2.2 Restricting the Binaries Used to Boot the System

Secure Boot supports a chain of trust that goes down to the kernel module level.

Secure Boot leverages the UEFI boot architecture to restrict which binaries can boot the system, only allowing boot loaders that carry the cryptographic signature of trusted entities. In other words, anything run in the UEFI boot sequence must be signed with a key that the system recognizes as trustworthy. During each system reboot, every component in the boot sequence is verified, preventing malware from hiding embedded code in the boot sequence.

Loadable kernel modules must be signed with a trusted key or they cannot be loaded into the kernel.

The following trusted keys are maintained under the UEFI boot framework:

  • Database (DB) - Signature database that contains well-known keys. Only binaries that can be verified against an entry in the DB are allowed to run.

  • Forbidden Database (DBX) - Keys that are blocked. Any attempt to load an object whose key matches an entry in the DBX is denied; the DBX is the list of keys known to be bad.

  • Machine Owner Key (MOK) - User-added keys for kernel modules you want to install.

  • Platform Key (PK) - The key installed by the system vendor. It resides in the ILOM firmware and is not accessible from the host.

  • Key Exchange Key (KEK) - The key required to update the signature database.

The user must have access to the system console to add keys, modify keys, or enable and disable Secure Boot through the UEFI configuration menu. The default boot loader on most UEFI-enabled servers running Linux is grub2. With Secure Boot enabled, an additional shim boot loader is needed. When booting in Secure Boot mode, the shim is called first because it carries a signature that the firmware trusts. The shim then loads grub2, which in turn loads the OS kernel, which is also signed.
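The following script is an added example and is not part of the Oracle documentation or of Exadata software. It shows how an administrator can confirm, from a running Linux host, the state that the key databases and shim chain above are meant to enforce: it decodes the UEFI SecureBoot and SetupMode variables that the kernel exposes through efivarfs (each file is 4 bytes of variable attributes followed by the variable data, a single byte for these two variables) and reports loaded kernel modules whose file carries no signer field, which is the condition the "modules must be signed with a trusted key" rule in this section rejects. The EFIVARS override, the module_signer helper, and the main wrapper are this example's own constructs; mokutil and modinfo are assumed to be installed where used.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): decode UEFI Secure Boot state from efivarfs
# and list loaded kernel modules without a signer. Assumes a Linux host with efivarfs
# mounted; EFIVARS may be overridden (e.g. for testing with constructed files).
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
# EFI_GLOBAL_VARIABLE GUID, the namespace of SecureBoot and SetupMode
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the first data byte (byte 5, after the 4-byte attribute word) of an
# efivarfs file as a decimal number, or "absent" if the variable does not exist.
efivar_byte() {
    f="$EFIVARS/$1-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo absent; return 0; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' '
}

# Classify Secure Boot: "enabled" only when SecureBoot=1 and the platform is not
# in setup mode (SetupMode=1 means no PK is enrolled and nothing is enforced).
secure_boot_state() {
    sb=$(efivar_byte SecureBoot)
    if [ "$sb" = absent ]; then
        echo unsupported
        return 0
    fi
    sm=$(efivar_byte SetupMode)
    if [ "$sb" = 1 ] && [ "$sm" != 1 ]; then
        echo enabled
    elif [ "$sm" = 1 ]; then
        echo setup
    else
        echo disabled
    fi
}

# Print the "signer" field of a module (by name or path); empty if unsigned or
# if modinfo cannot find it. Not exercised by the test, as it needs real modules.
module_signer() {
    modinfo -F signer "$1" 2>/dev/null
}

main() {
    echo "Secure Boot state: $(secure_boot_state)"
    # mokutil, where installed, confirms the same state and lists enrolled MOK keys
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state 2>/dev/null || true
        echo "Enrolled MOK keys:"
        mokutil --list-enrolled 2>/dev/null | grep -E '^\s*(Subject|Issuer):' || true
    fi
    # Flag loaded modules without a signer field (would be rejected under enforcement)
    if [ -r /proc/modules ] && command -v modinfo >/dev/null 2>&1; then
        while read -r name _; do
            [ -n "$(module_signer "$name")" ] || echo "no signer found for module: $name"
        done < /proc/modules
    fi
}

main
```

On an Exadata server meeting the requirements in this section the script should report "enabled" and no unsigned modules; "setup" or "disabled" on such a host indicates the firmware is not enforcing the DB/DBX policy and is worth investigating through the console.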

The minimum system requirement for Secure Boot on Exadata system hardware is Oracle Exadata X7-2 with Oracle Exadata System Software release 19.1.0. Secure Boot is enabled by default on Exadata storage servers, bare metal database servers, and KVM hosts meeting the minimum system requirement.

Oracle Exadata System Software release 24.1.0 extends Secure Boot to Oracle Linux KVM guests.

Secure Boot is not supported on Xen-based Oracle VM Servers (Dom0) and Oracle VM guests (DomU).