Secure Boot

Red Hat 8 and CentOS 8 support secure boot to prevent unauthorized kernel modules from being loaded. The Blueworx DTNA, shipped as part of the Blueworx BVR, is not a recognized (signed) kernel module. If secure boot is enabled the kernel will refuse to load the DTNA, which will cause BVR to fail to start. Generally stand-alone (physical) machines will have secure boot enabled and virtual machines/instances will have secure boot disabled.

The first step is to establish whether secure boot is enabled, using the Machine Owner Key utility (mokutil).

To install mokutil use:

To check if secure boot is enabled use:

If the command returns "SecureBoot enabled" then follow the instructions below, otherwise nothing else is required.

Enrolling the DTNA secure key

Before the Linux kernel will allow the Blueworx DTNA kernel module to be loaded, a key must be staged for the boot loader. Once the machine is rebooted the key has to be confirmed, after which it is enrolled and trusted by the kernel.

To enroll the key use:

This will prompt for a password. It can be anything and is only used to confirm the enrollment at boot time. For example, using the password mypassword:

input password: mypassword
input password again: mypassword

The next step is to reboot to complete the enrollment procedure:

MOK management occurs at boot time, before the Linux kernel has been started, so a direct console connection or virtual console is required; it is not possible to ssh into the machine at this point. Once the Shim UEFI key management screen appears, a key must be pressed to enter MOK management. If this opportunity is missed, the key must be imported again (once Linux has booted up) using the instructions above and the machine rebooted.



Once MOK management has been entered the Enroll MOK option should be taken.



Then select Continue.



Then select Yes on the Enroll the key(s)? page.



After this the password that was used during the import must be entered, for example mypassword.



Finally select Reboot and the machine will restart with the key enrolled.



Checking the key is enrolled

To check that the key has been successfully enrolled, the following command can be used:

For a correctly enrolled key the output will include:

Issuer: C=US, ST=Tulsa, O=Blueworx, CN=www.blueworx.com/emailAddress=info@blueworx.com
Subject: C=US, ST=Tulsa, O=Blueworx, CN=www.blueworx.com/emailAddress=info@blueworx.com
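The secure boot check at the start of this page and the enrollment check just above can be combined into one host check that reports whether DTNA enrollment is still outstanding. This is an added example, not a Blueworx script: it assumes mokutil is installed, that the DTNA key's Subject contains O=Blueworx (as in the output above), and that the live check is requested with a hypothetical --live argument.

```bash
#!/bin/sh
# Added example (not Blueworx tooling). Classifies a RHEL/CentOS 8 host as
#   not-required        - secure boot is off, the DTNA module loads as-is
#   enrolled            - secure boot is on and the Blueworx MOK is present
#   enrollment-required - secure boot is on and the MOK is missing (BVR will fail)
# Assumption: the DTNA signing certificate's Subject contains O=Blueworx.
KEY_SUBJECT_PATTERN='O=Blueworx'

# sb_enabled "<output of mokutil --sb-state>" -> 0 when secure boot is enabled
sb_enabled() {
    case "$1" in
        *"SecureBoot enabled"*) return 0 ;;
        *) return 1 ;;   # "SecureBoot disabled" or "doesn't support Secure Boot"
    esac
}

# key_enrolled "<output of mokutil --list-enrolled>" -> 0 when the MOK is present.
# Only the Subject line is matched, so a foreign key with a Blueworx Issuer
# string elsewhere does not count as enrolled.
key_enrolled() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*Subject:.*$KEY_SUBJECT_PATTERN"
}

# dtna_status "<sb-state output>" "<list-enrolled output>" -> prints the class
dtna_status() {
    if ! sb_enabled "$1"; then
        echo not-required
    elif key_enrolled "$2"; then
        echo enrolled
    else
        echo enrollment-required
    fi
}

# Constructed sample outputs (not captured from a real host) for offline use.
SAMPLE_SB_ON='SecureBoot enabled'
SAMPLE_ENROLLED='[key 1]
Issuer: C=US, ST=Tulsa, O=Blueworx, CN=www.blueworx.com/emailAddress=info@blueworx.com
Subject: C=US, ST=Tulsa, O=Blueworx, CN=www.blueworx.com/emailAddress=info@blueworx.com'

# demo -> status for the constructed samples (enrolled)
demo() { dtna_status "$SAMPLE_SB_ON" "$SAMPLE_ENROLLED"; }

# Live check against this host; --live is a hypothetical flag of this script.
if [ "${1:-}" = "--live" ]; then
    command -v mokutil >/dev/null 2>&1 || { echo "mokutil not installed" >&2; exit 2; }
    dtna_status "$(mokutil --sb-state 2>/dev/null)" "$(mokutil --list-enrolled 2>/dev/null)"
fi
```

Run it with --live after installing mokutil; the reboot-time MOK prompt described above is still needed, this only tells you whether that step is outstanding.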