On Fri, 2021-07-23 at 11:49 -0500, Larry Finger wrote:
In boo#1188475, a user with secure boot enabled is having trouble loading the VirtualBox modules. When he runs the 'mokutil -l' command, the only key he has installed is "SUSE Linux Enterprise Secure Boot CA", but the vbox modules are signed with "openSUSE Secure Boot CA".
There have been no other complaints about this problem. Either most users have secure boot off as I do, or a fresh install (not upgrade) gets different keys.
Is there any easy way to instruct him to add that additional key? What package is supposed to have that key?
I believe that would come from the "shim" package. I recently updated a Win10 laptop to Win11 and it dual-boots Tumbleweed. Needless to say, TW wouldn't boot after enabling "Secure Boot" so Win11 would install. There's a checkbox in YaST for 'Secure Boot' (which wasn't checked from initial installation) and after disabling 'Secure Boot' to get into TW, then ticking that box I was able to leave 'Secure Boot' enabled.
'mokutil -l' shows:
[key 1]
SHA1 Fingerprint: 46:59:83:8c:82:03:fe:15:52:ad:19:e1:86:09:db:21:7e:3a:d2:4f
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddressfirstname.lastname@example.org
        Validity
            Not Before: Aug 26 16:12:07 2013 GMT
            Not After : Jul 22 16:12:07 2035 GMT
        Subject: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddressemail@example.com
and 'rpm -ql shim' shows a reference to the SN of that cert:
$ rpm -ql shim
/etc/uefi
/etc/uefi/certs
/etc/uefi/certs/4659838C-shim.crt
/usr/lib64/efi
/usr/lib64/efi/MokManager.efi
/usr/lib64/efi/fallback.efi
/usr/lib64/efi/shim-opensuse.efi
/usr/lib64/efi/shim.efi
/usr/sbin/shim-install
/usr/share/doc/packages/shim
/usr/share/doc/packages/shim/COPYRIGHT
/usr/share/doc/packages/shim/README
/usr/share/efi
/usr/share/efi/x86_64
/usr/share/efi/x86_64/MokManager.efi
/usr/share/efi/x86_64/fallback.efi
/usr/share/efi/x86_64/shim-opensuse.der
/usr/share/efi/x86_64/shim-opensuse.efi
/usr/share/efi/x86_64/shim.efi
Don't know if it's enough to just install that package (or it would compete w/ a similar package on Leap) but I'd surmise there's a SLE "shim" and a Leap/TW "shim". Maybe downloading the Leap/TW "shim" package and getting the .crt file out of it would be enough.
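
An added example, not part of either message: a shell check of whether the certificate shipped by the shim package is already among the enrolled MOKs, using the fact that the file name prefix 4659838C equals the first four bytes of the SHA1 fingerprint in the listing above. The function names are hypothetical, the SLE-only listing is constructed with a placeholder fingerprint, and treating the file name prefix as a fingerprint prefix is an assumption drawn from this one file.

```shell
#!/bin/sh
# Added example (not from the thread): is the shim certificate already a MOK?
CERT=/etc/uefi/certs/4659838C-shim.crt   # path from the 'rpm -ql shim' list

# Print every "SHA1 Fingerprint" in 'mokutil -l' text (stdin) as
# upper-case hex without colons, one per line.
mok_fingerprints() {
    sed -n 's|.*SHA1 Fingerprint:[[:space:]]*\([0-9A-Fa-f:]*\).*|\1|p' |
        tr -d ':' | tr 'a-f' 'A-F'
}

# Print the subject CN of every listed certificate; accepts "CN=x" and "CN = x".
mok_subject_cns() {
    sed -n 's|^[[:space:]]*Subject:.*CN[[:space:]]*=[[:space:]]*\([^,/]*\).*|\1|p'
}

# Exit 0 if the hex prefix of the certificate file name ($1) starts one of the
# fingerprints in the listing on stdin, 1 if not, 2 if the name has no prefix.
# Assumption: the file name prefix is the start of the SHA1 fingerprint.
cert_prefix_enrolled() {
    prefix=$(basename "$1" | sed 's/-.*//' | tr 'a-f' 'A-F')
    case $prefix in ''|*[!0-9A-F]*) return 2 ;; esac
    mok_fingerprints | grep -q "^$prefix"
}

# Constructed listing for the reported state: only the SLE CA is enrolled.
# The fingerprint is a placeholder, not the real SLE certificate's.
sample_sle_only() {
    cat <<'EOF'
[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
        Subject: CN=SUSE Linux Enterprise Secure Boot CA
EOF
}

# Listing with the fingerprint and subject quoted in the reply.
sample_opensuse() {
    cat <<'EOF'
[key 1]
SHA1 Fingerprint: 46:59:83:8c:82:03:fe:15:52:ad:19:e1:86:09:db:21:7e:3a:d2:4f
        Subject: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project
EOF
}

for s in sample_sle_only sample_opensuse; do
    if "$s" | cert_prefix_enrolled "$CERT"; then echo "$s: enrolled"
    else echo "$s: missing, enroll with: mokutil --import $CERT"; fi
done
```

On a real system, pipe `mokutil -l` into `cert_prefix_enrolled` instead of the sample functions; `mokutil --import` only queues the request, which is then confirmed in MokManager at the next boot.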