(Optional) Enroll Arcserve UDP Public Key for Secure Boot Enabled Oracle Linux UEK6 Kernel

This section provides information about how to enroll Arcserve public key for Secure Boot enabled Oracle Linux UEK6 kernel.

Prerequisites:

• Verify that you have root credentials.
• Verify that you have access to Arcserve public key.
• Verify that you have access to Arcserve Platform Key file (PKCS12).
• Verify if your system has the related package of mmx64.efi file that is located at the following location:
• /boot/efi/EFI/redhat
• Install the following packages as needed:
• Oracle Linux 7.x
• sudo yum install kernel-uek-devel
• sudo yum update
• sudo yum-config-manager –enable ol7_optional_latest
• sudo yum install keyutils mokutil pesign
• Oracle Linux 8.x
• sudo dnf install kernel-uek-devel
• sudo dnf update
• sudo dnf install keyutils mokutil pesign

Follow these steps:

1. Log into the shell environment of the backup source node.
2. Locate Arcserve public key at the following location:

   /tmp/arcserve_public_key_for_secureboot.der

3. Locate Arcserve Platform key file (PKCS12) at the following location:

   /tmp/arcserve_p12key_for_secureboot.p12

4. From the Oracle Linux documentation on inserting the module certificate in kernel and signing the kernel image for UEK6 kernel, follow these steps:
• To change to the directory where Arcserve public key and platform key file (s) exist, run the following command:

# cd /tmp

• To insert the module certificate in the kernel image using the insert-sys-cert utility, run the following command:

# /usr/src/kernels/$(uname -r)/scripts/insert-sys-cert -s /boot/System.map-$(uname -r) -z /boot/vmlinuz-$(uname -r) -c arcserve_public_key_for_secureboot.der

• To configure the NSS database, which is designed for storing complete set of keys, run the following command:

# certutil -d . -N

• 
• You are prompted to enter a password for NSS database. Enter a password for the database, which is required while signing the kernel.
• Add the PKCS#12 version of kernel signing key to the new database. You are first prompted for the password of the NSS database that is created in the above step, and then you are prompted for the password, which is used while exporting the PKCS#12 key file (‘cad2d’ is the password used for PKCS#12 key).
• # pk12util -d . -i arcserve_p12key_for_secureboot.p12
• 
• Sign the kernel image using the pesign utility.
• 
• 
5. To update the MOK database, follow these steps:
1. To import the certification to MOK, run the following command:
2. mokutil [--root-pw] --import
3. /tmp/arcserve_public_key_for_secureboot.der
4. The --root-pw option enables the usage of root user directly. The root password is required to enroll the key after restarting the system.
2. Specify a password for the certification when the --root-pw option is not available.
3. This password is required to enroll the key after restarting the system.
3. Verify the list of certificates that are prepared to be enrolled from mokutil using the following command:
4. mokutil --list-new>
5. The list must include Arcserve public key.
4. Restart the system.
5. The system launches shim UEFI key management tool.
6. Note: If the shim UEFI key management tool is not launched, the system may not have the mmx64.efi file.
5. Enter the password that you have specified while importing Arcserve public key to enroll the certification to the MOK list.
6. For UEK R6, only those keys that are listed in the kernel builtin_trusted_keys keyring are trusted for module signing. For this reason, module signing keys are added to the kernel image as part of the process for signing modules. Run the following command to validate that a key is trusted:
7. # keyctl show %:.builtin_trusted_keys
8. Keyring: 335047181 ---lswrv 0 0 keyring: .builtin_trusted_keys
9. 1042239099 ---lswrv 0 0 \_ asymmetric: Oracle CA Server: 58bd7ea9c4fba3a4a62720d5d06f1e96053ddf4d
10. 24285436 ---lswrv 0 0 \_ asymmetric: Arcserve kernel module signing key: fb4c19dca60d31bb203499bf6cb384af6615699d
11. 362335717 ---lswrv 0 0 \_ asymmetric: Oracle America, Inc.: Ksplice Kernel Module Signing Key: 09010ebef5545fa7c54b626ef518e077b5b1ee4c
12. 448587676 ---lswrv 0 0 \_ asymmetric: Oracle Linux Kernel Module Signing Key: 2bb352412969a3653f0eb6021763408ebb9bb5ab
13. Notes:
• The list must include Arcserve public key.
• If multiple UEK version kernels are installed, signing only one kernel does not allow other kernels to log in. For example, if you have installed the UEK5 and UEK6 kernels, imported a key and signed the UEK6 kernel using the above steps, then boot using the UEK5 kernel in Secure Boot fails.

The Secure Boot enabled Oracle Linux UEK6 kernel is ready for protection.