On 2023-09-27 14:41, cagsm wrote:
On Tue, Sep 26, 2023 at 7:27 PM Andrei Borzenkov wrote:
This key is embedded into shim. Normally you do not need to explicitly enroll any key as long as your shim, kernel and additional kernel modules all come from the same vendor (in this case SUSE).
Embedded in the shim? Is this some superior security means in contrast to that MOK stuff? Anyhow, that mokutil listing keys only shows opensuse enterprise corporate linux secureboot key.
Laicolasse:~ # ls -lh /boot/efi/EFI/opensuse_main/
total 3.2M
-rwxr-xr-x 1 root root 833K Jul 20 18:58 MokManager.efi
-rwxr-xr-x 1 root root   68 Jul 20 18:58 boot.csv
-rwxr-xr-x 1 root root  173 Jul 20 18:58 grub.cfg
-rwxr-xr-x 1 root root 1.3M Jul 20 18:58 grub.efi
-rwxr-xr-x 1 root root 220K Jul 20 18:58 grubx64.efi
-rwxr-xr-x 1 root root 932K Jul 20 18:58 shim.efi   <=======
Laicolasse:~ #

The MOK database is inside the "BIOS" aka UEFI.

You have to install openSUSE-signkey-cert

Laicolasse:~ # rpm -q openSUSE-signkey-cert
openSUSE-signkey-cert-20220613-lp155.3.5.x86_64
Laicolasse:~ #

And on the next boot you should get a text prompt before the GRUB prompt, to accept the key. Notice that this prompt is very confusing. And if you say "no" by mistake it is no for ever.

Laicolasse:~ # mokutil --list-enrolled | grep -i openSUSE
Issuer: CN=Kernel OBS Project/emailAddress=Kernel@build.opensuse.org
Subject: CN=Kernel OBS Project/emailAddress=Kernel@build.opensuse.org
Issuer: CN=home:tiwai OBS Project/emailAddress=home:tiwai@build.opensuse.org
Subject: CN=home:tiwai OBS Project/emailAddress=home:tiwai@build.opensuse.org
Laicolasse:~ #

-- 
Cheers / Saludos,
Carlos E. R.
(from openSUSE 15.5 (Laicolasse))
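
An added example, not part of the original message: a shell check for the outcome of the enrollment step described above. It reports whether a certificate is enrolled, still waiting for the boot-time prompt, or absent, and it matches the exact CN on Subject lines only, which the `grep -i` above does not. The function names, the state names and the sample listings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify a MOK certificate by its Subject CN.
# Live use (as root):
#   mok_state "Kernel OBS Project" "$(mokutil --list-enrolled)" "$(mokutil --list-new)"

# has_subject CN: reads a mokutil listing on stdin and succeeds only if a
# Subject line carries exactly that CN. Issuer lines are ignored, so a
# certificate merely issued by that name does not count.
has_subject() {
    awk -v cn="$1" '
        /^[ \t]*Subject:/ {
            s = $0
            sub(/^[ \t]*Subject:[ \t]*/, "", s)
            n = split(s, parts, "[/,]")          # both DN separator styles
            for (i = 1; i <= n; i++) {
                p = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", p)
                sub(/^CN *= */, "CN=", p)        # newer "CN = x" spelling
                if (p == "CN=" cn) found = 1
            }
        }
        END { exit !found }'
}

# mok_state CN ENROLLED_LISTING PENDING_LISTING
#   enrolled: key is in the MOK database
#   pending:  enrollment requested, not yet confirmed at the boot prompt
#   absent:   neither, for example after answering "no" at the prompt
mok_state() {
    if printf '%s\n' "$2" | has_subject "$1"; then echo enrolled
    elif printf '%s\n' "$3" | has_subject "$1"; then echo pending
    else echo absent
    fi
}

# Constructed sample listings (first one modelled on the output above).
SAMPLE_ENROLLED='        Issuer: CN=Kernel OBS Project/emailAddress=Kernel@build.opensuse.org
        Subject: CN=Kernel OBS Project/emailAddress=Kernel@build.opensuse.org'
SAMPLE_PENDING='        Issuer: CN=Kernel OBS Project/emailAddress=Kernel@build.opensuse.org
        Subject: CN = Example Vendor, O = Constructed'

mok_state "Kernel OBS Project" "$SAMPLE_ENROLLED" "$SAMPLE_PENDING"
```
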