[kernel-bugs] [Bug 1175626] Recent update run on August 21, 2020 kills bootloader
http://bugzilla.opensuse.org/show_bug.cgi?id=1175626
http://bugzilla.opensuse.org/show_bug.cgi?id=1175626#c53
--- Comment #53 from Gary Ching-Pang Lin
(In reply to Gary Ching-Pang Lin from comment #45)
I guess the update of kernel triggered the enrollment of new signkey and the deletion of the old signkey. But somehow MokNew was gone, so MokManager thought that there was a reset.
How would MokNew go away? The scriptlets in the kernel rpm are written so that the keys won't be deleted as long as the system still has one kernel installed that needs them.
MokManager deletes the MokNew after loading it. This is a bug that should be fixed. It seems to me that MokManager was loaded but got stuck or just failed to draw the screen. John, have you seen the MokManager screen with Secure Boot enabled before? I wonder if it's a drawing problem. [snip]
I forced Yast to reinstall them, rebooted, and it's now working (not SecureBoot).
The forced reinstall may have caused harm. When you reinstall (and the version number of the nvidia-gfxG05-kmp-default package is the same as before), the installation procedure will generate a new key with the same file name, overwriting the previous one. Because of rpm scriptlet ordering (%postun is executed after %post), this might lead to the old key remaining present and the new one not being enrolled. I'm not 100% certain about this, but I guess it could happen. It's safer to delete the package and install it again.
I'm not saying this is the user's fault. It's rather a corner case that we may have overlooked. It does not apply to the kernel packages.
Reinstalling OS won't change MokList. The most reliable way is to reset the firmware to factory default. You'll need to restore the boot entries after that.
Isn't this an overkill recommendation? It should be only a last resort measure. Perhaps MokManager should have an option to reset the MokList only.
Although mokutil can create a reset request, it seems MokManager cannot be launched reliably, and that's why I recommend a firmware reset.