Hello Gary,

Thanks for the answer, but I have a question again ;).

I am doing this for the first time....

Is this a KEK or PK file? I have 4 possible insert positions: KEK, PK, db, dbx.

I read online that the file has to be named key.cer; you write key.der. What is correct?

Thanks for an answer.

Kind regards / best Regards
Günther J. Niederwimmer

-----Original Message-----
From: Gary Ching-Pang Lin [mailto:glin@suse.com]
Sent: Wednesday, 09 April 2014 11:36
To: Günther J. Niederwimmer
Cc: opensuse-factory@opensuse.org
Subject: Re: [opensuse-factory] Secure Boot Keys

On Wed, Apr 09, 2014 at 10:34:21AM +0200, Günther J. Niederwimmer wrote:
Hello,
Can anyone tell me the place where I can find the openSUSE / SUSE Secure Boot key files? After exporting the certificate from the BIOS I found only ASUS, Microsoft and Canonical (?) keys / certificates in the files. I never installed Ubuntu (?).
The openSUSE/SUSE keys are available in the build service:

For openSUSE 12.3/13.1
https://build.opensuse.org/package/view_file/devel:openSUSE:Factory/shim/openSUSE-UEFI-CA-Certificate-4096.crt?expand=1

For openSUSE 13.2+
https://build.opensuse.org/package/view_file/devel:openSUSE:Factory/shim/openSUSE-UEFI-CA-Certificate.crt?expand=1

For SUSE:
https://build.opensuse.org/package/view_file/devel:openSUSE:Factory/shim/SLES-UEFI-CA-Certificate.crt?expand=1

Just copy the strings to a file, say key.crt, and convert it to DER format.

    $ openssl x509 -in key.crt -outform DER -out key.der
I would like to install these files manually; I hope afterward I can test with Secure Boot ;).
AFAIK, not every firmware vendor allows the user to enroll a customer key. Starting from openSUSE 12.3, a shim loader with MS signature was included, so theoretically you can boot openSUSE 12.3+ in a Secure Boot enabled box with MS key. You may need some workaround for some old firmware though.

Cheers,

Gary Lin
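
The conversion step from the thread with a check that the DER output is still the same certificate before it is handed to the firmware setup; this is an added example, not part of the original mails. The function names are hypothetical, and the certificate is a constructed throwaway one standing in for the downloaded key.crt.

```shell
#!/bin/sh
# Added example: PEM -> DER conversion with a fingerprint check.

# make_test_cert DIR
# Creates a constructed, throwaway self-signed certificate at DIR/key.crt.
# It only stands in for the PEM text copied from the build service.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=constructed example CA' \
        -keyout "$1/test.key" -out "$1/key.crt" 2>/dev/null
}

# pem_to_der_checked IN_PEM OUT_DER
# Runs the same openssl conversion as in the mail, then compares the
# SHA-256 fingerprint of the PEM input with that of the DER output.
# Prints the fingerprint on success, returns non-zero otherwise.
pem_to_der_checked() {
    in_pem=$1
    out_der=$2
    # Refuse input that is not PEM text (for example an already converted file).
    grep -q -e '-----BEGIN CERTIFICATE-----' "$in_pem" || return 2
    openssl x509 -in "$in_pem" -outform DER -out "$out_der" || return 3
    fp_pem=$(openssl x509 -in "$in_pem" -noout -fingerprint -sha256) || return 4
    fp_der=$(openssl x509 -in "$out_der" -inform DER -noout \
        -fingerprint -sha256) || return 4
    # Both encodings must describe the same certificate.
    [ "$fp_pem" = "$fp_der" ] || return 5
    printf '%s\n' "$fp_der"
}

# Demo run on the constructed certificate.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir"
pem_to_der_checked "$demo_dir/key.crt" "$demo_dir/key.der"
rm -rf "$demo_dir"
```

The printed fingerprint can be compared with the one shown for the certificate once it is enrolled.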