[opensuse-factory] Booting factory-tested LiveCD on UEFI secureboot system
Hi! While trying to boot openSUSE-Factory-GNOME-Live-x86_64-Snapshot20140829-Media.iso from a Live USB disk on my UEFI secureboot enabled laptop, I get the following error (I am paraphrasing here):
"The current device is blocked by system security policy", following which my system simply proceeds to boot the installed system rather than the Live USB. If I try the exact same routine with a 13.1 Live USB instead, it boots into the Live system all fine. Is there something I am not doing right, or is there some issue with factory booting on UEFI secureboot systems?
Thanks for any help.

--
Atri Bhattacharya <badshah400@aim.com>

--
Atri Bhattacharya
Dept. of Physics
University of Arizona
Phone: (520) 621 2453
Tue Sep 2 18:54:22 MST 2014
Sent from openSUSE 13.1 on my laptop.

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Tue, 02 Sep 2014 18:54:24 -0700 Atri Bhattacharya <badshah400@aim.com> wrote:
> Hi! While trying to boot openSUSE-Factory-GNOME-Live-x86_64-Snapshot20140829-Media.iso from a Live USB disk on my UEFI secureboot enabled laptop, I get the following error (I am paraphrasing here):
The short answer is that, for the time being, you will need to turn off secure-boot in your firmware if you want to boot factory live media (or the factory install DVD).

There's a new version of "shim" being used, and it does not yet have the required signatures for secure booting. Until that is corrected, secure-boot won't work for factory booting.

I am booting my factory system using the boot menu from opensuse 13.1. And that works fine. But it isn't easy to use that work-around for booting live media.
On 03.09.2014 at 05:30, Neil Rickert wrote:
> There's a new version of "shim" being used, and it does not yet have the required signatures for secure booting. Until that is corrected, secure-boot won't work for factory booting.
> I am booting my factory system using the boot menu from opensuse 13.1. And that works fine. But it isn't easy to use that work-around for booting live media.
Actually we discussed this before accepting shim and expected not many people requiring secure boot for factory. But looks like we were wrong and should make sure we get only MS signed shims into Factory. Which is a pity to rely on Microsoft for Factory development, but it will work out.

Should we revert shim or are you just testing this feature?

Greetings, Stephan

--
You have to keep fighting, fight until you drop, even if the whole world has gone mad, or precisely because of that.
Thanks a lot Stephan and Neil for your responses.

On Wed, 2014-09-03 at 08:13 +0200, Stephan Kulow wrote:
> On 03.09.2014 at 05:30, Neil Rickert wrote:
>> There's a new version of "shim" being used, and it does not yet have the required signatures for secure booting. Until that is corrected, secure-boot won't work for factory booting.
>> I am booting my factory system using the boot menu from opensuse 13.1. And that works fine. But it isn't easy to use that work-around for booting live media.
> Actually we discussed this before accepting shim and expected not many people requiring secure boot for factory. But looks like we were wrong and should make sure we get only MS signed shims into Factory. Which is a pity to rely on Microsoft for Factory development, but it will work out. Should we revert shim or are you just testing this feature?
Eventually, if you expect reasonably wide scale adoption of openSUSE:Factory as *the* installed version of openSUSE on systems, which I understand is the objective of the present Factory model, this issue will turn out to be a blocker, since most modern laptops come with UEFI-secureboot enabled.

I was trying the Factory LiveCD not only to test but also to see if upgrading the 13.1 openSUSE on my laptop to the rolling Factory version would sit well, but clearly this problem blocks me off from so upgrading completely. My other objective was also to test how 13.2 is turning out and maybe file some bugs if I could so find. I understand, then, that if the present situation persists, openSUSE 13.2 will also turn out to be uninstallable on secureboot enabled computers, isn't that so? That, for an official release version, would be really scary.

Best wishes.
> Greetings, Stephan
Atri Bhattacharya wrote:
> Thanks a lot Stephan and Neil for your responses.
> On Wed, 2014-09-03 at 08:13 +0200, Stephan Kulow wrote:
>> On 03.09.2014 at 05:30, Neil Rickert wrote:
>>> There's a new version of "shim" being used, and it does not yet have the required signatures for secure booting. Until that is corrected, secure-boot won't work for factory booting.
>>> I am booting my factory system using the boot menu from opensuse 13.1. And that works fine. But it isn't easy to use that work-around for booting live media.
>> Actually we discussed this before accepting shim and expected not many people requiring secure boot for factory. But looks like we were wrong and should make sure we get only MS signed shims into Factory. Which is a pity to rely on Microsoft for Factory development, but it will work out. Should we revert shim or are you just testing this feature?
> [...] me off from so upgrading completely. My other objective was also to test how 13.2 is turning out and maybe file some bugs if I could so find. I understand, then, that if the present situation persists, openSUSE 13.2 will also turn out to be uninstallable on secureboot enabled computers, isn't that so? That, for an official release version, would be really scary.
Factory's purpose is to get package updates all the time whereas releases are frozen. So a release would of course get a shim version with signature.

cu
Ludwig

--
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
On Wed, 03 Sep 2014 08:13:28 +0200 Stephan Kulow <coolo@suse.de> wrote:
> Actually we discussed this before accepting shim and expected not many people requiring secure boot for factory. But looks like we were wrong and should make sure we get only MS signed shims into Factory. Which is a pity to rely on Microsoft for Factory development, but it will work out. Should we revert shim or are you just testing this feature?
Personally, it isn't that important. I can't speak for others.

I am running factory full time at present, but I also have 13.1 installed as a fallback in case of problems. I consider it testing as thoroughly as I can. The only thing seriously affected by an unsigned (by Microsoft) "shim" is my ability to test secure-booting.
participants (4)
- Atri Bhattacharya
- Ludwig Nussel
- Neil Rickert
- Stephan Kulow