kernel-vanilla: incorrect shim signature
Hi, I am running openSUSE 15.3 and I would like to test the drm-tip kernel branch on my hardware. I am trying to install and run kernel-vanilla-5.17.0-kt.5.1.g401575d from the following repo: https://download.opensuse.org/repositories/home:/tiwai:/kernel:/drm-tip/open... In spite of the package has been installed successfully, I cannot boot due to "incorrect shim signature" at a very early stage. Secure boot is enabled currently. What is the proper way to overcome this problem? I suppose disabling secure boot should help. -- With best regards, Matwey V. Kornilov
Hello, On Sat, Mar 26, 2022 at 12:03:53PM +0300, Matwey V. Kornilov wrote:
Hi,
I am running openSUSE 15.3 and I would like to test the drm-tip kernel branch on my hardware. I am trying to install and run kernel-vanilla-5.17.0-kt.5.1.g401575d from the following repo: https://download.opensuse.org/repositories/home:/tiwai:/kernel:/drm-tip/open...
In spite of the package has been installed successfully, I cannot boot due to "incorrect shim signature" at a very early stage. Secure boot is enabled currently. What is the proper way to overcome this problem? I suppose disabling secure boot should help.
You need enroll the new kernel key. It should happeen automaticaly but there si a timeout at boot and if you do not confirm enrollment the key is NOT enrolled and you can NOT boot the new kernel. You can list enroleld keys with mokutil --list-enrolled the keys to enroll with mokutil --list-new the kernel key with openssl x509 -in $(rpm -ql kernel-vanilla-5.17.0-kt.5.1.g401575d | grep 'uefi.*crt') -inform der -noout -text HTH Michal
сб, 26 мар. 2022 г. в 15:31, Michal Suchánek <msuchanek@suse.de>:
Hello,
On Sat, Mar 26, 2022 at 12:03:53PM +0300, Matwey V. Kornilov wrote:
Hi,
I am running openSUSE 15.3 and I would like to test the drm-tip kernel branch on my hardware. I am trying to install and run kernel-vanilla-5.17.0-kt.5.1.g401575d from the following repo: https://download.opensuse.org/repositories/home:/tiwai:/kernel:/drm-tip/open...
In spite of the package has been installed successfully, I cannot boot due to "incorrect shim signature" at a very early stage. Secure boot is enabled currently. What is the proper way to overcome this problem? I suppose disabling secure boot should help.
You need enroll the new kernel key. It should happeen automaticaly but there si a timeout at boot and if you do not confirm enrollment the key is NOT enrolled and you can NOT boot the new kernel.
You can list enroleld keys with
mokutil --list-enrolled
the keys to enroll with
mokutil --list-new
the kernel key with
openssl x509 -in $(rpm -ql kernel-vanilla-5.17.0-kt.5.1.g401575d | grep 'uefi.*crt') -inform der -noout -text
HTH
Michal
Thank you. I've managed to get it working now. -- With best regards, Matwey V. Kornilov
participants (2)
-
Matwey V. Kornilov -
Michal Suchánek