Configuring Secure Boot for RELIANOID Enterprise Edition


Overview #

RELIANOID Enterprise Edition fully supports UEFI Secure Boot through the standard Linux shim + MOK (Machine Owner Key) mechanism.

Due to how Secure Boot trust is established at firmware level, Secure Boot cannot be enabled on first installation. A short, controlled bootstrap process is required.

This article explains the recommended and supported procedure to enable Secure Boot on RELIANOID Enterprise Edition systems.

Important Design Consideration #

Secure Boot trust must be established before the custom RELIANOID kernel can boot.

For this reason:

  • The system must first be installed with EFI support but with Secure Boot disabled
  • After installation, the RELIANOID Secure Boot certificate is enrolled
  • Secure Boot is then enabled in firmware

This is expected, secure, and compliant behavior, aligned with UEFI and shim security requirements.

Prerequisites #

  • RELIANOID Enterprise Edition installed
  • System booting in UEFI mode
  • Secure Boot disabled in firmware during initial installation
  • Console access available (local or remote IPMI/iDRAC/iLO)
  • The mokutil and sbsigntool packages installed on every RELIANOID load balancer:
    apt install mokutil sbsigntool
  • RELIANOID Secure Boot certificate already installed at: /usr/local/relianoid/share/secureboot/cert-mok.der (available >= RELIANOID EE v8.5)

Step 1 — Install RELIANOID with EFI (Secure Boot disabled) #

Configure firmware for:

  • UEFI boot mode
  • Secure Boot disabled

Then, install RELIANOID Enterprise Edition normally.

Finally, boot the system and verify EFI mode with the command:

[ -d /sys/firmware/efi ] && echo "UEFI mode confirmed"

Step 2 — Stage the RELIANOID MOK certificate #

RELIANOID provides a pre-installed Secure Boot certificate that must be enrolled into shim.

Run the following command as root:

mokutil --ignore-keyring --import /usr/local/relianoid/share/secureboot/cert-mok.der

Password prompt #

You will be asked to set a one-time enrollment password:

input password: (insert one-time password)
input password again: (re-insert one-time password)

This password is temporary and will be used only once during enrollment.

Note: Keep this password available — it is required at the next reboot.

Confirm pending enrollment #

Confirm with the command:

mokutil --list-new

Step 3 — Reboot and enroll the MOK in shim #

Reboot the system with the command:

reboot

During boot, before the operating system loads, the MOK Manager (shim interface) will appear.

Enrollment steps #

  1. Select Enroll MOK

    [Screenshot: MOK Manager menu, Enroll MOK selected]

  2. View Key

    [Screenshot: MOK Manager, View Key showing the RELIANOID certificate]

  3. Select Continue

    [Screenshot: MOK Manager, Continue]

  4. Select Yes

    [Screenshot: MOK Manager, Enroll the key(s)? Yes]

  5. Enter the password chosen in Step 2
  6. Confirm and reboot

    [Screenshot: MOK Manager, Reboot]

This action permanently enrolls the RELIANOID Secure Boot certificate into the system’s MOK database.

Step 4 — Verify MOK enrollment #

After the system reboots successfully, verify that the certificate is enrolled:

mokutil --list-enrolled | grep RELIANOID

You should see an entry similar to:

[Screenshot: mokutil --list-enrolled output showing the RELIANOID certificate]

Step 5 — Enable Secure Boot in firmware #

  1. Reboot the system
  2. Enter the firmware (BIOS/UEFI) setup
  3. Enable Secure Boot
  4. Save and exit

Step 6 — Final verification #

Once Secure Boot is enabled, boot RELIANOID and confirm Secure Boot state:

mokutil --sb-state

Expected output:

SecureBoot enabled

At this point:

  • The RELIANOID kernel is trusted
  • The boot chain is fully validated
  • Secure Boot is operational

Troubleshooting #

Secure Boot enabled but system fails to boot #

  • Ensure the RELIANOID kernel (>= 6.1.159) is the one actually running: check with uname -r
  • Verify the RELIANOID certificate enrollment with mokutil --list-enrolled | grep RELIANOID
  • Confirm the system boots via shim (not directly into GRUB)
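The final verification in Step 6 and the checks in the troubleshooting list above can be collected into one post-enrollment script. The following is an added example and is not part of the RELIANOID documentation or product. It assumes mokutil is installed, that the enrolled certificate's Subject line contains "RELIANOID" (the same string the page greps for), that the minimum kernel is 6.1.159, and, for the optional "boots via shim" check, that efibootmgr is available (efibootmgr is not mentioned on the page; that check is an assumption). Each parser takes command output as an argument, so the functions can be exercised against the constructed sample text embedded below without firmware access.

```shell
#!/bin/sh
# Added example (not RELIANOID's own code): replay the Secure Boot
# verification steps as functions that parse command output.

MIN_KERNEL="6.1.159"   # minimum kernel named in the troubleshooting section

# Return 0 when dotted version $1 >= $2. A distro suffix such as
# "6.1.159-relianoid" (constructed example) is stripped before comparing.
version_ge() {
    cur=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    min=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        c=$(printf '%s' "$cur" | cut -d. -f"$i"); c=${c:-0}
        m=$(printf '%s' "$min" | cut -d. -f"$i"); m=${m:-0}
        [ "$c" -gt "$m" ] && return 0
        [ "$c" -lt "$m" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# mokutil --sb-state prints "SecureBoot enabled" or "SecureBoot disabled".
sb_enabled() {
    printf '%s\n' "$1" | grep -q '^SecureBoot enabled'
}

# mokutil --list-enrolled prints each key's certificate; succeed when a
# Subject line mentions $2 (the page greps for RELIANOID).
mok_present() {
    printf '%s\n' "$1" | grep -q "Subject:.*$2"
}

# UEFI mode: the kernel exposes /sys/firmware/efi only when booted via EFI.
# The directory argument exists so the check can be pointed elsewhere.
efi_mode() {
    [ -d "${1:-/sys/firmware/efi}" ]
}

# Assumption: efibootmgr -v output. Find the BootCurrent entry and succeed
# when its file path references shim rather than GRUB directly.
current_boot_via_shim() {
    id=$(printf '%s\n' "$1" | sed -n 's/^BootCurrent: *//p')
    printf '%s\n' "$1" | grep "^Boot$id" | grep -qi 'shim'
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_LIST_ENROLLED='[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
        Issuer: CN=RELIANOID Secure Boot (constructed sample)
        Subject: CN=RELIANOID Secure Boot (constructed sample)'
SAMPLE_BOOT_SHIM='BootCurrent: 0001
BootOrder: 0001,0000
Boot0000* UiApp FvVol(PLACEHOLDER)/FvFile(PLACEHOLDER)
Boot0001* relianoid HD(1,GPT,PLACEHOLDER-GUID,0x800,0x100000)/File(\EFI\relianoid\shimx64.efi)'
SAMPLE_BOOT_GRUB='BootCurrent: 0001
Boot0001* relianoid HD(1,GPT,PLACEHOLDER-GUID,0x800,0x100000)/File(\EFI\relianoid\grubx64.efi)'

# Live run against the local system; report every check and return 1 if any fails.
run_checks() {
    rc=0
    efi_mode && echo "OK: booted in UEFI mode" || { echo "FAIL: not booted in UEFI mode"; rc=1; }
    sb_enabled "$(mokutil --sb-state 2>/dev/null)" \
        && echo "OK: SecureBoot enabled" || { echo "FAIL: SecureBoot not enabled"; rc=1; }
    mok_present "$(mokutil --list-enrolled 2>/dev/null)" RELIANOID \
        && echo "OK: RELIANOID MOK enrolled" || { echo "FAIL: RELIANOID MOK not enrolled"; rc=1; }
    version_ge "$(uname -r)" "$MIN_KERNEL" \
        && echo "OK: kernel $(uname -r)" || { echo "FAIL: kernel older than $MIN_KERNEL"; rc=1; }
    if command -v efibootmgr >/dev/null 2>&1; then
        current_boot_via_shim "$(efibootmgr -v 2>/dev/null)" \
            && echo "OK: current boot entry goes through shim" \
            || { echo "FAIL: current boot entry does not reference shim"; rc=1; }
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as root with `sh sb-check.sh --run` after Step 5; a non-zero exit points at the failing step in the troubleshooting list. Checking the firmware's BootCurrent entry for shim is the direct way to confirm the "boots via shim" condition, since a boot entry that points at grubx64.efi bypasses shim and therefore the MOK database entirely.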

MOK Manager screen does not appear #

  • Ensure Secure Boot was disabled during enrollment
  • Re-run the mokutil --import command
  • Confirm console visibility during reboot

Security Notes #

  • MOK enrollment cannot be automated without user confirmation
  • This behavior is enforced by UEFI Secure Boot and shim
  • It prevents unauthorized keys from being silently trusted

This process is compliant with:

  • UEFI Secure Boot specifications
  • Linux shim security model
  • Enterprise Secure Boot best practices

Removing a MOK certificate from the system #

A previously enrolled RELIANOID Machine Owner Key (MOK) can be scheduled for removal using the following command:

mokutil --delete /usr/local/relianoid/share/secureboot/cert-mok.der

After executing this command:

  1. You will be prompted to set a one-time password
  2. Reboot the system
  3. The MOK Manager (shim) screen will appear during boot
  4. Select Delete MOK
  5. Confirm the deletion using the password you defined

Once completed, the certificate will be permanently removed from the system’s MOK database, and binaries signed with that key will no longer be trusted under Secure Boot.

Important: This operation requires Secure Boot to be enabled and physical or console access to complete the confirmation during reboot.
