Secure Boot uses Unified Extensible Firmware Interface (UEFI) technology to verify the
integrity of the boot process. The firmware validates each component in the boot chain and allows
execution only when a trusted key signs the code. When the system detects tampering or an unsigned
component, it stops the boot process.
About this task
Secure Boot blocks unsigned kernel modules. To load custom kernels or kernel modules, you must
create a signing key and enroll the corresponding public certificate in the Machine Owner Key (MOK)
database. After enrollment, the system trusts kernel modules that are signed with the private key.
For more information, see Create an X.509 public and private key pair to sign custom kernel
modules.
The following procedure enables Secure Boot, prepares signing material, enrolls trust keys on
target nodes, and validates the configuration.
Procedure
- Run the following commands to verify whether Secure Boot is enabled on the nodes:
    oc debug node/<node>
    chroot /host
    mokutil --sb-state
  Note: All worker nodes in the cluster must have Secure Boot enabled.
- Create an X.509 public and private key pair to sign kernel modules.
  Note: Run the following commands on a RHEL workstation. Generate the key pair once for every OpenShift® cluster.
  - Install the required tools:
      sudo dnf install -y pesign mokutil openssl
  - Generate a self-signed key pair:
      sudo efikeygen --dbdir /etc/pki/pesign --self-sign --module --common-name "CN=KMM SecureBoot Key,O=MyOrg" --nickname "kmm_sb_key"
  - Verify that the key is created:
      sudo certutil -L -d /etc/pki/pesign
    The output must include kmm_sb_key.
  - Export the certificate in PEM format:
      certutil -d /etc/pki/pesign -n 'kmm_sb_key' -Lr > sb_cert.cer
  - Export the private key in PKCS#12 format:
      pk12util -o sb_cert.p12 -n 'kmm_sb_key' -d /etc/pki/pesign
  - Extract the private key in PEM format:
      openssl pkcs12 -in sb_cert.p12 -out sb_cert.priv -nocerts -nodes
    The -nodes option writes the private key without a passphrase, so restrict access to sb_cert.priv: anyone who holds it can sign modules that every enrolled node trusts.
  - Convert the PEM certificate to DER format for MOK import:
      openssl x509 -in sb_cert.cer -outform DER -out sb_cert.der
- Copy the DER certificate to each node where Secure Boot is enabled, for example:
    scp sb_cert.der core@worker0.ocp1.vmlocal:/home/core/
- Import the certificate with the MOK utility (mokutil).
  - Open a debug session to the node:
      oc debug node/<node>
  - Change the root directory to the host file system:
      chroot /host
  - Import the certificate:
      sudo mokutil --import /home/core/sb_cert.der
  - Enter a password when prompted.
    Remember: Save this password. The MOK manager asks for it during key enrollment after the reboot.
  - Restart the node:
      systemctl reboot
    Note: You must have console access to the server before the reboot. During the reboot, the BIOS prompts you to manually accept the new key. Accept the key when prompted.
- Enter the MOK manager and enroll the key.
Note: Enroll the key on all nodes that are part of IBM Fusion Access.
- Verify that the system enrolled the MOK successfully after the node starts.
  - Start a debug session on the node:
      oc debug node/<node>
  - Change the root directory:
      chroot /host
  - List enrolled MOK keys:
      mokutil --list-enrolled
  - Verify the platform key ring:
      keyctl list %:.platform
    The output includes the Secure Boot signing key.
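Reading the enrolled list by eye is error-prone when several keys are present. The following POSIX shell script is an added example, not part of the IBM documentation: it checks the Secure Boot state and confirms that the fingerprint of the DER certificate you imported appears in `mokutil --list-enrolled`. The function names are my own, the sample mokutil output is constructed, and the live check assumes it runs inside `oc debug node/<node>` after `chroot /host`.

```shell
#!/bin/sh
# Added example (not from the IBM Fusion Access documentation): confirm that the
# node's MOK list contains the imported certificate by matching its SHA1
# fingerprint against `mokutil --list-enrolled` output. Function names are mine.

# mokutil --list-enrolled prints one "[key N]" block per enrolled key, each with a
# "SHA1 Fingerprint: xx:xx:..." line. Emit those fingerprints, lowercased, one per line.
mok_fingerprints() {
    sed -n 's/^SHA1 Fingerprint:[[:space:]]*//p' | tr 'A-F' 'a-f'
}

# Succeed (exit 0) when the fingerprint in $1 is present in the mokutil output on stdin.
mok_has_fingerprint() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    mok_fingerprints | grep -qxF "$want"
}

# On a node: check the Secure Boot state, compute the fingerprint of the DER
# certificate in $1 and verify it is enrolled in the MOK list.
verify_node_trust() {
    der="$1"
    mokutil --sb-state | grep -q 'SecureBoot enabled' || { echo "Secure Boot is not enabled"; return 1; }
    fp=$(openssl x509 -inform DER -in "$der" -noout -fingerprint -sha1 | sed 's/^.*=//')
    if mokutil --list-enrolled | mok_has_fingerprint "$fp"; then
        echo "MOK enrolled: $fp"
    else
        echo "certificate $der is NOT in the MOK list (was it accepted in the MOK manager?)"
        return 1
    fi
}

# Constructed sample of mokutil --list-enrolled output (fingerprints are made up).
SAMPLE_MOK_LIST='[key 1]
SHA1 Fingerprint: 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44
Certificate:
[key 2]
SHA1 Fingerprint: de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef
Certificate:'

# Run the live check only when a certificate path is given, for example:
#   sh verify_mok.sh /home/core/sb_cert.der
if [ $# -gt 0 ]; then
    verify_node_trust "$1"
fi
```

Run it on every worker node after the reboot; a non-zero exit means the key was imported but not accepted in the MOK manager, or Secure Boot is off on that node.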
Results
The environment runs with UEFI Secure Boot enabled.
What to do next
After Secure Boot is enabled, follow these steps to use the enrolled signing key and load kernel modules without interruption:
- Create the ibm-fusion-access namespace:
    oc create ns ibm-fusion-access
  Note: This command is allowed to fail if the ibm-fusion-access namespace already exists.
- Create the following secrets:
  - Private key
      oc create secret generic secureboot-signing-key \
        -n ibm-fusion-access \
        --from-file=key=sb_cert.priv
  - Public key
      oc create secret generic secureboot-signing-key-pub \
        -n ibm-fusion-access \
        --from-file=cert=sb_cert.der
- Create the FusionAccess custom resource. For more information, see Creating the FusionAccess custom resource (CR).