KMP signature key is provided as /etc/uefi/certs/BDD31A9E-kmp.crt, but apparently nothing enrolls this key automatically. It is missing after update to Leap 15.4:

bor@10:~> mokutil --list-enrolled | grep 'SHA1 Finger'
SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
SHA1 Fingerprint: 4a:aa:0b:54:67:76:1e:cf:c0:0a:42:32:b1:7a:b4:8b:3e:09:a3:bf
bor@10:~>

And there is no enrollment request after installation of KMP:

bor@10:~> sudo zypper in bbswitch-kmp-default
...
bor@10:~> mokutil --list-new
bor@10:~>

Looking at kernel-scriptlets, certificate is handled by inkpm-script, but (at least, this KMP) calls kmp-script.

Is it a bug, missing feature or what? KMP was built for 15.4:

bor@10:~> zypper se -s bbswitch-kmp-default
Loading repository data...
Reading installed packages...
S | Name | Type | Version | Arch | Repository
---+----------------------+---------+------------------------------------+--------+----------------
i+ | bbswitch-kmp-default | package | 0.8_k5.14.21_150400.22-lp154.1.187 | x86_64 | Main Repository
bor@10:~>

On Fri, Jun 10, 2022 at 06:03:42PM +0300, Andrei Borzenkov wrote:
> KMP signature key is provided as /etc/uefi/certs/BDD31A9E-kmp.crt, but apparently nothing enrolls this key automatically. It is missing after update to Leap 15.4:
> bor@10:~> mokutil --list-enrolled | grep 'SHA1 Finger'
> SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
> SHA1 Fingerprint: 4a:aa:0b:54:67:76:1e:cf:c0:0a:42:32:b1:7a:b4:8b:3e:09:a3:bf
> bor@10:~>
> And there is no enrollment request after installation of KMP:
> bor@10:~> sudo zypper in bbswitch-kmp-default
> ...
> bor@10:~> mokutil --list-new
> bor@10:~>
> Looking at kernel-scriptlets, certificate is handled by inkpm-script, but (at least, this KMP) calls kmp-script.
> Is it a bug, missing feature or what? KMP was built for 15.4:

I think this is probably the same bug as boo#1195118. The problem is understood, but the proper solution is not there yet.

Giacomo

> bor@10:~> zypper se -s bbswitch-kmp-default
> Loading repository data...
> Reading installed packages...
> S | Name | Type | Version | Arch | Repository
> ---+----------------------+---------+------------------------------------+--------+----------------
> i+ | bbswitch-kmp-default | package | 0.8_k5.14.21_150400.22-lp154.1.187 | x86_64 | Main Repository
> bor@10:~>

On 10.06.2022 18:45, Giacomo Comes wrote:
> On Fri, Jun 10, 2022 at 06:03:42PM +0300, Andrei Borzenkov wrote:
>> KMP signature key is provided as /etc/uefi/certs/BDD31A9E-kmp.crt, but apparently nothing enrolls this key automatically. It is missing after update to Leap 15.4:
>> bor@10:~> mokutil --list-enrolled | grep 'SHA1 Finger'
>> SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
>> SHA1 Fingerprint: 4a:aa:0b:54:67:76:1e:cf:c0:0a:42:32:b1:7a:b4:8b:3e:09:a3:bf
>> bor@10:~>
>> And there is no enrollment request after installation of KMP:
>> bor@10:~> sudo zypper in bbswitch-kmp-default
>> ...
>> bor@10:~> mokutil --list-new
>> bor@10:~>
>> Looking at kernel-scriptlets, certificate is handled by inkpm-script, but (at least, this KMP) calls kmp-script.
>> Is it a bug, missing feature or what? KMP was built for 15.4:
> I think this is probably the same bug as boo#1195118.

This bug revolves around missing root password hash during initial installation. In this case this was an online upgrade from Leap 15.2 (waiting for Carlos telling me that it is not supported).

# 2022-06-09 08:08:07 openSUSE-signkey-cert-20210302-lp154.1.2.x86_64.rpm installed ok
# Additional rpm output:
# Already in kernel trusted keyring. Skip /etc/uefi/certs/BDD31A9E-kmp.crt
#

Which is correct because at the time of installation the active kernel was *openSUSE* kernel which had this key as built-in ... I am not going to press this particular issue (it may have been relevant for "supported" 15.2 -> 15.3, although I am not sure whether mokutil in 15.3 already checked kernel keyring).

My primary point is - every KMP must request key enrollment during installation. I am pretty sure it was the case in the past, but maybe something was lost in transition to kernel-scriptlets.
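
A read-only check for the situation discussed in this thread, as an added example that is not part of the original messages or of kernel-scriptlets: it compares the SHA1 fingerprint of each certificate under /etc/uefi/certs with the output of mokutil --list-enrolled and mokutil --list-new. The function names, the --check switch and the DER-then-PEM fallback are assumptions; a key that is only built into the running kernel has no MOK entry and is reported as missing here.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only: nothing is imported into MOK.

# Reduce "SHA1 Fingerprint: bc:a4:..." (mokutil) or "SHA1 Fingerprint=BC:A4:..."
# (openssl) lines on stdin to 40 lowercase hex digits, one per line.
norm_fp() {
    sed -n 's/^[[:space:]]*[Ss][Hh][Aa]1 Fingerprint[:=][[:space:]]*//p' |
        tr -d ': \r' | tr 'A-F' 'a-f' | sed -n '/^[0-9a-f]\{40\}$/p'
}

# cert_state FP ENROLLED_LIST PENDING_LIST -> enrolled | pending | missing | unreadable
cert_state() {
    [ -n "$1" ] || { echo unreadable; return 0; }
    if printf '%s\n' "$2" | grep -qxF "$1"; then echo enrolled
    elif printf '%s\n' "$3" | grep -qxF "$1"; then echo pending
    else echo missing
    fi
}

# SHA1 fingerprint of a certificate file; tries DER first, then PEM
# (assumption: the file is in one of these two encodings).
cert_fp() {
    { openssl x509 -inform DER -noout -fingerprint -sha1 -in "$1" 2>/dev/null ||
      openssl x509 -inform PEM -noout -fingerprint -sha1 -in "$1" 2>/dev/null; } | norm_fp
}

# check_certs DIR: print "<state><TAB><file>" for every *.crt in DIR.
# Returns 1 if any certificate is neither enrolled nor pending enrollment.
check_certs() {
    command -v mokutil >/dev/null || { echo "mokutil not found" >&2; return 2; }
    enrolled=$(mokutil --list-enrolled 2>/dev/null | norm_fp)
    pending=$(mokutil --list-new 2>/dev/null | norm_fp)
    rc=0
    for crt in "$1"/*.crt; do
        [ -e "$crt" ] || continue
        state=$(cert_state "$(cert_fp "$crt")" "$enrolled" "$pending")
        printf '%s\t%s\n' "$state" "$crt"
        [ "$state" = enrolled ] || [ "$state" = pending ] || rc=1
    done
    return $rc
}

# Usage: sh mok-check.sh --check [DIR]   (DIR defaults to /etc/uefi/certs)
if [ "${1:-}" = "--check" ]; then
    check_certs "${2:-/etc/uefi/certs}"
fi
```
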
participants (2)
- Andrei Borzenkov
- Giacomo Comes