Updating a Secure Boot enabled system

Edit online
Starting with QRadar® 7.5.0 Update Package 6 (UP6) the kernel modules contained in the SFS are signed using a new certificate. Therefore, any EFI firmware host with Secure Boot enabled that is patched to UP6 or later fails to load the new kernel modules due to the missing public key on the system keyring and might cause the host to become unresponsive. To avoid this problem, you must import the IBM public key contained on the SFS into the system keyring before patching.

Before you begin

On the console download and mount the SFS to the patching mount point. For example, /media/updates.

About this task

The IBM public key is available on the root of the SFS, using the above mount point the path would be: /media/updates/ibm_public_key.cer.

Procedure

  1. Import and enroll the key on the console by completing the following steps:
    1. Import the public key by using the command: mokutil --import /media/updates/ibm_public_key.cer.
      You are required to enter a password to be used during the MOK manager phase.

      When prompted, enter and reenter a password. This password is used during the MOK manager screens when the system is rebooted.

    2. From the console terminal, do not use an SSH session, reboot the host. During the boot the MOK manager window appears, you have only10 seconds to press a key to enter the MOK manager. If the MOK manager window disappears without enrolling the key the system continues to boot and the public key is not enrolled into the system keyring and you must begin this procedure again to import and reboot. See Importing and Enrolling the public key section for details on the MOK manager screen.
    3. After enrolling the public key the system continues the boot process. Once the system is ready you can verify the key is enrolled, see Step 3 of Enabling secure boot.
  2. To import and enroll the key on the rest of your deployment complete the following steps:
    1. From the console copy the public key to all hosts in the deployment using all_servers: 
      /opt/qradar/support/all_servers.sh -Ckp /media/updates/ibm_public_key.cer
      The key is stored on each host under the path: /storetmp/ibm_public_key.cer.
    2. Use SSH to import the key to be enrolled using the command: 
      mokutil --import /storetmp/ibm_public_key.cer
    3. Once the key is imported follow the steps 1.b and 1.c.