http://bugzilla.opensuse.org/show_bug.cgi?id=1173158
http://bugzilla.opensuse.org/show_bug.cgi?id=1173158#c119
--- Comment #119 from Gary Ching-Pang Lin
(In reply to Gary Ching-Pang Lin from comment #114)
(In reply to Tripple Moon from comment #113)
(In reply to Martin Wilck from comment #111)
(In reply to Tripple Moon from comment #108)
Is there any way to revoke this choice, or is it only used by the current opensuse-shim?
Yes. "mokutil --list-enrolled" shows currently enrolled certificates in the MoK. "mokutil --delete" will create a MoK request to delete this key. You have to reboot and enter mokmanager to confirm.
If it is only enrolled in the MokList of the current boot then there is no problem at all. But when I boot into KeyTool from my own boot menu I don't see any key from openSUSE in the MokList, so where is this choice stored?
How does one enter the MokManager at boot time using the openSUSE shim?
"mokutil --import" will create an EFI variable called MokNew. When shim detects the existence of MokNew, it loads MokManager for the further process.
I understand that method all too well, but the problem is that on my machine "mokutil --import" does not work properly and gives an error.
Is there any error message?
At least that is what happened while I was using Kubuntu and I had to manually add the certificate to the MokList using KeyTool.efi from the efitools package/repo (I compiled on my own machine from sources).
But you still have not answered the last 2 questions in that reply.
1. "so where is this choice stored?" Meaning the choice to accept the opensuse certificate.
It means the certificate built in shim. When you choose "yes", shim stores 1 to an EFI variable, use_openSUSE_cert, and won't bother you again. It can be removed with "mokutil --revoke-cert".
2. "How does one enter the MokManager at boot time using the openSUSE shim?"
By design, shim launches MokManager only when there is a request for it. If you really want to launch MokManager directly, disabling Secure Boot and loading MokManager.efi directly from the firmware could be a choice. Or, you can manually create a boot entry for MokManager. E.g.:
# efibootmgr -c -d /dev/sda -p 1 -l "\EFI\opensuse\MokManager.efi" -L "MokManager"
Note: Here I assume that the ESP is sda1.
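
Added example, not part of the original comment or of shim/mokutil: a POSIX shell check that reads the two EFI variables named in this comment (MokNew and use_openSUSE_cert) from efivarfs, to see whether shim will start MokManager on the next boot and whether the built-in certificate prompt has already been answered. It assumes the usual efivarfs layout (files named <Name>-<GUID> with a 4-byte attribute header) and that the first data byte of use_openSUSE_cert holds the stored value; find_var, first_data_byte, mok_state and make_sample are hypothetical helper names, and the GUID in make_sample is a placeholder.

```shell
#!/bin/sh
# Added example (not from the bug report): read shim's MoK state from efivarfs.
# Assumptions: efivarfs files are named <Name>-<GUID>, and each file starts
# with a 4-byte attribute header followed by the variable's data.

# Print the path of the first entry named "<name>-<GUID>" in directory $1.
find_var() {
    for f in "$1/$2"-*; do
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Print the first data byte (after the attribute header) as a decimal number.
first_data_byte() {
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Report a pending enrolment request (MokNew) and the stored answer to the
# built-in certificate prompt (use_openSUSE_cert).
mok_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    if find_var "$dir" MokNew >/dev/null; then
        echo "enroll-request: pending"
    else
        echo "enroll-request: none"
    fi
    if var=$(find_var "$dir" use_openSUSE_cert); then
        echo "use_openSUSE_cert: $(first_data_byte "$var")"
    else
        echo "use_openSUSE_cert: not set"
    fi
}

# Build a constructed efivars directory (placeholder GUID, made-up contents).
make_sample() {
    guid=00000000-0000-0000-0000-000000000000
    printf '\007\000\000\000\001' > "$1/use_openSUSE_cert-$guid"
    printf '\007\000\000\000' > "$1/MokNew-$guid"
}

# With no argument this inspects the running system's efivarfs.
mok_state "$@"
```

Pass a directory as the first argument to inspect a copy of the variables instead of the live efivarfs.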