Secure Boot
In less than 48 hours from RHEL-8.5 being released, we had successful tests on our ISOs and just before we were about to pull the string to go GA with 8.5, Microsoft countersigned our Secure Boot shim. We quickly deliberated and decided to backtrack and incorporate that into the 8.5 release.
There were some things that we had to get in order and resolved, but it is with great pleasure that this release includes the official Rocky Linux signed shim. Here is the full thread to the shim review: Shim 15.4 for Rocky Linux 8 · Issue #194 · rhboot/shim-review · GitHub
As with any security-related diligence, it is important to be able to validate that the Secure Boot shim is exactly what you expect and that it is properly activated. After installing Rocky Linux 8.5, please log in and run these commands to validate our Secure Boot shim:
$ sudo dnf install -y keyutils
$ sudo keyctl show %:.platform
$ sudo mokutil --sb
These commands should produce output similar to the following:
[user@localhost ~]# sudo keyctl show %:.platform
Keyring
600127374 ---lswrv 0 0 keyring: .platform
659510804 ---lswrv 0 0 \\_ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
716742579 ---lswrv 0 0 \\_ asymmetric: Rocky Enterprise Software Foundation: Rocky Linux Secure Boot Root CA: 4c2c6bd7d64ee81581cab8e986661f65e2166fc4
346375346 ---lswrv 0 0 \\_ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
[user@localhost ~]# sudo mokutil --sb
SecureBoot enabled
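
The check above can be scripted so it fails when the Rocky key is missing from the `.platform` keyring or Secure Boot is not enforcing. This is an added example, not Rocky Linux project code: the function names are hypothetical, the expected key description and ID are copied from the sample output above, and treating any `mokutil --sb` line containing "disabled" as a failure is an assumption about how a non-enforcing state is reported.

```sh
# Added example. Expected values are copied from the sample output on this page.
ROCKY_CA_DESC='Rocky Enterprise Software Foundation: Rocky Linux Secure Boot Root CA'
ROCKY_CA_ID='4c2c6bd7d64ee81581cab8e986661f65e2166fc4'

# platform_has_key DESC ID: reads a `keyctl show %:.platform` listing on stdin and
# succeeds only if one asymmetric key line carries both the description and the ID.
platform_has_key() {
    while IFS= read -r _line; do
        case $_line in
            *"asymmetric: $1: $2"*) return 0 ;;
        esac
    done
    return 1
}

# secure_boot_enabled: reads `mokutil --sb` output on stdin. Requires the exact
# "SecureBoot enabled" line and fails on any line that mentions "disabled".
secure_boot_enabled() {
    _seen=1
    while IFS= read -r _line; do
        case $_line in
            *disabled*) return 1 ;;
            "SecureBoot enabled") _seen=0 ;;
        esac
    done
    return "$_seen"
}

# verify_secure_boot KEYRING_TEXT MOKUTIL_TEXT: both checks must pass.
verify_secure_boot() {
    printf '%s\n' "$1" | platform_has_key "$ROCKY_CA_DESC" "$ROCKY_CA_ID" || return 1
    printf '%s\n' "$2" | secure_boot_enabled || return 1
    return 0
}

# Sample input, abbreviated from the output shown on this page.
SAMPLE_KEYRING='Keyring
600127374 ---lswrv 0 0 keyring: .platform
716742579 ---lswrv 0 0 \\_ asymmetric: Rocky Enterprise Software Foundation: Rocky Linux Secure Boot Root CA: 4c2c6bd7d64ee81581cab8e986661f65e2166fc4'
SAMPLE_MOKUTIL='SecureBoot enabled'

if verify_secure_boot "$SAMPLE_KEYRING" "$SAMPLE_MOKUTIL"; then
    echo "PASS: Rocky CA on .platform keyring and Secure Boot enabled"
else
    echo "FAIL: Secure Boot validation failed"
fi
# On a live host: verify_secure_boot "$(sudo keyctl show %:.platform)" "$(sudo mokutil --sb)"
```

Matching on the key ID as well as the description matters because the description is only a certificate subject string; the ID is what ties the keyring entry to the specific key shown above.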