On 09/01/2014 05:06 PM, Carlos E. R. wrote:
On 2014-09-01 18:38, Neil Rickert wrote:
On Mon, 01 Sep 2014 09:52:02 +0200 Ludwig Nussel wrote:
If we don't want to wait for MS, a machine with secure boot enabled may not boot Factory. One has to either disable secure boot or import the openSUSE CA into the UEFI firmware. So we can take a conscious decision here and define a policy.
I would consider importing the opensuse CA into the firmware, if I knew how. I cannot find a place to do that in the BIOS settings on either of my UEFI boxes.
I found some references:
https://en.opensuse.org/openSUSE:UEFI
which mentions that it is done with something called "mokutil".
http://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO
https://www.suse.com/releasenotes/x86_64/SUSE-SLES/12/
http://software.opensuse.org/package/mokutil?search_term=mokutil
This program provides the means to enroll and erase the machine owner keys (MOK) stored in the database of shim.
man page:
http://linuxmanpages.net/manpages/fedora19/man1/mokutil.1.html
I have not located an opensuse page that explains how to do it. Only on the first link, where it says that the utility was broken on 12.3 and that some UEFI implementations might offer a boot menu option to do it.
--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
This is a must read:
http://blog.hansenpartnership.com/uefi-secure-boot/
http://blog.hansenpartnership.com/the-meaning-of-all-the-uefi-keys/
http://tomsblog.gschwinds.net/2014/08/uefi-secure-boot-resources/
James Bottomley has a very informative blog
http://blog.hansenpartnership.com/efitools-1-4-with-linux-key-manipulation-u...
Cheers!
Roman