Table of Contents

Title and Copyright Information
Preface
    Documentation License
    Conventions
    Documentation Accessibility
    Access to Oracle Support for Accessibility
    Diversity and Inclusion
1 About UEFI Secure Boot
    How the Secure Boot Process Works
    Secure Boot Limitations
    About Secure Boot Keys
    Description of the Secure Boot Key Implementation
    Description of the Shim First Stage Boot Loader
    How Secure Boot Is Enforced Within Oracle Linux
    Enabling and Disabling Secure Boot
    About the MOK Database
2 Tools and Applications for Administering Secure Boot
    About the pesign Tool
    About the efibootmgr Application
    About the mokutil Utility
    Disabling Secure Boot
    Validating SBAT Status
    About the dbxtool Command
3 Signing Kernel Images and Kernel Modules for Use With Secure Boot
    Requirements for Signing Kernel Images and Kernel Modules
    Installing Required Packages
    Generating a Signing Certificate
    Signing the Kernel for Secure Boot
    Configuring an NSS Database
    Signing the Kernel Image
    Updating the MOK Database
    Signing the Kernel Module for Secure Boot
    Signing the Kernel Module
    Updating the MOK Database with the Kernel Module Certificate
    Setting Kernel Module Certificate Trust for UEK R6
    Signing the Kernel Module
    Inserting the Module Certificate in the Kernel Image
    Signing the Kernel Image
    Updating the MOK Database
    Validating That a Key Is Trusted
    UEK R7 Releases
    UEK R6U3 and Later
    UEK R6 Updates (Includes RHCK on Oracle Linux 8 and Oracle Linux 9)
    UEK R6 releases prior to UEK R6U3
    UEK R5
    UEK R4 and RHCK on Oracle Linux 7