Configuring Secure Boot for RELIANOID Enterprise Edition

Overview #

RELIANOID Enterprise Edition fully supports UEFI Secure Boot through the standard Linux shim + MOK (Machine Owner Key) mechanism.

Shim will only hand off to a kernel signed by a key it already trusts. The RELIANOID kernel is signed with RELIANOID's own key, which is not in the firmware's db, so Secure Boot cannot be enabled on first installation: that key must first be enrolled as a MOK. A short, controlled bootstrap process is required.

This article explains the recommended and supported procedure to enable Secure Boot on RELIANOID Enterprise Edition systems.

Important Design Consideration #

Secure Boot trust must be established before the custom RELIANOID kernel can boot.

For this reason:

  • The system must first be installed with EFI support but with Secure Boot disabled
  • After installation, the RELIANOID Secure Boot certificate is enrolled
  • Secure Boot is then enabled in firmware

This is expected, secure, and compliant behavior, aligned with UEFI and shim security requirements.

Prerequisites #

  • RELIANOID Enterprise Edition installed
  • System booting in UEFI mode
  • Secure Boot disabled in firmware during initial installation
  • Console access available (local or remote IPMI/iDRAC/iLO)
  • RELIANOID Secure Boot certificate already installed at: /usr/local/relianoid/share/secureboot/cert-mok.der (available >= RELIANOID EE v8.5)

Step 1 — Install RELIANOID with EFI (Secure Boot disabled) #

Configure firmware for:

  • UEFI boot mode
  • Secure Boot disabled

Then, install RELIANOID Enterprise Edition normally.

Finally, boot the system and verify EFI mode with the command:

[ -d /sys/firmware/efi ] && echo "UEFI mode confirmed"

If nothing is printed, the system booted in legacy BIOS mode and shim is not in use. Correct the firmware boot mode before continuing; an installation performed in BIOS mode usually has no EFI System Partition and must be redone in UEFI mode.

Step 2 — Stage the RELIANOID MOK certificate #

RELIANOID provides a pre-installed Secure Boot certificate that must be enrolled into shim.

Run the following command as root:

mokutil --import /usr/local/relianoid/share/secureboot/cert-mok.der

Password prompt #

You will be asked to set a one-time enrollment password:

input password: (insert one-time password)
input password again: (re-insert one-time password)

This password is temporary: it is typed once more in the MOK Manager at the next reboot, to prove that the person at the console is the one who staged the request, and is then discarded.

Note: Keep this password available until the next reboot. MOK Manager reads it through the firmware console, which generally behaves like a US keyboard layout, so avoid characters whose position depends on the keyboard layout.

Confirm pending enrollment #

Confirm that the certificate is queued for enrollment at the next boot with the command:

mokutil --list-new

It should print the details of the RELIANOID certificate. If nothing is pending, repeat the import before rebooting.

Step 3 — Reboot and enroll the MOK in shim #

Reboot the system with the command:

reboot

During boot, before the operating system loads, shim detects the pending request and starts the MOK Manager (shim's enrollment interface). It first shows a short countdown ("Press any key to perform MOK management"); press a key within that time, otherwise the system boots normally without enrolling anything.

Enrollment steps #

  1. Select Enroll MOK
     [screenshot: Enroll MOK menu]
  2. Select View Key and inspect the certificate before trusting it; confirm it is the RELIANOID certificate, then return to the menu
     [screenshot: View Key]
  3. Select Continue
     [screenshot: Continue]
  4. Select Yes to confirm the enrollment
     [screenshot: Confirm]
  5. Enter the password chosen in Step 2
  6. Confirm and reboot
     [screenshot: Reboot]

This action permanently enrolls the RELIANOID Secure Boot certificate into the system’s MOK database.

Step 4 — Verify MOK enrollment #

After the system reboots successfully, verify that the certificate is enrolled:

mokutil --list-enrolled | grep RELIANOID

The output should contain the Issuer/Subject lines of the RELIANOID certificate. An empty result means the enrollment did not complete (for example because the MOK Manager countdown was missed); repeat Steps 2 and 3. Do not enable Secure Boot in firmware until this check passes.

Step 5 — Enable Secure Boot in firmware #

  1. Reboot the system
  2. Enter the firmware (BIOS/UEFI) setup
  3. Enable Secure Boot
  4. Save and exit

Only do this after Step 4 has passed: with Secure Boot enabled and no RELIANOID key in the MOK list, shim refuses to verify the RELIANOID kernel and the system will not boot until Secure Boot is disabled again in firmware.

Step 6 — Final verification #

Once Secure Boot is enabled, boot RELIANOID and confirm Secure Boot state:

mokutil --sb-state

Expected output:

SecureBoot enabled

At this point:

  • The RELIANOID kernel is trusted
  • The boot chain is fully validated
  • Secure Boot is operational

Troubleshooting #

Secure Boot enabled but system fails to boot #

  • Temporarily disable Secure Boot in firmware to regain a working system, then check the points below before enabling it again
  • Check with uname -r that the RELIANOID kernel (>= 6.1.159) is the one installed and selected in the boot loader
  • Verify the RELIANOID certificate enrollment with mokutil --list-enrolled | grep RELIANOID
  • Confirm that the firmware boot entry loads shim (shimx64.efi), not GRUB directly; a boot entry that bypasses shim has no MOK list to consult and cannot verify the RELIANOID kernel
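The checks in Steps 4 to 6 and in the troubleshooting list above can be scripted as a pre-flight gate: run it after Step 4, and enable Secure Boot in firmware only when it passes. The script below is an added example written for this article, not RELIANOID's own tooling. Each check that needs system state is a function taking command output as text, so the same logic runs against the constructed samples embedded in the script; the minimum kernel version is the one named in the troubleshooting section, the certificate subject text in the sample is an assumption (the real check only relies on the string RELIANOID, as the article's own command does), and the efibootmgr -v sample follows that tool's usual output layout.

```shell
#!/bin/sh
# Added example (not RELIANOID's own tooling): pre-flight gate to run after
# Step 4 and before enabling Secure Boot in firmware (Step 5), plus the Step 6
# confirmation.  Checks that need system state take command output as text, so
# they can be exercised offline against the constructed samples below.

# Minimum RELIANOID kernel named in the Troubleshooting section.
MIN_KERNEL="6.1.159"

# Constructed sample outputs (not captured from a real system).  The subject
# text of the RELIANOID certificate is an assumption.
SAMPLE_MOK_LIST='[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=RELIANOID Secure Boot
        Subject: CN=RELIANOID Secure Boot'

SAMPLE_MOK_LIST_OTHER='[key 1]
Certificate:
    Data:
        Subject: CN=Some Other Vendor'

# efibootmgr -v style output where the current entry loads shim.
SAMPLE_EFIBOOTMGR_SHIM='BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0001,0000
Boot0000* UEFI OS HD(1,GPT,1234abcd-0000-0000-0000-000000000000,0x800,0x100000)/File(\EFI\BOOT\BOOTX64.EFI)
Boot0001* relianoid HD(1,GPT,1234abcd-0000-0000-0000-000000000000,0x800,0x100000)/File(\EFI\relianoid\shimx64.efi)'

# Same layout, but the entry actually booted bypasses shim and loads GRUB
# directly; a shim entry exists, yet it is not the one in BootCurrent.
SAMPLE_EFIBOOTMGR_GRUB='BootCurrent: 0001
BootOrder: 0001,0000
Boot0000* relianoid-shim HD(1,GPT,1234abcd-0000-0000-0000-000000000000,0x800,0x100000)/File(\EFI\relianoid\shimx64.efi)
Boot0001* relianoid HD(1,GPT,1234abcd-0000-0000-0000-000000000000,0x800,0x100000)/File(\EFI\relianoid\grubx64.efi)'

# Step 6: mokutil --sb-state prints "SecureBoot enabled" or "SecureBoot disabled".
sb_enabled() {
    printf '%s\n' "$1" | grep -q '^SecureBoot enabled'
}

# Step 4: the RELIANOID certificate must appear in mokutil --list-enrolled.
mok_enrolled() {
    printf '%s\n' "$1" | grep -q 'RELIANOID'
}

# Numeric dot-separated comparison that ignores a "-flavour" suffix as found
# in uname -r.  Returns 0 when $1 >= $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Troubleshooting: the entry named by BootCurrent must load shim, not GRUB.
boots_via_shim() {
    printf '%s\n' "$1" | awk '
        /^BootCurrent:/ { cur = $2 }
        cur != "" && $1 ~ ("^Boot" cur "\\*?$") && tolower($0) ~ /shim[a-z0-9_-]*\.efi/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live checks against the running system (root needed for mokutil/efibootmgr).
# preflight must pass before Secure Boot is enabled in firmware.
preflight() {
    rc=0
    [ -d /sys/firmware/efi ] || { echo "FAIL: not booted in UEFI mode"; rc=1; }
    version_ge "$(uname -r)" "$MIN_KERNEL" || { echo "FAIL: kernel $(uname -r) is older than $MIN_KERNEL"; rc=1; }
    mok_enrolled "$(mokutil --list-enrolled 2>/dev/null)" || { echo "FAIL: RELIANOID MOK not enrolled; do not enable Secure Boot yet"; rc=1; }
    boots_via_shim "$(efibootmgr -v 2>/dev/null)" || { echo "FAIL: current boot entry does not load shim"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: safe to enable Secure Boot in firmware"
    return "$rc"
}

# Step 6 confirmation: Secure Boot on, and every pre-flight condition still true.
verify() {
    sb_enabled "$(mokutil --sb-state 2>/dev/null)" && preflight
}

case "${1:-}" in
    --preflight) preflight ;;
    --verify) verify ;;
esac
```

Run it as root with --preflight after Step 4 and with --verify after Step 6; without an argument it only defines the functions, which is what lets the parsing logic be tested on the embedded samples without touching the firmware.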

MOK Manager screen does not appear #

  • Ensure Secure Boot was disabled during enrollment
  • Re-run the mokutil --import command and check that mokutil --list-new shows the certificate before rebooting
  • Confirm console visibility during reboot: the MOK Manager only waits a few seconds for a key press before booting normally

Security Notes #

  • MOK enrollment cannot be automated without user confirmation
  • This behavior is enforced by UEFI Secure Boot and shim
  • It prevents unauthorized keys from being silently trusted

This process is compliant with:

  • UEFI Secure Boot specifications
  • Linux shim security model
  • Enterprise Secure Boot best practices
