How to ELevate CentOS 7 with Secure Boot and AlmaLinux MOK #287

Open
wants to merge 2 commits into
base: master
37 changes: 37 additions & 0 deletions docs/elevate/ELevate-quickstart-guide.md
Expand Up @@ -85,6 +85,43 @@ sudo reboot
* A new entry in GRUB called `ELevate-Upgrade-Initramfs` will appear. The system will be automatically booted into it.
See how the update process goes in the console.

**NOTE**: If you're upgrading a CentOS 7 system installed in UEFI mode rather than legacy BIOS mode and Secure Boot is enabled, you may want to disable it - otherwise the upgrade process will not be able to proceed.

However, there maybe cases where disabling Secure Boot is not possible. For such cases we'll add AlmaLinux Secure Boot CA certificate to the Machine Owner Key List (MokList in short). Let's do so.

* Download the AlmaLinux Secure Boot CA certificate.

```
wget https://git.almalinux.org/rpms/shim/raw/branch/a8_new_sb/SOURCES/almalinuxsecurebootca0.cer
```

* Import the certificate to the MokList.

```
sudo mokutil --import almalinuxsecurebootca0.cer
import password: password
import password again: password
```

* Reboot the machine.

```
sudo reboot
```

* Once rebooted, a prompt with the message *Press any key to perform MOK management* will appear. Press one of them - e.g. the Enter key.

* A menu will appear, allowing you to enroll AlmaLinux' certificate by choosing the *Enroll MOK* option.

* Next, a menu will allow you to *View key 0* or *Continue*. You may choose *View key 0* to verify that the CA certificate is correct indeed. Then choose the *Continue* option.

* Another prompt will appear, asking you: *Enroll the key(s)?* - choose *Yes*.

* A window will then pop-up, asking for the password specified during the certificate import procedure. Type it - in our case it was simply: *password*.

* Once the next menu pops-up, we can use the *Reboot* option.
From now on you can carry on with the ELevate upgrade procedure.

* After reboot, login to the system and check how the migration went. Verify that the current OS is the one you need. Check logs and packages left from previous OS version, consider removing them or update manually.
```
cat /etc/redhat-release
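
Review bot: The Secure Boot NOTE and the MOK enrollment steps land after the `sudo reboot` that boots into `ELevate-Upgrade-Initramfs`, so a reader working top to bottom only reaches them once the upgrade reboot has already happened; the closing line "From now on you can carry on with the ELevate upgrade procedure" shows they belong before that step. Move the block ahead of the upgrade reboot, ideally opening with a `mokutil --sb-state` check so readers know whether it applies to them. Separately, the certificate fetched with `wget` is enrolled as a boot trust anchor with no integrity check: the *View key 0* step says to verify the CA certificate "is correct indeed" but gives nothing to compare against, so the guide should publish the expected SHA-256 fingerprint and make the comparison a required step before `mokutil --import` rather than an optional one at the MOK menu. The literal `password` in the import transcript should be described as a one-time value the reader chooses, and "there maybe cases" should read "there may be cases".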