ELevate with SecureBoot

mitchellbot · January 5, 2024, 3:35pm

We have hundreds of Intel NUCs needing to get off of CentOS 7 due to the EOL. We were thrilled to discover ELevate and created a script to roll it out to these systems. In our initial testing, everything proceeds perfectly on virtual systems (which have SecureBoot disabled by default), however, once we tried to deploy it to a physical system, we encountered the error “/vmlinuz-upgrade.x86_64 has invalid signature. you need to load the kernel first.”

Clearly SecureBoot has stopped the vmlinuz-upgrade initramfs kernel from booting. But, upon checking sbverify, I’m seeing that it is actually signed by DigiCert with a G4 Code Signing certificate so I’m wondering what’s stopping it.

I also failed to find any mention of SecureBoot in the ELevate documentation specifically. Is SecureBoot even supported?

Would it suffice to simply add the public key to the MOK?

Has anyone else encountered this issue and is there any way to do this without having to boot to UEFI and disable SecureBoot across hundreds of systems?

Thanks in advance.

maerlin · March 3, 2025, 12:48pm

Hey there! Sorry to bother and resurrecting this thread but we’re facing the same problems. We don’t have hundreds of systems, but a significant quantity. Did you manage to find a solution to this? Or just point us in the right direction? Thanks!

mitchellbot · March 3, 2025, 3:31pm

Ooof, you’re testing my memory with this one.

IIRC, we ended up having to pin an older version of the data package to leapp-data-oraclelinux-0.2-3.el7.2. That worked for awhile and then broke in a different way but by then, most of our systems had completed the migration.

Good luck!

maerlin · March 3, 2025, 3:34pm

I will definitely try! Thanks for the tip. We’ve been struggling all morning. Hopefully this will help!