Missing key when upgrading from Leap 15.2 to 15.3
Hi,

In boo#1188475, a user with secure boot enabled is having trouble loading the VirtualBox modules. When he runs the 'mokutil -l' command, the only key he has installed is "SUSE Linux Enterprise Secure Boot CA", but the vbox modules are signed with "openSUSE Secure Boot CA".

There have been no other complaints about this problem. Either most users have secure boot off as I do, or a fresh install (not upgrade) gets different keys.

Is there any easy way to instruct him to add that additional key? What package is supposed to have that key?

Thanks,
Larry
On Fri, 2021-07-23 at 11:49 -0500, Larry Finger wrote:
Hi,
In boo#1188475, a user with secure boot enabled is having trouble loading the VirtualBox modules. When he runs the 'mokutil -l' command, the only key he has installed is "SUSE Linux Enterprise Secure Boot CA", but the vbox modules are signed with "openSUSE Secure Boot CA".
There have been no other complaints about this problem. Either most users have secure boot off as I do, or a fresh install (not upgrade) gets different keys.
Is there any easy way to instruct him to add that additional key? What package is supposed to have that key?
Thanks,
Larry
I believe that would come from the "shim" package. I recently updated a Win10 laptop to Win11 and it dual-boots Tumbleweed. Needless to say, TW wouldn't boot after enabling "Secure Boot" so Win11 would install. There's a checkbox in YaST for 'Secure Boot' (which wasn't checked from initial installation) and after disabling 'Secure Boot' to get into TW, then ticking that box I was able to leave 'Secure Boot' enabled.

'mokutil -l' shows:

    [key 1]
    SHA1 Fingerprint: 46:59:83:8c:82:03:fe:15:52:ad:19:e1:86:09:db:21:7e:3a:d2:4f
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
            Validity
                Not Before: Aug 26 16:12:07 2013 GMT
                Not After : Jul 22 16:12:07 2035 GMT
            Subject: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org

and 'rpm -ql shim' shows a reference to the SN of that cert:

    $ rpm -ql shim
    /etc/uefi
    /etc/uefi/certs
    /etc/uefi/certs/4659838C-shim.crt
    /usr/lib64/efi
    /usr/lib64/efi/MokManager.efi
    /usr/lib64/efi/fallback.efi
    /usr/lib64/efi/shim-opensuse.efi
    /usr/lib64/efi/shim.efi
    /usr/sbin/shim-install
    /usr/share/doc/packages/shim
    /usr/share/doc/packages/shim/COPYRIGHT
    /usr/share/doc/packages/shim/README
    /usr/share/efi
    /usr/share/efi/x86_64
    /usr/share/efi/x86_64/MokManager.efi
    /usr/share/efi/x86_64/fallback.efi
    /usr/share/efi/x86_64/shim-opensuse.der
    /usr/share/efi/x86_64/shim-opensuse.efi
    /usr/share/efi/x86_64/shim.efi

Don't know if it's enough to just install that package (or it would compete w/ a similar package on Leap) but I'd surmise there's a SLE "shim" and a Leap/TW "shim". Maybe downloading the Leap/TW "shim" package and getting the .crt file out of it would be enough.

--
~ Scott Bradnick
|- Windows Subsystem for Linux (WSL) Developer
|-- Tumbleweed:
|--- Raspberry Pi 4 Model B Rev 1.2 (aarch64)
|--- Dell Precision 5540 (NVIDIA Quadro T1000)
https://keys.openpgp.org/ :: DBC5AA9A2D2BAEBC
On 23.07.2021 19:49, Larry Finger wrote:
Hi,
In boo#1188475, a user with secure boot enabled is having trouble loading the VirtualBox modules. When he runs the 'mokutil -l' command, the only key he has installed is "SUSE Linux Enterprise Secure Boot CA", but the vbox modules are signed with "openSUSE Secure Boot CA".
There have been no other complaints about this problem. Either most users have secure boot off as I do, or a fresh install (not upgrade) gets different keys.
Is there any easy way to instruct him to add that additional key? What package is supposed to have that key?
The key /etc/uefi/certs/BDD31A9E-kmp.crt is provided by openSUSE-signkey-cert:

    Issuer: CN = openSUSE Secure Boot CA, C = DE, L = Nuremberg, O = openSUSE Project, emailAddress = build@opensuse.org
    Subject: CN = openSUSE Secure Boot Signkey, C = DE, L = Nuremberg, O = openSUSE Project, emailAddress = build@opensuse.org
    SHA1 Fingerprint=BD:D3:1A:9E:0F:7E:D3:12:76:84:65:E6:57:8E:0D:C0:00:64:46:16

This package is not required by anything; it is recommended by the base pattern and suggested by openSUSE-release. So if you disabled recommends (solver.onlyRequires=true) you won't get it.

Of course, installing this package just creates an enrollment request; it is easy to miss MokManager on reboot, and my feeling is that no user is aware what password is expected anyway, so they just give up even if they happen to actually see MokManager. And shim deletes all enrollment requests, so it is a one-time offer.
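A diagnostic for the situation Larry and Andrei describe, as an added example that is not part of the thread: it compares the signer name a kernel module carries (`modinfo -F signer <module>`) against the Subject CNs of the keys `mokutil -l` reports as enrolled. The MOK listings in it are constructed samples in the layout shown in the thread; the O/emailAddress fields and the first fingerprint are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the certificate a kernel
# module was signed with is among the MOK-enrolled certificates. A module whose
# signer is missing from this list is rejected under Secure Boot even though
# it is validly signed, which is the symptom in boo#1188475.

# Print the Subject CN of every key in `mokutil -l` output read from stdin.
# Handles both the "CN=..." and the newer "CN = ..." openssl layouts.
enrolled_subject_cns() {
    sed -n 's/^[[:space:]]*Subject: *CN *= *\([^,]*\),.*/\1/p'
}

# Exit 0 if $1 (a signer name as printed by `modinfo -F signer <module>`)
# is the Subject CN of some key in the `mokutil -l` output on stdin.
signer_enrolled() {
    enrolled_subject_cns | grep -Fxq -- "$1"
}

# Constructed sample: MOK list of a system upgraded from Leap 15.2 that
# carries only the SLE CA (fingerprint and O field are placeholders).
SAMPLE_MOK_LIST='[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Issuer: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=PLACEHOLDER
        Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=PLACEHOLDER'

# Constructed sample: the same list after openSUSE-signkey-cert was enrolled
# (fingerprint and names as given in Andrei's reply above).
SAMPLE_MOK_LIST_FIXED="$SAMPLE_MOK_LIST
[key 2]
SHA1 Fingerprint: bd:d3:1a:9e:0f:7e:d3:12:76:84:65:e6:57:8e:0d:c0:00:64:46:16
Certificate:
        Issuer: CN = openSUSE Secure Boot CA, C = DE, L = Nuremberg, O = openSUSE Project
        Subject: CN = openSUSE Secure Boot Signkey, C = DE, L = Nuremberg, O = openSUSE Project"

# Live use on the affected machine (vboxdrv is one of the VirtualBox modules):
#   mokutil -l | signer_enrolled "$(modinfo -F signer vboxdrv)" \
#     && echo "signer enrolled" \
#     || echo "signer not enrolled: install openSUSE-signkey-cert, reboot, complete MokManager"
```

If the signer is missing, the fix Andrei names still needs the one-time MokManager enrollment on the next reboot to take effect.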
On 7/23/21 12:32 PM, Scott Bradnick wrote:
I believe that would come from the "shim" package. I recently updated a Win10 laptop to Win11 and it dual-boots Tumbleweed. Needless to say, TW wouldn't boot after enabling "Secure Boot" so Win11 would install. There's a checkbox in YaST for 'Secure Boot' (which wasn't checked from initial installation) and after disabling 'Secure Boot' to get into TW, then ticking that box I was able to leave 'Secure Boot' enabled.
Where is this checkbox in YaST? I do not have an EFI system, thus I expect that the feature is disabled.

Larry
On Fri, 2021-07-23 at 16:52 -0500, Larry Finger wrote:
On 7/23/21 12:32 PM, Scott Bradnick wrote:
I believe that would come from the "shim" package. I recently updated a Win10 laptop to Win11 and it dual-boots Tumbleweed. Needless to say, TW wouldn't boot after enabling "Secure Boot" so Win11 would install. There's a checkbox in YaST for 'Secure Boot' (which wasn't checked from initial installation) and after disabling 'Secure Boot' to get into TW, then ticking that box I was able to leave 'Secure Boot' enabled.
Where is this checkbox in YaST? I do not have an EFI system, thus I expect that the feature is disabled.
Larry
# yast "System -> Boot Loader"

Here's a paste of what I'm referring to: https://paste.opensuse.org/ab82f060

This is from my raspberry pi 4 running TW, but the idea is the same.

--
~ Scott Bradnick
|- Windows Subsystem for Linux (WSL) Developer
|-- Tumbleweed:
|--- Raspberry Pi 4 Model B Rev 1.2 (aarch64)
|--- Dell Precision 5540 (NVIDIA Quadro T1000)
https://keys.openpgp.org/ :: DBC5AA9A2D2BAEBC
participants (3): Andrei Borzenkov, Larry Finger, Scott Bradnick