On Tuesday, 3 August 2021 11:16:27 CEST, Andrei Borzenkov wrote:
On Tue, Aug 3, 2021 at 12:02 PM Freek de Kruijf <freek@opensuse.org> wrote: ...
Install or force reinstall openSUSE-signkey-cert, reboot, perform certificate enrollment in the MokManager screen. The password MokManager expects is the operating system root user password.
Or, if the package is already installed, just manually create an enrollment request using
mokutil --import /etc/uefi/certs/BDD31A9E-kmp.crt
It will ask for a password to use in MokManager. Reboot, confirm certificate enrollment in the MokManager screen.
https://en.opensuse.org/openSUSE:UEFI#Enroll_MOK_certificate_with_mokutil_.28x86.2A_only.29
I tried this procedure, but did not succeed.
Which of the two procedures listed above?
I should have said I tried the suggestions in this article.
Maybe my situation is different. It is:
Secure multi-boot laptop with openSUSE 15.2, 15.3, Tumbleweed and Windows
Booting 15.3 gives error, caused by wrong certificate.
I used Tumbleweed for the above procedure.
At which point? BIOS cannot load shim, shim cannot load grub, grub cannot load kernel, some errors after kernel is loaded and started (although I am not sure what would display these errors during boot)?
When I boot 15.3 from grub I get a window with error
../../grub.......... bad shim signature .....
I used in Tumbleweed:
mokutil --import /suse153/etc/uefi/certs/BDD31A9E-kmp.crt
mokutil --import /etc/uefi/certs/BDD31A9E-kmp.crt
both give:
Already in kernel trusted keyring.
Did you verify that certificates are the same?
I do not know.
But if you have a problem with 15.3 you should use whatever is delivered with and for 15.3.
Booting 15.2 succeeds also. Entering both certificates using "mokutil --import" gives that they are already present.
See above for both.
Who are "they"? But an educated guess is that you are booting using the openSUSE shim, which embeds the openSUSE certificate, which is the reason mokutil says this certificate is already present.
Booting MokManager.efi and choosing Enroll from disk gives
I never said to choose "enroll from disk" so you must have been following some other procedure.
all kinds of things to choose from; in fact they are folders. I tried all, but afterwards I am still unable to boot 15.3. When I list available certificates I only see one.
What am I doing wrong?
It is difficult to understand what you are doing. Anyway, this is out of place on this list. Post your question to the support list and provide
1. output of efibootmgr -v
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0001,2001,2002,2003
Boot0000* opensuse-secureboot HD(2,GPT,4b5a9cda-e2ef-4d5f-87ee-a79393267592,0x12c800,0x96000)/File(\EFI\opensuse\shim.efi)
Boot0001* Windows Boot Manager HD(2,GPT,4b5a9cda-e2ef-4d5f-87ee-a79393267592,0x12c800,0x96000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}....................
Boot2001* EFI USB Device RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network RC
2. mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: 46:59:83:8c:82:03:fe:15:52:ad:19:e1:86:09:db:21:7e:3a:d2:4f
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
Validity
Not Before: Aug 26 16:12:07 2013 GMT
Not After : Jul 22 16:12:07 2035 GMT
Subject: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
[rest removed...]
Only one certificate.
3. full script of "mokutil --import" including full invocation and all messages.
See above.
4. Description at which point during boot you get an error and screenshot/photo of this error (upload to https://susepaste.org/).
See above description.
Even better would be a photo of each boot step starting from the very first screen until you get this error.
I get the grub menu and choose Leap 15.3; after that I get a subwindow with the error message mentioned above.
When I use c in the grub menu, I enter "chainloader (hd0,2)/EFI/opensuse/MokManager.efi" and "boot" behind the grub> prompt. I get the MokManager window asking for the password, which I enter, but after that I do NOT get Enroll Mok, only boot, enroll from disk, and enroll from hash.
--
fr.gr.
member openSUSE
Freek de Kruijf
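Added example, not part of the original messages and not an openSUSE tool: one way to answer the question in the thread of whether the two certificate files are the same and whether either one appears in the MOK list, by comparing SHA-1 fingerprints of the files with those printed by `mokutil --list-enrolled`. The function names are assumptions of this example, and the sample text is the fingerprint line quoted in the thread; both PEM and DER files are handled.

```python
import base64
import hashlib
import re

# Sample input: the start of the "mokutil --list-enrolled" text quoted in the thread.
LIST_ENROLLED = """\
[key 1]
SHA1 Fingerprint: 46:59:83:8c:82:03:fe:15:52:ad:19:e1:86:09:db:21:7e:3a:d2:4f
Certificate:
    Data:
        Version: 3 (0x2)
"""

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
FPR_RE = re.compile(
    r"SHA1 Fingerprint:\s*((?:[0-9a-f]{2}:){19}[0-9a-f]{2})", re.I)


def cert_fingerprint(raw: bytes) -> str:
    """SHA-1 over the DER encoding, formatted like mokutil (aa:bb:...)."""
    m = PEM_RE.search(raw)
    der = base64.b64decode(m.group(1)) if m else raw  # PEM wrapper or bare DER
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def enrolled_fingerprints(mokutil_text: str) -> set:
    """Fingerprints listed in `mokutil --list-enrolled` output."""
    return {f.lower() for f in FPR_RE.findall(mokutil_text)}


def compare(certs: dict, mokutil_text: str) -> dict:
    """Map each certificate name to (fingerprint, is_in_mok_list)."""
    enrolled = enrolled_fingerprints(mokutil_text)
    result = {}
    for name, raw in certs.items():
        fpr = cert_fingerprint(raw)
        result[name] = (fpr, fpr in enrolled)
    return result


if __name__ == "__main__":
    import sys
    # Usage: mokutil --list-enrolled | python3 mokcheck.py cert1.crt cert2.crt
    files = {p: open(p, "rb").read() for p in sys.argv[1:]}
    for name, (fpr, ok) in compare(files, sys.stdin.read()).items():
        print(f"{fpr}  {'in MOK list' if ok else 'NOT in MOK list'}  {name}")
```

Two files that print the same fingerprint are the same certificate; a fingerprint that is missing from the list is not enrolled as a MOK, whatever `mokutil --import` reports about the kernel keyring.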