Updated on 2025-09-04 GMT+08:00

How Do I Handle Secure Boot Failures Caused by Certificate Changes?

Background

Before March 2025, the RPM package hce-sign-certificate-1.0-1.hce2 released with HCE provided two certificates for secure boot: HCE_Secure_Boot_RSA_Code-Signing_Authority_1.cer and Huawei_Code-Signing_Authority_CA_3.der.cer. They are used to verify the signatures of the Shim, GRUB, and kernel image components during secure boot, and either of them can be imported into the BIOS (the UEFI signature database, db) as the signature verification certificate. HCE_Secure_Boot_RSA_Code-Signing_Authority_1.cer expired in April 2025 and can no longer be used.

If HCE released before March 2025 is installed on your server with secure boot enabled, and only HCE_Secure_Boot_RSA_Code-Signing_Authority_1.cer has been imported into the BIOS, then after you upgrade to HCE released after May 2025 the firmware has no certificate in its db that verifies the newly signed boot components, and the OS fails to boot at the next restart.

Detecting the Issue

  1. Check whether your OS is HCE 2.0 released before March 2025 (see the compiletime field in /etc/hce-latest). If yes, go to step 2. If no, your OS does not have this issue.

    [root@localhost ~]# cat /etc/hce-latest
    hceversion=HCE-2.0.2412.1_aarch64
    compiletime=2025-02-28-10-00-01

  2. Run mokutil --sb-state (mokutil also accepts the abbreviation --sb) to check whether secure boot is enabled. If "SecureBoot enabled" is displayed, go to step 3. If not, your OS does not have this issue.

    [root@localhost ~]# mokutil --sb-state
    SecureBoot enabled

  3. Check which certificates are enrolled in the BIOS signature database (db).

    [root@localhost ~]# mokutil --db | grep "Subject:"
    Figure 1 Checking the imported certificate
    • If the command output contains "Huawei Root CA", your OS is not affected. No further action is required.
    • If the command output does not contain "Huawei Root CA" but contains "Huawei Code-Signing Authority CA 3", your OS is not affected: it will still boot after being upgraded to HCE 2.0 released after May 2025.
    • If the command output contains neither "Huawei Root CA" nor "Huawei Code-Signing Authority CA 3" but does contain "HCE Secure Boot RSA Code-Signing Authority 1", your OS is affected and will fail to boot after the upgrade. Apply the solution below before you upgrade.
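The three checks above can be run as one script so that a fleet can be screened before an upgrade window. The following is an added example, not part of the HCE documentation: the classification functions take the command outputs as arguments so they can be tested on constructed text, and --live runs them against the real /etc/hce-latest and mokutil on the current host. The sample "Subject:" lines and the package compiletime are constructed for the demo and do not reproduce the real certificate subject DNs.

```shell
#!/bin/sh
# Added example: pre-flight check for the HCE secure-boot certificate issue.
# Assumes /etc/hce-latest carries "compiletime=YYYY-MM-DD-hh-mm-ss" as shown on
# the page, and that `mokutil --db` prints one "Subject:" line per db entry.
set -u

# Return 0 if a compiletime value (YYYY-MM-DD-...) is before March 2025,
# 1 if it is March 2025 or later, 2 if the value is malformed.
hce_built_before_march_2025() {
    ym=$(printf '%s' "$1" | cut -d- -f1,2 | tr -d -)   # "2025-02-28-..." -> 202502
    case $ym in ''|*[!0-9]*) return 2 ;; esac
    [ "$ym" -lt 202503 ]
}

# Classify the db contents. Argument: the text of `mokutil --db | grep "Subject:"`.
# Prints exactly one of:
#   unaffected       Huawei Root CA is enrolled
#   unaffected_ca3   only Huawei Code-Signing Authority CA 3 is enrolled
#   affected         only HCE Secure Boot RSA Code-Signing Authority 1 is enrolled
#   none_found       none of the three HCE certificates is enrolled
classify_db_subjects() {
    subjects=$1
    if printf '%s\n' "$subjects" | grep -q "Huawei Root CA"; then
        echo unaffected
    elif printf '%s\n' "$subjects" | grep -q "Huawei Code-Signing Authority CA 3"; then
        echo unaffected_ca3
    elif printf '%s\n' "$subjects" | grep -q "HCE Secure Boot RSA Code-Signing Authority 1"; then
        echo affected
    else
        echo none_found
    fi
}

# Combine the three steps. Arguments: compiletime value, output of
# `mokutil --sb-state`, output of `mokutil --db | grep "Subject:"`.
hce_secure_boot_verdict() {
    if ! hce_built_before_march_2025 "$1"; then
        echo "not_affected:build_march_2025_or_later"; return 0
    fi
    case $2 in
        *"SecureBoot enabled"*) ;;
        *) echo "not_affected:secure_boot_disabled"; return 0 ;;
    esac
    classify_db_subjects "$3"
}

# Gather the real inputs on this host and print the verdict.
run_live() {
    ct=$(sed -n 's/^compiletime=//p' /etc/hce-latest 2>/dev/null)
    sb=$(mokutil --sb-state 2>/dev/null || true)
    db=$(mokutil --db 2>/dev/null | grep "Subject:" || true)
    hce_secure_boot_verdict "$ct" "$sb" "$db"
}

if [ "${1:-}" = "--live" ]; then
    run_live
else
    # Demo on constructed samples (not real certificate subjects).
    CT='2025-02-28-10-00-01'
    SB='SecureBoot enabled'
    OLD_ONLY='        Subject: CN=HCE Secure Boot RSA Code-Signing Authority 1, O=Huawei'
    WITH_ROOT="$OLD_ONLY
        Subject: CN=Huawei Root CA, O=Huawei"
    echo "old cert only:      $(hce_secure_boot_verdict "$CT" "$SB" "$OLD_ONLY")"
    echo "root CA enrolled:   $(hce_secure_boot_verdict "$CT" "$SB" "$WITH_ROOT")"
    echo "secure boot off:    $(hce_secure_boot_verdict "$CT" 'SecureBoot disabled' "$OLD_ONLY")"
    echo "newer build:        $(hce_secure_boot_verdict '2025-06-30-00-00-00' "$SB" "$OLD_ONLY")"
fi
```

A host reporting affected should have Huawei_Root_CA.cer imported into its BIOS before the upgrade reboot; none_found means the db holds no HCE certificate at all, which is outside what this FAQ describes and should be looked at separately.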

Solution

Obtain the updated certificate from the HCE 2.0 image repository: download hce-sign-certificate-1.0-2.hce2.x86_64.rpm from the https://repo.huaweicloud.com/hce/2.0/updates/x86_64/Packages/ directory, decompress or install it, and import the new certificate Huawei_Root_CA.cer into the BIOS. The certificate itself does not depend on the CPU architecture. Import it before you upgrade and restart: once an affected system has been upgraded and fails to boot, the certificate can only be imported from outside the OS through the BIOS.

  • Reference for importing a certificate to BIOS:

    Kunpeng: https://support.huawei.com/enterprise/en/doc/EDOC1100088647/97a0d5a0

    2288H V5: https://support.huawei.com/enterprise/en/doc/EDOC1000163372/afc5c7f8?idPath=23710424|251364409|21782478|21872244

    2288H V6: https://support.huawei.com/enterprise/en/doc/EDOC1100195299/fdb56216?idPath=23710424|251364409|21782478|23692812
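Before enrolling the certificate through the BIOS, it is worth confirming what was actually extracted from the package: that the file is the Huawei Root CA, that it has not itself expired, and, if sbverify is installed, that the updated Shim is signed by a chain ending at it. The script below is an added example and not part of the HCE documentation or the package. The shim path /boot/efi/EFI/hce/shimx64.efi is an assumption for this example; pass the real path as the second argument. The notAfter dates used in the self-test are constructed values, not the real certificate dates.

```shell
#!/bin/sh
# Added example: sanity-check Huawei_Root_CA.cer from the hce-sign-certificate
# RPM before importing it into the firmware db. Uses rpm2cpio, cpio, openssl
# and (optionally) sbverify. GNU date is assumed for parsing notAfter.
set -u

# Print one field ("subject" or "notAfter") from the output of
# `openssl x509 -noout -subject -enddate`.
x509_field() {   # $1 = openssl output text, $2 = field name
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# Return 0 if the certificate described by $1 is still valid at epoch $2,
# 1 if it has expired, 2 if the date could not be parsed.
cert_valid_at() {
    end=$(date -u -d "$(x509_field "$1" notAfter)" +%s 2>/dev/null) || return 2
    [ "$end" -gt "$2" ]
}

# Return 0 if the subject in $1 contains the CN text $2.
subject_is() {
    case $(x509_field "$1" subject) in *"$2"*) return 0 ;; esac
    return 1
}

# Unpack the RPM into $2 and convert the DER .cer to PEM (what openssl and
# sbverify expect). Prints the PEM path.
extract_cert() {   # $1 = path to hce-sign-certificate rpm, $2 = work dir
    (cd "$2" && rpm2cpio "$1" | cpio -idm --quiet) || return 1
    cer=$(find "$2" -name 'Huawei_Root_CA.cer' | head -n1)
    [ -n "$cer" ] || return 1
    openssl x509 -inform DER -in "$cer" -out "$2/Huawei_Root_CA.pem" || return 1
    printf '%s\n' "$2/Huawei_Root_CA.pem"
}

main() {
    rpm=$1
    shim=${2:-/boot/efi/EFI/hce/shimx64.efi}   # assumed location, override via $2
    work=$(mktemp -d)
    pem=$(extract_cert "$rpm" "$work") || { echo "Huawei_Root_CA.cer not found in $rpm" >&2; exit 1; }
    info=$(openssl x509 -in "$pem" -noout -subject -enddate)
    subject_is "$info" "Huawei Root CA" || { echo "unexpected certificate: $info" >&2; exit 1; }
    cert_valid_at "$info" "$(date +%s)" || { echo "certificate is already expired: $info" >&2; exit 1; }
    # The firmware verifies Shim against db only. `mokutil --import` would put
    # the certificate in MokList, which Shim consults for GRUB and the kernel
    # but which the firmware never reads, so the root must be enrolled in db
    # through the BIOS/BMC as the FAQ describes.
    if command -v sbverify >/dev/null 2>&1 && [ -f "$shim" ]; then
        sbverify --cert "$pem" "$shim" && echo "$shim signature chains to Huawei_Root_CA.cer"
    fi
    echo "$pem checked; import it into the firmware db via the BIOS, then upgrade and reboot"
}

if [ $# -ge 1 ]; then main "$@"; fi
```

Usage: `sh check_hce_cert.sh hce-sign-certificate-1.0-2.hce2.x86_64.rpm /boot/efi/EFI/hce/shimx64.efi`. A failing sbverify against the currently installed Shim is expected on a system that has not yet been upgraded; run it against the Shim from the post-May-2025 package to confirm the new chain before rebooting into it.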