On Tue, Sep 26, 2023 at 7:27 PM Andrei Borzenkov
This key is embedded into shim. Normally you do not need to explicitly enroll any key as long as your shim, kernel and additional kernel modules all come from the same vendor (in this case SUSE).
embedded in the shim? is this some superior security means in contrast to that MOK stuff? anyhow that mokutil listing keys only shows opensuse enterprise corporate linux secureboot key. but in
/lib/modules/5.14.21-150500.55.22-default/weak-updates/extra vboxdrv.ko -> /lib/modules/5.14.21-150500.55.7-default/extra/vboxdrv.ko
/lib/modules/5.14.21-150500.55.7-default/extra> rpm -qf vboxdrv.ko
virtualbox-kmp-default-7.0.10_k5.14.21_150500.55.7-lp155.2.5.1.x86_64
but this virtualbox rpm is built / signed (?) by the opensuse folks and not by the suse enterprise linux folks

rpm -qi virtualbox-kmp-default-7.0.10_k5.14.21_150500.55.7-lp155.2.5.1.x86_64
Name        : virtualbox-kmp-default
Version     : 7.0.10_k5.14.21_150500.55.7
Release     : lp155.2.5.1
Architecture: x86_64
Install Date: Mon 25 Sep 2023 04:19:17 PM CEST
Group       : System/Kernel
Size        : 2000994
License     : GPL-2.0-or-later
Signature   : RSA/SHA512, Mon 24 Jul 2023 01:27:48 PM CEST, Key ID 35a2f86e29b700a4
Source RPM  : virtualbox-kmp-7.0.10-lp155.2.5.1.src.rpm
Build Date  : Mon 24 Jul 2023 01:27:40 PM CEST
Build Host  : goat43
Relocations : (not relocatable)
Packager    : http://bugs.opensuse.org
Vendor      : openSUSE
--------------

and the kernel itself and the shim and all the basic essential boot stuff is built / signed (?) by the suse LLC (enterprise folks) i guess...

Source Timestamp: 2023-08-08 22:15:01 +0000
GIT Revision: 9908c297db56e74e320d2a98ec399b588ec136ca
GIT Branch: SLE15-SP5_EMBARGO
Distribution: SUSE Linux Enterprise 15
Name        : kernel-default
Version     : 5.14.21
Release     : 150500.55.22.1
Architecture: x86_64
Install Date: Wed 20 Sep 2023 03:04:22 PM CEST
Group       : System/Kernel
Size        : 185348636
License     : GPL-2.0-only
Signature   : RSA/SHA256, Fri 08 Sep 2023 11:24:32 AM CEST, Key ID 70af9e8139db7c82
Source RPM  : kernel-default-5.14.21-150500.55.22.1.nosrc.rpm
Build Date  : Fri 08 Sep 2023 11:17:02 AM CEST
Build Host  : h01-ch5a
Relocations : (not relocatable)
Packager    : https://www.suse.com/
Vendor      : SUSE LLC https://www.suse.com/
-----------

so i quickly guessed and deduced that I am having a secureboot uefi trouble running this funny virtualbox on linux making users' lives so hard. so is this really a virtual box package bug in opensuse leap 15.5, is secureboot and uefi so exotic and rare that nobody actually runs virtualbox the way I attempted and nobody comes across these bugs?
then again, that germanic blog post i found before also talked about exactly this stuff and the blog author was also wondering why this opensuse key never made it into the MOK (or wherever) to begin with on opensuse distros. i also strongly wonder, why doesn't the opensuse secure boot key get automagically MOKed into the opensuse users' systems and installations? this makes no sense to give the opensuse users such a bad rap and hassle? anyone care for opensuse or are we, the opensuse userbase, only the easy laborers, beta testers and incubators for the enterprise suse customers and userbase?

ty