[opensuse-factory] Secure Boot Keys
Hello,

can anyone tell me the place where I can find the openSUSE / SUSE Secure Boot key files? After exporting the certificates from the BIOS I found only ASUS, Microsoft and Canonical (?) keys / certificates in the files. I never installed Ubuntu (?).

I would like to install these files manually; I hope afterwards I can test with Secure Boot ;).

Best regards,
Günther J. Niederwimmer
On Wed, Apr 09, 2014 at 10:34:21AM +0200, Günther J. Niederwimmer wrote:
> Hello,
>
> can anyone tell me the place where I can find the openSUSE / SUSE Secure Boot key files? After exporting the certificates from the BIOS I found only ASUS, Microsoft and Canonical (?) keys / certificates in the files. I never installed Ubuntu (?).

The openSUSE/SUSE keys are available in the build service:

For openSUSE 12.3/13.1
https://build.opensuse.org/package/view_file/devel:openSUSE:Factory/shim/ope...

For openSUSE 13.2+
https://build.opensuse.org/package/view_file/devel:openSUSE:Factory/shim/ope...

For SUSE:
https://build.opensuse.org/package/view_file/devel:openSUSE:Factory/shim/SLE...

Just copy the strings to a file, say key.crt, and convert it to DER format.

$ openssl x509 -in key.crt -outform DER -out key.der

> I would like to install these files manually; I hope afterwards I can test with Secure Boot ;).

AFAIK, not every firmware vendor allows the user to enroll a customer key. Starting from openSUSE 12.3, a shim loader with MS signature was included, so theoretically you can boot openSUSE 12.3+ in a Secure Boot enabled box with MS key. You may need some workaround for some old firmware though.

Cheers,

Gary Lin
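
The conversion step from the message above, extended with a check that the DER file is still the same certificate as the PEM text. This is an added example, not part of the original thread; the function names are hypothetical, and a throwaway self-signed certificate (constructed) stands in for the text copied from the build service.

```shell
#!/bin/sh
# Added example: PEM -> DER conversion with verification (hypothetical helper names).
set -e

# cert_encoding FILE: print PEM, DER or UNKNOWN, judged by content, not by file name.
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# cert_fingerprint FILE: SHA-256 fingerprint of the certificate in either encoding.
cert_fingerprint() {
    openssl x509 -inform "$(cert_encoding "$1")" -in "$1" \
        -noout -fingerprint -sha256 | cut -d= -f2
}

# to_der IN OUT: convert to DER; fails unless the fingerprint is unchanged.
to_der() {
    enc=$(cert_encoding "$1")
    [ "$enc" != UNKNOWN ] || { echo "not a certificate: $1" >&2; return 1; }
    openssl x509 -inform "$enc" -in "$1" -outform DER -out "$2"
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# make_sample_cert OUT: constructed self-signed certificate used as sample input.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed sample CA' \
        -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$1.key"
}

demo() {
    dir=$(mktemp -d)
    make_sample_cert "$dir/key.crt"
    to_der "$dir/key.crt" "$dir/key.der"
    echo "key.crt: $(cert_encoding "$dir/key.crt")  key.der: $(cert_encoding "$dir/key.der")"
    # Details to compare against a trusted copy of the certificate.
    openssl x509 -inform DER -in "$dir/key.der" -noout -subject -dates -fingerprint -sha256
    rm -rf "$dir"
}
demo
```

Compare the printed subject and SHA-256 fingerprint with a trusted copy of the certificate before enrolling key.der.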
Hello Gary,

Thanks for the answer, but I have a question again ;).

I am doing this for the first time....

Is this a KEK or PK file? I have 4 possible insert positions: KEK, PK, db, dbx.

I read online that the file has to be named key.cer; you write key.der. Which is correct?

Thanks for an answer.

Best regards,
Günther J. Niederwimmer

-----Original Message-----
From: Gary Ching-Pang Lin [mailto:glin@suse.com]
Sent: Wednesday, 09 April 2014 11:36
To: Günther J. Niederwimmer
Cc: opensuse-factory@opensuse.org
Subject: Re: [opensuse-factory] Secure Boot Keys

On Wed, Apr 09, 2014 at 10:34:21AM +0200, Günther J. Niederwimmer wrote:
> Hello,
>
> can anyone tell me the place where I can find the openSUSE / SUSE Secure Boot key files? After exporting the certificates from the BIOS I found only ASUS, Microsoft and Canonical (?) keys / certificates in the files. I never installed Ubuntu (?).

The openSUSE/SUSE keys are available in the build service:

For openSUSE 12.3/13.1
https://build.opensuse.org/package/view_file/devel:openSUSE:Factory/shim/openSUSE-UEFI-CA-Certificate-4096.crt?expand=1

For openSUSE 13.2+
https://build.opensuse.org/package/view_file/devel:openSUSE:Factory/shim/openSUSE-UEFI-CA-Certificate.crt?expand=1

For SUSE:
https://build.opensuse.org/package/view_file/devel:openSUSE:Factory/shim/SLES-UEFI-CA-Certificate.crt?expand=1

Just copy the strings to a file, say key.crt, and convert it to DER format.

$ openssl x509 -in key.crt -outform DER -out key.der

> I would like to install these files manually; I hope afterwards I can test with Secure Boot ;).

AFAIK, not every firmware vendor allows the user to enroll a customer key. Starting from openSUSE 12.3, a shim loader with MS signature was included, so theoretically you can boot openSUSE 12.3+ in a Secure Boot enabled box with MS key. You may need some workaround for some old firmware though.

Cheers,

Gary Lin
Günther J. Niederwimmer wrote:
> Hello Gary,
>
> Thanks for the answer, but I have a question again ;).
>
> I am doing this for the first time....
>
> Is this a KEK or PK file? I have 4 possible insert positions: KEK, PK, db, dbx.
>
> I read online that the file has to be named key.cer; you write key.der. Which is correct?

Maybe this wiki article helps explain the difference:
https://en.opensuse.org/openSUSE:UEFI#Booting_the_Machine_without_vendor_pro...

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
On Wed, 09 Apr 2014 10:34:21 +0200, Günther J. Niederwimmer wrote:
> Hello,
>
> can anyone tell me the place where I can find the openSUSE / SUSE Secure Boot key files? After exporting the certificates from the BIOS I found only ASUS, Microsoft and Canonical (?) keys / certificates in the files. I never installed Ubuntu (?).
>
> I would like to install these files manually; I hope afterwards I can test with Secure Boot ;).

You do not need to install any key. Just boot the installation DVD (not live) on a system with Secure Boot enabled and it will automatically set up the bootloader appropriately. If not, you have either hit a bug or have some weird system that may need a manual workaround.
participants (4)
- Andrey Borzenkov
- Gary Ching-Pang Lin
- Günther J. Niederwimmer
- Ludwig Nussel