:
                    9c:a7:dd:7b:9a:a4:20:a0:60:50:7b:34:57:0d:7d:
                    2d:03:26:20:9b:28:28:74:f3:7e:55:29:7e:76:4e:
                    12:fc:e4:a1:9c:27:77:4a:9b:25:e2:50:02:bf:0d:
                    53:bd:81:6a:2d:50:19:07:a3:db:c1:86:93:b2:83:
                    25:84:7f:64:47:9e:d4:80:09:16:1c:2f:f7:df:ca:
                    49:74:42:34:66:f5:d5:17:e7:fd:1a:8f:a1:fd:38:
                    8d:25:b0:f2:27:4a:49:1f:5f:4e:04:86:68:72:b5:
                    d2:bc:74:f1:ca:94:1d:52:a0:11:98:d0:44:57:63:
                    f8:26:7d:7a:7b:ed:dc:a2:b0:1d:55:9c:e7:87:1d:
                    69:da:83:a8:72:9d:44:81:b1:e9:d8:52:80:6c:ed:
                    36:58:35:e6:ad:f7:77:25:2c:e5:a2:b0:7d:6c:42:
                    74:b8:04:1e:75:9f:a4:6d:2b:2d:48:ac:0f:02:5d:
                    db:3b:a6:b1:5d:0c:a8:0d:e1:88:a7:1a:51:8d:57:
                    10:c6:70:cf:6b:0b:bc:84:fa:f9:7f:5a:a8:17:60:
                    c2:92:cf:61:aa:f8:7a:cc:be:81:ab:c7:5c:5d:78:
                    d8:57:71:e0:8d:87:ee:82:4e:64:73:ce:1d:16:dd:
                    55:3b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                CE:D5:E2:2B:63:EE:E7:58:A2:E1:66:63:A4:C2:C3:5B:BB:54:E5:4F
            X509v3 Authority Key Identifier:
                keyid:CE:D5:E2:2B:63:EE:E7:58:A2:E1:66:63:A4:C2:C3:5B:BB:54:E5:4F
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
    Signature Algorithm: sha256WithRSAEncryption
         4f:c2:67:c8:80:68:a8:f1:97:38:67:96:1d:ad:26:e6:37:64:
         a3:f3:38:41:e5:a6:bf:d5:f9:97:d5:6b:d2:2b:bd:95:2e:e8:
         68:bb:1c:a4:9f:0a:2a:2f:1b:07:13:c2:32:17:62:8a:1f:5c:
         a9:f3:86:8e:86:71:b1:30:48:89:a0:b4:32:c7:23:a2:31:de:
         8a:7c:c5:af:a8:2b:e0:7e:de:51:82:78:21:d8:ad:a4:db:cf:
         b1:e4:04:0b:83:14:01:2d:86:bb:b5:9c:d9:ec:27:f8:36:8c:
         ed:e8:e9:cc:73:94:6b:eb:d5:ee:dd:57:4d:54:ac:db:0c:8e:
         13:80:7f:d7:4f:52:ba:69:52:6b:2d:ac:ab:7f:9f:e8:ef:e0:
         ec:b5:69:a1:3c:8d:09:92:a4:66:a5:b0:c6:2b:f2:e7:c9:ff:
         d4:a1:2a:41:7c:2f:d9:e9:1f:b3:0c:78:bb:97:8f:30:aa:e2:
         45:7e:82:53:4a:21:0a:d6:8e:76:94:98:10:ec:f8:b0:cd:3d:
         86:23:e6:f1:2e:9a:d6:ea:87:cd:b0:ec:4f:44:ce:e1:42:73:
         6b:b1:73:aa:b3:f0:62:c1:4d:74:bb:0b:f1:2b:be:b5:5f:78:
         c7:a3:85:e1:01:89:0f:09:d3:ec:e0:e8:06:5f:89:c1:40:78:
         54:6d:71:45
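The dmesg and mokutil checks above, together with the taint caveat in the note on the MOK database, can be scripted so that a host can be verified without reading the output by eye. The following is an added example and not part of the SUSE SolidDriver page or its packages: it parses a constructed copy of the page's own dmesg lines offline, compares a certificate fingerprint with the one mokutil printed above, and decodes the unsigned-module taint bit; run with --live on the target system it repeats the same checks against the real dmesg, /proc/sys/kernel/tainted and mokutil. The certificate path /etc/uefi/certs/*.crt is an assumption taken from the page's statement that the package installs the certificate under /etc/uefi/certs.

```shell
#!/bin/sh
# Added example, not part of the SUSE SolidDriver page: confirm that the PLDP
# Secure Boot Signing Key is actually trusted by the running kernel, and that
# no unverifiable module has tainted the kernel.  The identifiers below are
# taken from the dmesg / mokutil output shown on the page.
EXPECTED_SKI="ced5e22b63eee758a2e16663a4c2c35bbb54e54f"   # X509v3 Subject Key Identifier, as dmesg prints it
EXPECTED_FP="f3:c0:a7:32:8b:b7:1b:cb:e6:58:16:04:7a:d4:ba:78:ca:52:7c:d2"  # SHA1 fingerprint from mokutil

# Constructed sample of the page's dmesg lines, so the parsing below runs offline.
SAMPLE_DMESG=$(cat <<'EOF'
[    3.155012] Loaded UEFI:db cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f' linked to secondary sys keyring
[    3.155310] Loaded UEFI:MokListRT cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f' linked to secondary sys keyring
[    3.155556] Loaded UEFI:MokListRT cert 'SUSE Linux Products GmbH: PLDP Secure Boot Signing Key: ced5e22b63eee758a2e16663a4c2c35bbb54e54f' linked to secondary sys keyring
EOF
)

# key_sources DMESG_TEXT: print one line per UEFI store (db, MokListRT, ...) from
# which the kernel reports having loaded the certificate with EXPECTED_SKI.
key_sources() {
    printf '%s\n' "$1" \
      | sed -n "s/.*Loaded UEFI:\([A-Za-z]*\) cert '[^']*: ${EXPECTED_SKI}'.*/\1/p"
}

# key_trusted DMESG_TEXT: succeed only if the key is linked to a kernel keyring.
key_trusted() {
    [ -n "$(key_sources "$1")" ]
}

# fingerprint_ok STRING: accept "SHA1 Fingerprint=F3:C0:..." as printed by
# `openssl x509 -fingerprint -sha1`, or a bare colon-separated fingerprint in
# either case, and compare it with the page's value.
fingerprint_ok() {
    fp=$(printf '%s\n' "$1" | sed 's/^.*=//' | tr 'A-Z' 'a-z')
    [ "$fp" = "$EXPECTED_FP" ]
}

# taint_unsigned_module VALUE: VALUE is the integer read from
# /proc/sys/kernel/tainted; bit 13 (flag 'E') is set once a module whose
# signature the kernel could not verify has been loaded.
taint_unsigned_module() {
    [ $(( ($1 >> 13) & 1 )) -eq 1 ]
}

# Live checks: run as root with --live on the SUSE system being verified.
if [ "${1:-}" = "--live" ]; then
    echo "Secure Boot: $(mokutil --sb-state 2>&1)"
    live_dmesg=$(dmesg)
    if key_trusted "$live_dmesg"; then
        echo "PLDP key trusted by the kernel, loaded from: $(key_sources "$live_dmesg" | sort -u | tr '\n' ' ')"
    else
        echo "PLDP key NOT linked to a kernel keyring; enrollment did not complete" >&2
        exit 1
    fi
    if taint_unsigned_module "$(cat /proc/sys/kernel/tainted)"; then
        echo "kernel is tainted by an unverifiable module:" >&2
        printf '%s\n' "$live_dmesg" | grep 'module verification failed' >&2
    fi
    # Assumed location of the package-installed certificate (see lead-in);
    # try DER first, then PEM, and ask mokutil whether that exact key is enrolled.
    for f in /etc/uefi/certs/*.crt; do
        [ -f "$f" ] || continue
        fp=$(openssl x509 -inform DER -in "$f" -noout -fingerprint -sha1 2>/dev/null \
             || openssl x509 -in "$f" -noout -fingerprint -sha1)
        if fingerprint_ok "$fp"; then
            echo "$f is the PLDP certificate; MOK status: $(mokutil --test-key "$f" 2>&1)"
        fi
    done
fi
```

The script treats "key present in MokListRT" and "kernel not tainted" as two separate results on purpose: a key enrolled in MOK is only loaded under Secure Boot, so a host booted without Secure Boot can show the PLDP module loaded and the taint bit set even though the enrollment itself succeeded.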
Removing the certificate is a similar process to installing it. To remove the certificate from the system, remove the package using zypper or YaST and then reboot the system. At the system console the following UEFI prompt will be displayed:
Shim UEFI key management
  Continue Boot
_ Delete MOK
  Enroll key from disk
  Enroll hash from disk
Move the cursor to Delete MOK and press Enter.
[Delete MOK]
Input the key number to show the details of the key or type '0' to continue
1 keys(s) in the key list
Type 1 and Enter to view the key details; after confirming that the details match the key to be deleted, type 0 and Enter.
Delete the key(s)? (y/n):
Type y and Enter to delete the key.
Enter the root password of the SUSE Linux Enterprise OS that the Secure Boot certificate package was removed from.
Press a key to reboot the system.
Now the key should be removed from the MOK database.
The following video is a demonstration of using the mokutil package to manage the Machine Owner Keys.
MOK Blacklist (MOKx)
Note: The MOK Blacklist functionality is only supported in SUSE Linux Enterprise Server/Desktop 12 and later.
The MOK blacklist allows the user to forbid particular kernel modules from being loaded, identified by the public key that signed the module.
Usage of the MOK blacklist is similar to the MOK itself. Just add -X to the mokutil command to indicate that the request targets the MOK blacklist (MOKX).
To add a key:
- Create the request with mokutil and type a password (or use the root password with -P)
# mokutil -X --import <key>
Reboot the system and enter the MokManager UI. Select Enroll MOKX and type the password. MokManager will reboot the system again.
Boot the system and check the MOK blacklist with mokutil:
# mokutil -X --list-enrolled