On 25/11/2021 19.11, Andrei Borzenkov wrote:
On 25.11.2021 18:21, Carlos E. R. wrote:
I can't boot freshly installed 15.3 system (with current updates as of today).
I get (hand copied):
error: bad shim signature.
error: you need to load the kernel first.
Press any key to continue.
Details:
It is a new external hard disk, via USB3 (tried also USB2) on a laptop that has internally Leap 15.2 and Windows, both booting normally. On this external hard disk I installed 15.3 (UEFI mode).
The UEFI boot menu does not display this disk at all.
How do you boot it then?
The new system on the external disk doesn't boot at all, that is the problem. The normal system in the internal system boots fine.
...
So, instead I boot 15.2 (with current updates as of yesterday), start yast boot manager, and tell it to probe the disk for other systems. It does find 15.3, and the error I posted above is precisely what happens when using that probed entry.
Do you intentionally start backwards so that nobody can understand where error message comes from?
Sorry? I am describing the problem to the best of my abilities.
shim from 15.2 embeds openSUSE certificate and kernel from 15.3 is signed by SUSE key. You need to enroll SUSE key if you are using openSUSE shim. You should have seen MokManager request after installing 15.3.
I did not see anything. The machine was happily installing packages and I was looking elsewhere. Suddenly, it went black. I thought it was a screen saver (in YaST installer?), but no, it was rebooting.

There are two boot problems, two possible boot methods:

a) The boot menu of the UEFI system of the machine does not display the external disk at all. This can be seen in the efibootmgr output I posted. Can I add it and how? The man page does not say how.

b) the grub menu of the internal disk (with 15.2) contains entries to boot the external kernel (on 15.3), added by yast when probing for other system, but boot fails with that shim message. I assume this is what you are saying about the openSUSE vs SUSE key. How can I solve this other problem?

I see problem b) mentioned here:

https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/...
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/...

Legolas:~ # l /etc/uefi/certs/BDD31A9E-kmp.crt
ls: cannot access '/etc/uefi/certs/BDD31A9E-kmp.crt': No such file or directory
Legolas:~ # l /data/Erebor/etc/uefi/certs/BDD31A9E-kmp.crt
-rw-r--r-- 1 root root 1177 May 3 2021 /data/Erebor/etc/uefi/certs/BDD31A9E-kmp.crt
Legolas:~ #

Chrooting on 15.2 to 15.3:

Legolas:~ # mount --bind /proc /data/Erebor/proc
Legolas:~ # mount --bind /sys /data/Erebor/sys
Legolas:~ # mount --bind /dev /data/Erebor/dev
Legolas:~ # chroot /data/Erebor/
Legolas:/ # cat /etc/os-release
NAME="openSUSE Leap"
VERSION="15.3"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.3"
PRETTY_NAME="openSUSE Leap 15.3"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:15.3"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
Legolas:/ #
Legolas:/ # efibootmgr -v
BootCurrent: 0000
Timeout: 2 seconds
BootOrder: 0000,0001,0003,0002,0004,2001,2002,2003
Boot0000* opensuse_main-secureboot HD(1,GPT,f8cc1b03-845f-495d-afb8-8763d362576a,0x800,0x82000)/File(\EFI\opensuse_main\shim.efi)
Boot0001* Windows Boot Manager HD(1,GPT,f8cc1b03-845f-495d-afb8-8763d362576a,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...4................
Boot0002* opensuse-secureboot HD(1,GPT,f8cc1b03-845f-495d-afb8-8763d362576a,0x800,0x82000)/File(\EFI\opensuse\shim.efi)
Boot0003* openSUSE HD(1,GPT,f8cc1b03-845f-495d-afb8-8763d362576a,0x800,0x82000)/File(\EFI\opensuse\grubx64.efi)RC
Boot0004* opensuse_aux-secureboot HD(1,GPT,f8cc1b03-845f-495d-afb8-8763d362576a,0x800,0x82000)/File(\EFI\opensuse_aux\shim.efi)
Boot2001* EFI USB Device RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network RC
Legolas:/ #
Legolas:/ # mokutil --list-enrolled
Failed to read MokListRT: Input/output error
Legolas:/ #

Can't continue procedure you asked on another post on those threads linked above.

-- 
Cheers / Saludos,

Carlos E. R.
(from 15.2 x86_64 at Telcontar)