Configuring UEFI Secure Boot in RHEL (CentOS)

DataControl Policy Agent provides helper scripts to facilitate driver signing based on the Machine Owner Key (MOK) facility provided by Red Hat. For more information on MOK, see Signing Kernel Modules for Secure Boot. The helper script is located at /opt/hcs/bin/htdrv and helps the administrator sign the online encryption driver, htcrypt. The htcrypt driver needs to be signed when it is built for the first time or when it is rebuilt after installing a new Linux kernel.

To sign a driver as part of the MOK facility, you must create an Entrust driver signing key and register it with the MOK database, then perform a virtual machine reboot. We recommend that you use a password for the Entrust signing key.

Before You Begin

Procedure

  1. Log into the VM as root.
  2. Run the htdrv secure-boot command as follows:

    [root@uefi-rhel8 ~]# htdrv secure-boot
    Preparing system for signing HyTrust online encryption driver with Machine owner key (MOK)
    
    Creating HyTrust signing key for UEFI secure boot
    
    The signing key can, optionally, be protected with a PEM pass phrase
    If the signing key is protected with PEM pass phrase then the driver can not be automatically signed
    The new driver is created when the online driver RPM is installed, or a new kernel is installed on the system
    If signing key is PEM pass phrase protected then administrator has to manually sign the htcrypt driver
    every time that the new driver module is built. This can be done using command "htdrv sign"
    
    Please refer the Admin Guide for details
    
    Do you want to proceed without PEM pass phrase? (yes/no) no
    
    Generating a RSA private key
    ...................++++
    ...............................................................++++
    writing new private key to '/opt/hcs/etc/htsecboot.priv'
    Enter PEM pass phrase: #############
    Verifying - Enter PEM pass phrase: #############
    -----
    
    Successfully created HyTrust signing key
    
    We need to enroll HyTrust signing key to Machine owner key (MOK) list
    The system will have to be rebooted for this operation
    
    Plese enter a "One Time use Password (OTP)" for MOK enrollment request
    input password: #############
    input password again: #############
    
    The system will be rebooted to complete MOK enrollment request
    
    Please make sure that you are in hold of active system console, before proceeding to reboot
    Enter the password at the system console when asked
    
    Press Enter to reboot 
    Rebooting...
  3. Quickly access the VM system console to use the MOK database enrollment screen. The MOK database enrollment screen is only available for approximately 10 seconds after the reboot. If you miss the screen, you can run the htdrv secure-boot command again.
  4. On the main screen, press any key to enter the MOK database enrollment screen.
  5. Select Enroll MOK.
  6. Select Yes.
  7. Run the following command again to ensure that the Entrust signing key has been successfully created and enrolled in the MOK database:

    [root@uefi-rhel8 ~]# htdrv secure-boot
    Preparing system for signing HyTrust online encryption driver with Machine owner key (MOK)
    
    HyTrust signing key already present on the system
    
    HyTrust signing key already enrolled in Machine owner key (MOK) list
  8. Run the htdrv sign command to sign the driver. If you entered a password for the Entrust signing key, you have to enter that same password twice. The signing key is located at /opt/hcs/etc/htsecboot.priv.

    # htdrv sign
    Signing HyTrust online encryption driver with Machine owner key (MOK)
    
    Please give Machine Owner Key's passphrase for HyTrust signing key: #############
    Enter pass phrase for /opt/hcs/etc/htsecboot.priv: #############
    Successfully signed /lib/modules/3.10.0-1062.12.1.el7.x86_64/extra/htcrypt.ko with HyTrust signing key
    Rebuilding initrd

    If you did not enter a password for the Entrust signing key when you ran the htdrv secure-boot command, the pass phrase is supplied internally: you will not be prompted for any passwords, and you will not need to run this command again after the initial configuration.

    Otherwise, you will need to run the htdrv sign command to re-sign the driver at the following times:

    • When the DataControl Policy Agent is upgraded.
    • When the Red Hat/CentOS kernel is upgraded.
  9. Run the following command to check the status of the htcrypt driver:

    [root@uefi-rhel8 ~]# htdrv status
    --------------------------------------------------------------------
    HyTrust online encryption driver status
    --------------------------------------------------------------------
    Name        : htcrypt
    Version     : 5.1
    Release     : 510001412
    Architecture: noarch
    Install Date: Thu 26 Dec 2019 03:23:42 AM EST
    Group       : System/Kernel
    Size        : 99657
    License     : GPLv2
    Signature   : DSA/SHA1, Tue 24 Dec 2019 09:49:45 PM EST, Key ID 4a1ed78762b480bf
    Source RPM  : htcrypt-5.1-510001412.src.rpm
    Build Date  : Tue 24 Dec 2019 09:43:57 PM EST
    Build Host  : htcrypt-centos7.dc.hytrust.com
    Relocations : (not relocatable)
    Packager    : HYTRUST <htdc-devel@hytrust.com>
    Summary     : htcrypt 5.1 dkms package
    Description :
    Kernel modules for htcrypt 5.1 in a DKMS wrapper.
    
    >>> htcrypt driver is installed on this VM
    
    --------------------------------------------------------------------
    UEFI Secure boot status
    --------------------------------------------------------------------
    This system is setup with UEFI boot
    Secure boot option is only supported with UEFI boot
    SecureBoot enabled
    HyTrust signing key is present on the system
    HyTrust signing key is enrolled in Machine owner key (MOK) list
    

Note: If you want to delete the Entrust signing key, log into the VM as root and run htdrv secure-boot cleanup. This will remove the signing key from MOK as well as delete the signing key file.