Bug 1362681 - grubx64.efi in grub2-efi-2.02-0.41.el7.x86_64 is signed with Red Hat test key
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: grub2
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Peter Jones
QA Contact: Release Test Team
Depends On:
Reported: 2016-08-02 20:45 UTC by Lenny Szubowicz
Modified: 2019-03-29 08:06 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:

Description Lenny Szubowicz 2016-08-02 20:45:42 UTC
Description of problem:

grubx64.efi is signed with a Red Hat Test key

[root@intel-s1200v3rps-01 ~]# pesign -v -S -i /boot/efi/EFI/redhat/grubx64.efi
certificate address is 0x7f63b7aab608
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
Signing time: Wed Jul 13, 2016
There were certs or crls included.

This adds unnecessary extra steps for anyone wanting to test RHEL 7.3 Beta with UEFI Secure Boot enabled.

grubx64.efi and gcdx64.efi should be signed with the same Red Hat Beta key that's used for the kernel. The RHEL 7.3 Beta Release Notes are expected to include information on how to enroll the Red Hat Beta Public key for use with UEFI Secure Boot.

Version-Release number of selected component (if applicable):


How reproducible: Always when UEFI Secure Boot is enabled

Steps to Reproduce:

1. Install any recent RHEL 7.3 nightly build which includes this
   grub2-efi rpm.
2. Enroll the Red Hat Beta key via MOK
3. Enable UEFI Secure Boot
4. On reboot, shim.efi will fail to authenticate grubx64.efi

Comment 2 Lenny Szubowicz 2016-08-23 16:44:03 UTC
To enable UEFI Secure Boot authentication of the grubx64.efi in RHEL 7.3 Beta:

1. Get a key db with the Red Hat Test CA public key.

   # yum install pesign

   Note that this is in the optional repo and you may need to enable it.

2. Make sure the required utility certutil is available.

   # yum install nss-tools

3. Extract the Red Hat Test CA public key.

   # certutil -d /etc/pki/pesign/ -L -n "Red Hat Test CA" -r > RedHatTestCA.cer

4. Request enrollment of the Red Hat Test CA public key into MOK

   # mokutil --import RedHatTestCA.cer

To save steps and time, you can just propagate the RedHatTestCA.cer file to other systems and just perform step 4.

Note that during Beta the RHEL kernel is signed with a different key. You also have to enroll that key via MOK.

1. # yum install kernel-doc

2. # kr=$(uname -r)
   # mokutil --import /usr/share/doc/kernel-keys/${kr%.$(uname -p)}/kernel-signing-ca.cer
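
Added example, not part of the original report or of any Red Hat tooling: a small shell audit that parses the `pesign -v -S` output format quoted in the description and flags any EFI binary whose signer is "Red Hat Test Certificate", so it is clear which keys must be enrolled before enabling Secure Boot. The function names and verdict labels are assumptions made for this illustration; the sample input is the output shown in the report.

```shell
#!/bin/sh
# Added example: flag EFI binaries signed with the test certificate.
TEST_CN="Red Hat Test Certificate"   # signer name shown in the report

# Print every signer common name found in `pesign -v -S` output on stdin.
signer_cn() {
    sed -n "s/^The signer's common name is //p"
}

# audit_output LABEL: read pesign output on stdin, print LABEL, verdict, signers.
# Verdict labels (TEST-KEY, OTHER, NO-SIGNER) are this example's own.
audit_output() {
    cns=$(signer_cn)
    if [ -z "$cns" ]; then
        verdict=NO-SIGNER
    elif printf '%s\n' "$cns" | grep -Fxq "$TEST_CN"; then
        verdict=TEST-KEY
    else
        verdict=OTHER
    fi
    printf '%s\t%s\t%s\n' "$1" "$verdict" "$(printf '%s\n' "$cns" | paste -sd, -)"
}

# audit_dir [DIR]: check every .efi file in DIR (needs pesign; run as root,
# as in the report). Not called here so the example runs without pesign.
audit_dir() {
    for f in "${1:-/boot/efi/EFI/redhat}"/*.efi; do
        [ -e "$f" ] || continue
        pesign -v -S -i "$f" 2>/dev/null | audit_output "$f"
    done
}

# Sample input: the pesign output quoted in the description above.
SAMPLE="certificate address is 0x7f63b7aab608
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
Signing time: Wed Jul 13, 2016
There were certs or crls included."

printf '%s\n' "$SAMPLE" | audit_output /boot/efi/EFI/redhat/grubx64.efi
```

On an installed system, calling `audit_dir` with no argument checks every `.efi` file under /boot/efi/EFI/redhat.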

