Missing Key in Leap 15.3 (boo#1188475)
On Tuesday 3 August 2021 11:16:27 CEST, Andrei Borzenkov wrote:
On Tue, Aug 3, 2021 at 12:02 PM Freek de Kruijf <freek@opensuse.org> wrote: ...
Install or force reinstall openSUSE-signkey-cert, reboot, perform certificate enrollment in the MokManager screen. The password MokManager expects is the operating system root user password.
Or if the package is already installed, just manually create the enrollment request using
mokutil --import /etc/uefi/certs/BDD31A9E-kmp.crt
It will ask for the password to use in MokManager. Reboot, confirm certificate enrollment in the MokManager screen.
https://en.opensuse.org/openSUSE:UEFI#Enroll_MOK_certificate_with_mokutil_.28x86.2A_only.29
I tried this procedure, but did not succeed.
Which of the two procedures listed above?
I should have said I tried the suggestions in this article.
Maybe my situation is different. It is: Secure multi-boot laptop with openSUSE 15.2, 15.3, Tumbleweed and Windows. Booting 15.3 gives an error, caused by a wrong certificate. I used Tumbleweed for the above procedure.
At which point? BIOS cannot load shim, shim cannot load grub, grub cannot load kernel, some errors after kernel is loaded and started (although I am not sure what would display these errors during boot)?
When I boot 15.3 from grub I get a window with error ../../grub.......... bad shim signature .....
I used in Tumbleweed:
mokutil --import /suse153/etc/uefi/certs/BDD31A9E-kmp.crt
mokutil --import /etc/uefi/certs/BDD31A9E-kmp.crt
Both give: Already in kernel trusted keyring.
Did you verify that the certificates are the same?
I do not know.
But if you have a problem with 15.3 you should use whatever is delivered with and for 15.3.
Booting 15.2 succeeds also. Entering both certificates using "mokutil --import" gives that they are already present.
See above for both.
Who are "they"? But an educated guess is that you are booting using the openSUSE shim, which embeds the openSUSE certificate, which is the reason mokutil says this certificate is already present.
Booting MokManager.efi and choosing Enroll from disk gives
I never said to choose "enroll from disk" so you must have been following some other procedure.
all kinds of things to choose from; in fact they are folders. I tried all, but afterwards I am still unable to boot 15.3. When I list available certificates I only see one.
What am I doing wrong?
It is difficult to understand what you are doing. Anyway, this is out of place on this list. Post your question to the support list and provide
1. output of efibootmgr -v
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0001,2001,2002,2003
Boot0000* opensuse-secureboot HD(2,GPT,4b5a9cda-e2ef-4d5f-87ee-a79393267592,0x12c800,0x96000)/File(\EFI\opensuse\shim.efi)
Boot0001* Windows Boot Manager HD(2,GPT,4b5a9cda-e2ef-4d5f-87ee-a79393267592,0x12c800,0x96000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}....................
Boot2001* EFI USB Device RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network RC
2. mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: 46:59:83:8c:82:03:fe:15:52:ad:19:e1:86:09:db:21:7e:3a:d2:4f
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
        Validity
            Not Before: Aug 26 16:12:07 2013 GMT
            Not After : Jul 22 16:12:07 2035 GMT
        Subject: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
[rest removed...]
Only one certificate.
3. full script of "mokutil --import" including full invocation and all messages.
See above.
4. Description at which point during boot you get an error and screenshot/photo of this error (upload to https://susepaste.org/).
See above description.
Even better would be a photo of each boot step starting from the very first screen until you get this error.
I get the grub menu and choose Leap 15.3; after that I get a subwindow with the error message mentioned above.
When I use c in the grub menu and enter "chainloader (hd0,2)/EFI/opensuse/MokManager.efi" and "boot" behind the grub> prompt, I get the MokManager window asking for a password, which I enter, but after that I do NOT get Enroll Mok, only boot, enroll from disk, and enroll from hash.
--
fr.gr.
member openSUSE
Freek de Kruijf
On Tuesday 3 August 2021 12:33:31 CEST, Freek de Kruijf wrote:
I further tried to solve the situation and used the 15.3 NET iso to upgrade 15.3 and was able to boot 15.3. Previously, after that, I could not boot 15.2 and Tumbleweed. In 15.3 I performed the suggested mokutil --import and now I did NOT get the message about already present. After that I did a reboot and now I got the MokManager, which asked for the password and to Enroll Mok, which I did. Now I can boot all three openSUSE systems. mokutil --list-enrolled shows two keys.
Is not being able to enroll the certificate in Tumbleweed a bug? Bug report?
The whole situation, in the first place, was caused by ignoring the Mok screen. I know it appeared several times and ignoring it did not seem to harm anything. I don't recall having seen a warning that such a screen could appear and that not acting on it might cause problems.
--
fr.gr.
member openSUSE
Freek de Kruijf
On 03.08.2021 16:12, Freek de Kruijf wrote:
When I boot 15.3 from grub I get a window with error ../../grub.......... bad shim signature .....
You are using the openSUSE shim to boot the Leap 15.3 kernel, which is signed by the SUSE key. So you obviously need to enroll the SUSE key, because the openSUSE shim only embeds the openSUSE key. Unfortunately it appears extremely difficult to display the actual certificate used to sign a PE executable (there are a lot of tools to *sign* it, but no tool to extract the signature).
bor@leap15:~> openssl x509 -noout -fingerprint -subject -ext subjectKeyIdentifier -inform DER -in /etc/uefi/certs/4AAA0B54.crt
SHA1 Fingerprint=4A:AA:0B:54:67:76:1E:CF:C0:0A:42:32:B1:7A:B4:8B:3E:09:A3:BF
subject=CN = SUSE Linux Enterprise Secure Boot Signkey, C = DE, L = Nuremberg, O = SUSE Linux Products GmbH, OU = Build Team, emailAddress = build@suse.de
X509v3 Subject Key Identifier: 
    5A:24:04:49:D2:9F:D0:D8:A7:A1:87:E6:FC:0E:26:B9:5D:1A:A8:7B
bor@leap15:~>
I used in Tumbleweed:
mokutil --import /suse153/etc/uefi/certs/BDD31A9E-kmp.crt
mokutil --import /etc/uefi/certs/BDD31A9E-kmp.crt
Both give: Already in kernel trusted keyring.
Yes, this certificate is embedded in the Tumbleweed kernel. Use "mokutil --ignore-keyring ..." to force adding it. ...
I further tried to solve the situation and used the 15.3 NET iso to upgrade 15.3 and was able to boot 15.3. Previously, after that, I could not boot 15.2 and Tumbleweed. In 15.3 I performed the suggested mokutil --import and now I did NOT get the message about already present.
mokutil in Leap 15.3 is too old and does not check the kernel keyring at all.
After that I did a reboot and now I got the MokManager, which asked for the password and to Enroll Mok, which I did.
Now I can boot all three openSUSE systems. mokutil --list-enrolled shows two keys.
Is not being able to enroll the certificate in Tumbleweed a bug? Bug report?
See above. It is not a bug. Unfortunately there is no easy way to display the various certificates and where they come from; dmesg output provides information about the kernel keyring like
[    0.582498] Loading compiled-in X.509 certificates
[    0.583162] Loaded X.509 cert 'Build time autogenerated kernel key: 6af17e88d143a5e927cc9982b97b8e933a9d694e'
...
[    0.587238] integrity: Loading X.509 certificate: UEFI:db
...
[    0.587415] integrity: Loading X.509 certificate: UEFI:MokListRT
But they are displayed using the subject key id, so now you need to search all available certificates to match it (because the certificate files are named using the fingerprint).
The whole situation, in the first place, was caused by ignoring the Mok screen. I know it appeared several times and ignoring did not seem to harm anything. I don't recall having seen a warning that such screen could appear and not acting on it might cause problems.
I am not sure what happens during installation (it is a very long time ago that I did a new installation). But it looks like the installation should import the certificates even though they are built into shim. If someone can check and verify it and finds that certificates are not imported, *that* would certainly be a valid bug report.
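A small helper, added here and not part of the thread, that does the matching Andrei describes: it parses the text the openssl command above prints for a certificate file and the 'Loaded X.509 cert' lines from dmesg, then pairs them on subject key identifier (the files under /etc/uefi/certs are named by fingerprint, the kernel keyring lists keys by key id). The openssl text is the one from the thread; the file-name mapping and the dmesg excerpt are constructed sample input.

```python
"""Match /etc/uefi/certs files (named by SHA1 fingerprint) to kernel keyring
entries (listed by subject key id in dmesg). Added example; dmesg text is constructed."""
import re

# Output of the openssl command from the thread, keyed by certificate file name.
OPENSSL_TEXT = {
    "4AAA0B54.crt": (
        "SHA1 Fingerprint=4A:AA:0B:54:67:76:1E:CF:C0:0A:42:32:B1:7A:B4:8B:3E:09:A3:BF\n"
        "subject=CN = SUSE Linux Enterprise Secure Boot Signkey, C = DE, L = Nuremberg, O = SUSE Linux Products GmbH, OU = Build Team, emailAddress = build@suse.de\n"
        "X509v3 Subject Key Identifier: \n"
        "    5A:24:04:49:D2:9F:D0:D8:A7:A1:87:E6:FC:0E:26:B9:5D:1A:A8:7B\n"
    ),
}
# Constructed dmesg excerpt in the kernel's "'<subject>: <subject key id>'" format.
DMESG_TEXT = (
    "[    0.583162] Loaded X.509 cert 'Build time autogenerated kernel key: 6af17e88d143a5e927cc9982b97b8e933a9d694e'\n"
    "[    0.587415] Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 5a240449d29fd0d8a7a187e6fc0e26b95d1aa87b'\n"
)

def norm_hex(s):
    """Drop colons and case so openssl and dmesg spellings compare equal."""
    return s.replace(":", "").strip().lower()

def parse_openssl(text):
    """Return (fingerprint, subject, skid) from the openssl x509 text output."""
    fp = re.search(r"Fingerprint=([0-9A-Fa-f:]+)", text).group(1)
    subject = re.search(r"^subject=(.*)$", text, re.M).group(1)
    skid = re.search(r"Subject Key Identifier:\s*([0-9A-Fa-f:]+)", text).group(1)
    return norm_hex(fp), subject, norm_hex(skid)

def file_name_matches(fname, fingerprint):
    """Cert file names carry the first four fingerprint bytes, e.g. 4AAA0B54.crt."""
    return fname.upper().startswith(fingerprint[:8].upper())

def parse_dmesg(text):
    """Return {skid: description} for every 'Loaded X.509 cert' line."""
    pat = re.compile(r"Loaded X\.509 cert '(.*): ([0-9a-f]+)'")
    return {m.group(2): m.group(1) for m in pat.finditer(text)}

def match_keyring(openssl_by_file, dmesg_text):
    """Map each cert file to the keyring entry holding the same key id, or None."""
    loaded = parse_dmesg(dmesg_text)
    result = {}
    for fname, text in openssl_by_file.items():
        fp, _subject, skid = parse_openssl(text)
        if not file_name_matches(fname, fp):
            raise ValueError(f"{fname} does not match fingerprint {fp}")
        result[fname] = loaded.get(skid)
    return result
```

A file that maps to None is not in the kernel keyring and is the one an older mokutil will happily queue for MokManager; a file that maps to a description is the case where Tumbleweed's mokutil answers "Already in kernel trusted keyring".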