Secure Boot
Secure Boot ensures the integrity of each component during system boot-up and prevents components that have no valid signatures from being loaded. It protects the system and user data from security threats as well as bootkit and rootkit attacks. HCE 2.0 supports Secure Boot.
- Verifying that Secure Boot has been enabled
After the OS is booted, run the following command to check whether Secure Boot is enabled:
    mokutil --sb-state
    SecureBoot enabled    # Secure Boot has been enabled.
- Enabling kernel .ko signature verification
Secure Boot is implemented by signature verification. By default, the HCE 2.0 kernel is not compiled with signature verification forcibly enabled, so you need to enable it with the kernel parameter module.sig_enforce.
To enable .ko signature verification, add module.sig_enforce=1 to the /boot/efi/EFI/hce/grub.cfg file.
| Kernel parameter | Value | Description |
| --- | --- | --- |
| module.sig_enforce | 0 | Disables the kernel's signature verification on the .ko module. The setting takes effect after the system is rebooted. |
| module.sig_enforce | 1 | Enables the kernel's signature verification on the .ko module. The setting takes effect after the system is rebooted. |
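The checks from this section combined into one audit, as an added example that is not part of the HCE documentation. The function names and the sample grub.cfg content are constructed for illustration; the script only matches the exact form module.sig_enforce=1 given above.

```shell
#!/bin/sh
# Added example; function names are illustrative, sample data is constructed.
# True if a kernel command line ($1) carries the exact token module.sig_enforce=1.
cmdline_enforces() {
    case " $1 " in
        *" module.sig_enforce=1 "*) return 0 ;;
    esac
    return 1
}

# True if `mokutil --sb-state` output ($1) reports Secure Boot as enabled.
sb_enabled() {
    case "$1" in
        "SecureBoot enabled"*) return 0 ;;
    esac
    return 1
}

# Read a grub.cfg on stdin; print the line number of each kernel line
# (linux, linuxefi, linux16) that lacks module.sig_enforce=1.
grub_missing_enforce() {
    awk '$1 ~ /^linux(efi|16)?$/ {
             ok = 0
             for (i = 2; i <= NF; i++) if ($i == "module.sig_enforce=1") ok = 1
             if (!ok) print NR
         }'
}

# audit GRUB_CFG_TEXT CMDLINE SB_STATE: report every failed check, return 1 on any.
audit() {
    rc=0
    sb_enabled "$3" || { echo "FAIL: Secure Boot is not enabled"; rc=1; }
    cmdline_enforces "$2" || { echo "FAIL: running kernel lacks module.sig_enforce=1"; rc=1; }
    missing=$(printf '%s\n' "$1" | grub_missing_enforce | tr '\n' ' ')
    [ -z "$missing" ] || { echo "FAIL: grub.cfg kernel lines without it: $missing"; rc=1; }
    return "$rc"
}

# Constructed sample: the second menu entry was missed when editing grub.cfg.
SAMPLE_CFG="menuentry 'constructed entry A' {
    linux /vmlinuz-A root=/dev/vda1 ro module.sig_enforce=1
}
menuentry 'constructed entry B' {
    linux /vmlinuz-B root=/dev/vda1 ro
}"
audit "$SAMPLE_CFG" "root=/dev/vda1 ro module.sig_enforce=1" "SecureBoot enabled" || true
# On a host:
# audit "$(cat /boot/efi/EFI/hce/grub.cfg)" "$(cat /proc/cmdline)" "$(mokutil --sb-state)"
```

Each kernel line is checked separately because the parameter applies only to the menu entry whose kernel line carries it.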
- Viewing the public key certificate for signature in HCE 2.0
For details about the HCE 2.0 KEK certificate and UEFI signature certificate, see hce-sign-certificate-1.0-1.hce2.x86_64.rpm in https://repo.huaweicloud.com/hce/2.0/updates/x86_64/Packages/.