Comment # 119 on bug 1173158 from
(In reply to Tripple Moon from comment #115)
> (In reply to Gary Ching-Pang Lin from comment #114)
> > (In reply to Tripple Moon from comment #113)
> > > (In reply to Martin Wilck from comment #111)
> > > > (In reply to Tripple Moon from comment #108)
> > > > > Is there any way to revoke this choice, or is it only used by the current
> > > > > opensuse-shim?
> > > > 
> > > > Yes. "mokutil --list-enrolled" shows currently enrolled certificates in the
> > > > MoK. "mokutil --delete" will create a MoK request to delete this key. You
> > > > have to reboot and enter mokmanager to confirm.
> > > 
> > > If it is only enrolled in the MokList of the current boot then there is no
> > > problem at all.
> > > But when I boot into KeyTool from my own boot menu I don't see any key from
> > > openSUSE in the MokList, so where is this choice stored?
> > > 
> > > How does one enter the MokManager at boot time using the openSUSE shim?
> > 
> > "mokutil --import" will create an EFI variable called MokNew. When shim
> > detects the existence of MokNew, it loads MokManager for the further process.
> 
> I understand that method all too well, but the problem is that on my machine
> "mokutil --import" does not work properly and gives an error.
Is there any error message?

> At least that is what happened while I was using Kubuntu and I had to
> manually add the certificate to the MokList using KeyTool.efi from the
> efitools package/repo (I compiled on my own machine from sources)
> 
> But you still have not answered the last 2 questions in that reply.
> 1. "so where is this choice stored?" Meaning the choice to accept the
> opensuse certificate.
It means the certificate built in shim. When you choose "yes", shim stores 1 to
an EFI variable, use_openSUSE_cert, and won't bother you again. It can be
removed with "mokutil --revoke-cert".

> 2. "How does one enter the MokManager at boot time using the openSUSE shim?"
By design, shim launches MokManager only when there is a request for it. If you
really want to launch MokManager directly, disabling Secure Boot and loading
MokManager.efi directly from the firmware could be a choice. Or, you can manually
create a boot entry for MokManager. E.g.:

 # efibootmgr -c -d /dev/sda -p 1 -l "\EFI\opensuse\MokManager.efi" -L "MokManager"

Note: Here I assume that the ESP is sda1.
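
A read-only check of the two pieces of state described in this comment, as an added example that is not part of the original comment or of shim/mokutil. It assumes both use_openSUSE_cert and MokNew are readable at runtime through efivarfs; the function names are hypothetical and the all-zero GUID in the sample is a constructed placeholder, not shim's vendor GUID.

```shell
#!/bin/sh
# efivarfs names each file <VariableName>-<VendorGUID>; the first 4 bytes of
# a file are the variable's attributes and the payload follows them.

# Print the first payload byte (decimal) of the first variable named $2 in
# directory $1, or "absent" when no such variable exists.
efivar_first_byte() {
    for f in "$1"/"$2"-*; do
        [ -e "$f" ] || continue
        od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
        return 0
    done
    printf 'absent'
}

# Report whether the built-in certificate was accepted (variable holds 1)
# and whether a MokNew enrollment request is waiting for the next boot.
mok_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    cert=$(efivar_first_byte "$dir" use_openSUSE_cert)
    if [ "$cert" = 1 ]; then
        echo "builtin-cert=accepted"
    else
        echo "builtin-cert=not-accepted"
    fi
    if [ "$(efivar_first_byte "$dir" MokNew)" = absent ]; then
        echo "mok-request=none"
    else
        echo "mok-request=pending"
    fi
}

# Constructed sample (not real firmware data): attributes 0x07, payload 0x01.
demo_dir=$(mktemp -d)
printf '\007\000\000\000\001' \
    > "$demo_dir/use_openSUSE_cert-00000000-0000-0000-0000-000000000000"
mok_state "$demo_dir"
rm -rf "$demo_dir"
```

Calling mok_state with no argument reads /sys/firmware/efi/efivars on the running system.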