(In reply to Tripple Moon from comment #115)
> (In reply to Gary Ching-Pang Lin from comment #114)
> > (In reply to Tripple Moon from comment #113)
> > > (In reply to Martin Wilck from comment #111)
> > > > (In reply to Tripple Moon from comment #108)
> > > > > Is there any way to revoke this choice, or is it only used by the current
> > > > > opensuse-shim?
> > > >
> > > > Yes. "mokutil --list-enrolled" shows currently enrolled certificates in the
> > > > MoK. "mokutil --delete" will create a MoK request to delete this key. You
> > > > have to reboot and enter mokmanager to confirm.
> > >
> > > If it is only enrolled in the MokList of the current boot then there is no
> > > problem at all.
> > > But when I boot into KeyTool from my own boot menu I don't see any key from
> > > openSUSE in the MokList, so where is this choice stored?
> > >
> > > How does one enter the MokManager at boot time using the openSUSE shim?
> >
> > "mokutil --import" will create an EFI variable called MokNew. When shim
> > detects the existence of MokNew, it loads MokManager for the further process.
>
> I understand that method all too well, but the problem is that on my machine
> "mokutil --import" does not work properly and gives an error.

Is there any error message?

> At least that is what happened while I was using Kubuntu and I had to
> manually add the certificate to the MokList using KeyTool.efi from the
> efitools package/repo (I compiled on my own machine from sources)
>
> But you still have not answered the last 2 questions in that reply.
> 1. "so where is this choice stored?" Meaning the choice to accept the
> opensuse certificate.

It means the certificate built in shim. When you choose "yes", shim stores 1 to an EFI variable, use_openSUSE_cert, and won't bother you again. It can be removed with "mokutil --revoke-cert".

> 2. "How does one enter the MokManager at boot time using the openSUSE shim?"

By design, shim launches MokManager only when there is a request for it.
If you really want to launch MokManager directly, disabling Secure Boot and loading MokManager.efi directly from the firmware could be a choice. Or, you can manually create a boot entry for MokManager. E.g.:

# efibootmgr -c -d /dev/sda -p 1 -l "\EFI\opensuse\MokManager.efi" -L "MokManager"

Note: Here I assume that the ESP is sda1.