[CentOS-devel] testing SecureBoot

Sun Jun 22 23:04:13 UTC 2014
Anssi Johansson <centos at miuku.net>

On 23.6.2014 1:01, Akemi Yagi wrote:
> On Sun, Jun 22, 2014 at 2:48 PM, Anssi Johansson <centos at miuku.net> wrote:
>> I'm currently testing this boot.iso from the secureboot directory:
>> 362807296 Jun 21 00:59 /tmp/boot.iso
>
>> When I enter the boot menu with F12 and select my USB stick, I get a
>> nasty "Invalid signature detected. Check Secure Boot Policy in Setup".
>> RHEL7rc1 doesn't boot with these settings either. Disabling Secure Boot
>> lets me boot from the USB stick, and the media check passes. Please advise.
>
> How did you write to the USB stick? By using the dd command?
>
> Just to be sure, the boot.iso file that worked for me has this hash value:
>
> $ sha256sum boot.iso
> 4860e0deb8d8b6b02ce644bae208fc6973d94155beaa0885b8f865303d730067  boot.iso

Yes, that's what I have, and I indeed dd'ed it to the USB stick.

I now changed the Secure Boot Mode from Standard to Custom, and changed 
Default Key Provisioning from Enabled to Disabled. That gave me an 
option to Clear Secure Boot keys, which I did.

A consequence of that was that the System Boot State changed from User 
to Setup, and Secure Boot Mode State changed to Disabled. Secure Boot 
was still left Enabled.

THIS setting allowed me to boot from the USB sticks (C7 secureboot and 
RHEL7rc1). Perhaps this is actually the way it's supposed to work.

I have now successfully installed C7 on that system with Secure Boot 
enabled, and the system boots afterwards with Secure Boot still enabled.

Apologies for the noise, but perhaps this info is useful for someone who 
stumbles on this same problem.
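
Added example (not part of the original message): a check, run from the installed Linux system, of the state the firmware reports after a change like the one described above. It reads the standard UEFI variables SecureBoot and SetupMode from efivarfs; the function names and the optional directory argument are assumptions of this sketch. In Setup Mode no Platform Key is enrolled and the firmware does not enforce signature checks.

```shell
#!/bin/sh
# Added example: classify the firmware Secure Boot state from efivarfs.
# GUID of the EFI global variable namespace (UEFI specification).
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the one-byte value of an efivarfs variable, or "missing".
# Each efivarfs file is a 4-byte attribute header followed by the data,
# so the value is the fifth byte.
efi_byte() {
    # $1 = efivars directory, $2 = variable name
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || { echo missing; return 0; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# Print one of: enforcing, setup-mode, disabled, not-uefi
sb_state() {
    # Hypothetical optional argument: alternate efivars directory (for tests).
    dir="${1:-/sys/firmware/efi/efivars}"
    [ -d "$dir" ] || { echo not-uefi; return 0; }
    secure=$(efi_byte "$dir" SecureBoot)
    setup=$(efi_byte "$dir" SetupMode)
    if [ "$setup" = 1 ]; then
        # No Platform Key enrolled: images are not verified, whatever
        # the "Secure Boot: Enabled" item in the setup menu shows.
        echo setup-mode
    elif [ "$secure" = 1 ]; then
        echo enforcing
    else
        echo disabled
    fi
}

# Report the state of the machine this runs on.
sb_state "$@"
```

A result of "enforcing" means SetupMode is 0 and SecureBoot is 1, i.e. keys are enrolled and the firmware verifies what it boots.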