From 511a0918c4139817e62994e1cf8c226446997d14 Mon Sep 17 00:00:00 2001 From: Kamil Aronowski Date: Sun, 23 Jul 2023 19:13:56 +0200 Subject: [PATCH 1/2] How to ELevate CentOS 7 with Secure Boot and AlmaLinux MOK Signed-off-by: Kamil Aronowski --- docs/elevate/ELevate-quickstart-guide.md | 36 ++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/docs/elevate/ELevate-quickstart-guide.md b/docs/elevate/ELevate-quickstart-guide.md index c47aa6799..f97988d97 100644 --- a/docs/elevate/ELevate-quickstart-guide.md +++ b/docs/elevate/ELevate-quickstart-guide.md 
@@ -85,6 +85,42 @@ sudo reboot * A new entry in GRUB called `ELevate-Upgrade-Initramfs` will appear. The system will be automatically booted into it. See how the update process goes in the console. +**NOTE**: If you're upgrading a CentOS 7 system installed in UEFI mode rather than legacy BIOS mode and Secure Boot is enabled, you may want to disable it - otherwise the upgrade process will not be able to proceed. + +However, there maybe cases where disabling Secure Boot is not possible. For such cases we'll add AlmaLinux Secure Boot CA certificate to the Machine Owner Key List (MokList in short). Let's do so. + +* Download the AlmaLinux Secure Boot CA certificate. + +``` +wget https://git.almalinux.org/rpms/shim/raw/branch/a8_new_sb/SOURCES/almalinuxsecurebootca0.cer +``` + +* Import the certificate to the MokList. + +``` +sudo mokutil --import almalinuxsecurebootca0.cer +import password: password +import password again: password + +* Reboot the machine. + +``` +sudo reboot +``` + +* Once rebooted, a prompt with the message *Press any key to perform MOK management* will appear. Press one of them - e.g. the Enter key. + +* A menu will appear, allowing you to enroll AlmaLinux' certificate by choosing the *Enroll MOK* option. + +* Next, a menu will allow you to *View key 0* or *Continue*. You may choose *View key 0* to verify that the CA certificate is correct indeed. Then choose the *Continue* option. + +* Another prompt will appear, asking you: *Enroll the key(s)?* - choose *Yes*. + +* A window will then pop-up, asking for the password specified during the certificate import procedure. Type it - in our case it was simply: *password*. + +* Once the next menu pops-up, we can use the *Reboot* option. +From now on you can carry on with the ELevate upgrade procedure. + * After reboot, login to the system and check how the migration went. Verify that the current OS is the one you need. 
Check logs and packages left from previous OS version, consider removing them or update manually. ``` cat /etc/redhat-release From c9b60b1850cce230eda04fc53019462db3cb708c Mon Sep 17 00:00:00 2001 From: Kamil Aronowski Date: Mon, 24 Jul 2023 09:42:19 +0200 Subject: [PATCH 2/2] Small formatting fix Signed-off-by: Kamil Aronowski --- docs/elevate/ELevate-quickstart-guide.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/elevate/ELevate-quickstart-guide.md b/docs/elevate/ELevate-quickstart-guide.md index f97988d97..ff86d1a27 100644 --- a/docs/elevate/ELevate-quickstart-guide.md +++ b/docs/elevate/ELevate-quickstart-guide.md @@ -101,6 +101,7 @@ wget https://git.almalinux.org/rpms/shim/raw/branch/a8_new_sb/SOURCES/almalinuxs sudo mokutil --import almalinuxsecurebootca0.cer import password: password import password again: password +``` * Reboot the machine.
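Review bot: In PATCH 1/2, the `wget` step and the `sudo mokutil --import almalinuxsecurebootca0.cer` step enroll a downloaded file as a Secure Boot trust anchor with no integrity check in between. The only verification offered is the optional *View key 0* screen, and the guide gives no expected value to compare against. Suggest adding a step before the import that checks the certificate's fingerprint against a value published in the guide, and stating at the *View key 0* step which fields the reader should compare. The URL also points at a branch (`raw/branch/a8_new_sb`), so the file it serves can change over time; a fixed revision would make the published fingerprint meaningful. The transcript uses the literal import password `password`, and the later step repeats it ("in our case it was simply: *password*"); a clearly marked placeholder would keep readers from copying it. On placement, the note is inserted after the `sudo reboot` that boots into `ELevate-Upgrade-Initramfs`, yet it ends with "From now on you can carry on with the ELevate upgrade procedure", so it reads as a prerequisite and probably belongs before that reboot. Minor: "there maybe cases" should be "there may be cases", and the fenced block opened before `sudo mokutil --import` is never closed in this patch.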
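Review bot: PATCH 2/2 should be squashed into PATCH 1/2 rather than landed separately. The closing fence added after `import password again: password` repairs a block that patch 1 leaves open, so as submitted the first commit renders the *Reboot the machine* bullet and everything up to the next fence as code. While touching this block, consider separating the `sudo mokutil --import almalinuxsecurebootca0.cer` command from the two `import password` prompt lines, or marking them as terminal output, so readers do not paste the prompts into a shell.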