Missing Key in Leap 15.3 (boo#1188475)
Hi,

We are still fighting the problem described in boo#1188475. Systems with secure boot enabled and upgraded from Leap 15.2 to Leap 15.3 cannot load the VirtualBox modules.

In Leap 15.2, all modules are signed with "openSUSE Secure Boot CA" and all is well, but in Leap 15.3, the VB modules are signed with "openSUSE Secure Boot CA" as in Leap 15.2, but the standard modules are signed with "SUSE Linux Enterprise Secure Boot CA." Using 'mokutil -l', only the latter key is present.

At present, the only work-around that I can suggest is to disable secure boot, which is hardly a fix. Reinstalling the shim package or installing "openSUSE-signkey-cert" does not help.

Can someone with expertise in these keys suggest a way to add "openSUSE Secure Boot CA" to the list of keys, or how to re-sign the VB modules with "SUSE Linux Enterprise Secure Boot CA"? I have read the documentation on signing modules, but I still do not understand how to do these operations.

Thanks,

Larry
On 31.07.2021 19:58, Larry Finger wrote:
> Hi,
>
> We are still fighting the problem described in boo#1188475. Systems with secure boot enabled and upgraded from Leap 15.2 to Leap 15.3 cannot load the VirtualBox modules.
>
> In Leap 15.2, all modules are signed with "openSUSE Secure Boot CA" and all is well, but in Leap 15.3, the VB modules are signed with "openSUSE Secure Boot CA" as in Leap 15.2, but the standard modules are signed with "SUSE Linux Enterprise Secure Boot CA." Using 'mokutil -l', only the latter key is present.
>
> At present, the only work-around that I can suggest is to disable secure boot, which is hardly a fix. Reinstalling the shim package or installing "openSUSE-signkey-cert" does not help.
>
> Can someone with expertise in these keys suggest a way to add "openSUSE Secure Boot CA" to the list of keys, or how to re-sign the VB modules with "SUSE Linux Enterprise Secure Boot CA"? I have read the documentation on signing modules, but I still do not understand how to do these operations.

https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/...
On 7/31/21 12:47 PM, Andrei Borzenkov wrote:
> On 31.07.2021 19:58, Larry Finger wrote:
>> Hi,
>>
>> We are still fighting the problem described in boo#1188475. Systems with secure boot enabled and upgraded from Leap 15.2 to Leap 15.3 cannot load the VirtualBox modules.
>>
>> In Leap 15.2, all modules are signed with "openSUSE Secure Boot CA" and all is well, but in Leap 15.3, the VB modules are signed with "openSUSE Secure Boot CA" as in Leap 15.2, but the standard modules are signed with "SUSE Linux Enterprise Secure Boot CA." Using 'mokutil -l', only the latter key is present.
>>
>> At present, the only work-around that I can suggest is to disable secure boot, which is hardly a fix. Reinstalling the shim package or installing "openSUSE-signkey-cert" does not help.
>>
>> Can someone with expertise in these keys suggest a way to add "openSUSE Secure Boot CA" to the list of keys, or how to re-sign the VB modules with "SUSE Linux Enterprise Secure Boot CA"? I have read the documentation on signing modules, but I still do not understand how to do these operations.
>
> https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/...

Unfortunately, that does not tell me how to instruct the users with this problem how to fix their systems.

Larry
On 01.08.2021 00:30, Larry Finger wrote:
> On 7/31/21 12:47 PM, Andrei Borzenkov wrote:
>> On 31.07.2021 19:58, Larry Finger wrote:
>>> Hi,
>>>
>>> We are still fighting the problem described in boo#1188475. Systems with secure boot enabled and upgraded from Leap 15.2 to Leap 15.3 cannot load the VirtualBox modules.
>>>
>>> In Leap 15.2, all modules are signed with "openSUSE Secure Boot CA" and all is well, but in Leap 15.3, the VB modules are signed with "openSUSE Secure Boot CA" as in Leap 15.2, but the standard modules are signed with "SUSE Linux Enterprise Secure Boot CA." Using 'mokutil -l', only the latter key is present.
>>>
>>> At present, the only work-around that I can suggest is to disable secure boot, which is hardly a fix. Reinstalling the shim package or installing "openSUSE-signkey-cert" does not help.

Installing or reinstalling this package by itself will not enroll the certificate; it just creates an enrollment request, which must be interactively confirmed by a user physically present on the console.

>>> Can someone with expertise in these keys suggest a way to add "openSUSE Secure Boot CA" to the list of keys, or how to re-sign the VB modules with "SUSE Linux Enterprise Secure Boot CA"? I have read the documentation on signing modules, but I still do not understand how to do these operations.
>>
>> https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/...
>
> Unfortunately, that does not tell me how to instruct the users with this problem how to fix their systems.

Well, you mentioned mokutil several times, so I presumed the "how" part is known; it is the "what" part that is missing.

Install or force reinstall openSUSE-signkey-cert, reboot, and perform certificate enrollment in the MokManager screen. The password MokManager expects is the operating system root user password.

Or, if the package is already installed, just manually create an enrollment request using

mokutil --import /etc/uefi/certs/BDD31A9E-kmp.crt

It will ask for the password to use in MokManager. Reboot, then confirm certificate enrollment in the MokManager screen.

https://en.opensuse.org/openSUSE:UEFI#Enroll_MOK_certificate_with_mokutil_.2...
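The mismatch Larry describes (a module whose "signer:" is "openSUSE Secure Boot CA" on a system where mokutil only lists "SUSE Linux Enterprise Secure Boot CA") can be checked before rebooting into MokManager. The script below is an added example, not from this thread or from any openSUSE tool: it compares the signer CN reported by modinfo with the Subject CNs in mokutil --list-enrolled. The sample outputs are constructed, and the openssl-style "Subject:" layout it parses is an assumption about mokutil's output.

```python
"""Triage helper: is a kernel module's signer CN among the enrolled MOK certificates?"""
import re
import shutil
import subprocess
import sys

# Constructed sample of `modinfo vboxdrv` output (not captured from a real system).
SAMPLE_MODINFO = """filename:       /lib/modules/5.3.18-59.16-default/updates/vboxdrv.ko
signer:         openSUSE Secure Boot CA
sig_hashalgo:   sha256
"""

# Constructed sample of `mokutil --list-enrolled` output, trimmed to the relevant lines.
SAMPLE_MOK_LIST = """[key 1]
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, O=SUSE Linux Products GmbH
        Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, O=SUSE Linux Products GmbH
"""


def module_signer(modinfo_text):
    """Return the 'signer:' value from modinfo output, or None for an unsigned module."""
    m = re.search(r"^signer:\s+(.+?)\s*$", modinfo_text, re.M)
    return m.group(1) if m else None


def enrolled_subject_cns(moklist_text):
    """Collect the CN of every 'Subject:' line in mokutil --list-enrolled output."""
    pattern = r"^\s*Subject:.*?CN\s*=\s*([^,\n]+)"
    return {m.group(1).strip() for m in re.finditer(pattern, moklist_text, re.M)}


def check_module(modinfo_text, moklist_text):
    """Classify a module as 'unsigned', 'enrolled' or 'not-enrolled'.
    Only the MOK list is consulted: a signer trusted through shim's embedded vendor
    certificate or the kernel's built-in keyring is not visible here, so treat
    'not-enrolled' as a prompt to investigate, not as proof the module will fail."""
    signer = module_signer(modinfo_text)
    if signer is None:
        return "unsigned"
    return "enrolled" if signer in enrolled_subject_cns(moklist_text) else "not-enrolled"


def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    if shutil.which("modinfo") and shutil.which("mokutil") and len(sys.argv) > 1:
        mok = run(["mokutil", "--list-enrolled"])  # real system: one argument per module name
        for mod in sys.argv[1:]:
            print(mod, check_module(run(["modinfo", mod]), mok))
    else:  # offline demonstration on the constructed samples
        print("vboxdrv (sample):", check_module(SAMPLE_MODINFO, SAMPLE_MOK_LIST))
```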
On Sunday 1 August 2021 07:42:40 CEST, Andrei Borzenkov wrote:
> On 01.08.2021 00:30, Larry Finger wrote:
>> On 7/31/21 12:47 PM, Andrei Borzenkov wrote:
>>> On 31.07.2021 19:58, Larry Finger wrote:
>>>> Hi,
>>>>
>>>> We are still fighting the problem described in boo#1188475. Systems with secure boot enabled and upgraded from Leap 15.2 to Leap 15.3 cannot load the VirtualBox modules.
>>>>
>>>> In Leap 15.2, all modules are signed with "openSUSE Secure Boot CA" and all is well, but in Leap 15.3, the VB modules are signed with "openSUSE Secure Boot CA" as in Leap 15.2, but the standard modules are signed with "SUSE Linux Enterprise Secure Boot CA." Using 'mokutil -l', only the latter key is present.
>>>>
>>>> At present, the only work-around that I can suggest is to disable secure boot, which is hardly a fix. Reinstalling the shim package or installing "openSUSE-signkey-cert" does not help.
>
> Installing or reinstalling this package by itself will not enroll the certificate; it just creates an enrollment request, which must be interactively confirmed by a user physically present on the console.
>
>>>> Can someone with expertise in these keys suggest a way to add "openSUSE Secure Boot CA" to the list of keys, or how to re-sign the VB modules with "SUSE Linux Enterprise Secure Boot CA"? I have read the documentation on signing modules, but I still do not understand how to do these operations.
>>>
>>> https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/BBFOK7VQSWCZIUBJIUBZ2ZOMJZ3I2ZVL/
>>
>> Unfortunately, that does not tell me how to instruct the users with this problem how to fix their systems.
>
> Well, you mentioned mokutil several times, so I presumed the "how" part is known; it is the "what" part that is missing.
>
> Install or force reinstall openSUSE-signkey-cert, reboot, and perform certificate enrollment in the MokManager screen. The password MokManager expects is the operating system root user password.
>
> Or, if the package is already installed, just manually create an enrollment request using
>
> mokutil --import /etc/uefi/certs/BDD31A9E-kmp.crt
>
> It will ask for the password to use in MokManager. Reboot, then confirm certificate enrollment in the MokManager screen.
>
> https://en.opensuse.org/openSUSE:UEFI#Enroll_MOK_certificate_with_mokutil_.28x86.2A_only.29

I tried this procedure, but did not succeed. Maybe my situation is different. It is: a Secure Boot multi-boot laptop with openSUSE 15.2, 15.3, Tumbleweed and Windows. Booting 15.3 gives an error, caused by a wrong certificate. I used Tumbleweed for the above procedure. Booting 15.2 also succeeds.

Entering both certificates using "mokutil --import" gives that they are already present. Booting MokManager.efi and choosing Enroll from disk gives all kinds of things to choose from; in fact they are folders. I tried all, but afterwards I am still unable to boot 15.3. When I list available certificates I only see one.

What am I doing wrong?

--
Kind regards,
openSUSE member
Freek de Kruijf
On Tue, Aug 3, 2021 at 12:02 PM Freek de Kruijf <freek@opensuse.org> wrote:
...
>> Install or force reinstall openSUSE-signkey-cert, reboot, and perform certificate enrollment in the MokManager screen. The password MokManager expects is the operating system root user password.
>>
>> Or, if the package is already installed, just manually create an enrollment request using
>>
>> mokutil --import /etc/uefi/certs/BDD31A9E-kmp.crt
>>
>> It will ask for the password to use in MokManager. Reboot, then confirm certificate enrollment in the MokManager screen.
>>
>> https://en.opensuse.org/openSUSE:UEFI#Enroll_MOK_certificate_with_mokutil_.28x86.2A_only.29
>
> I tried this procedure, but did not succeed.

Which of the two procedures listed above?

> Maybe my situation is different. It is: a Secure Boot multi-boot laptop with openSUSE 15.2, 15.3, Tumbleweed and Windows. Booting 15.3 gives an error, caused by a wrong certificate. I used Tumbleweed for

At which point? BIOS cannot load shim, shim cannot load grub, grub cannot load the kernel, or some errors after the kernel is loaded and started (although I am not sure what would display these errors during boot)?

> the above procedure.

Did you verify that the certificates are the same? I do not know. But if you have a problem with 15.3 you should use whatever is delivered with and for 15.3.

> Booting 15.2 also succeeds. Entering both certificates using "mokutil --import" gives that they are already present.

Who are "they"? But an educated guess is that you are booting using the openSUSE shim, which embeds the openSUSE certificate, which is the reason mokutil says this certificate is already present.

> Booting MokManager.efi and choosing Enroll from disk gives

I never said to choose "enroll from disk", so you must have been following some other procedure.

> all kinds of things to choose from; in fact they are folders. I tried all, but afterwards I am still unable to boot 15.3. When I list available certificates I only see one.
>
> What am I doing wrong?

It is difficult to understand what you are doing. Anyway, this is out of place on this list. Post your question to the support list and provide:

1. output of efibootmgr -v
2. mokutil --list-enrolled
3. full script of "mokutil --import", including the full invocation and all messages.
4. Description of at which point during boot you get an error and a screenshot/photo of this error (upload to https://susepaste.org/). Even better would be a photo of each boot step, starting from the very first screen until you get this error.