On 25/11/2021 21.00, Andrei Borzenkov wrote:
On 25.11.2021 22:09, Carlos E. R. wrote:
Legolas:~ # l /etc/uefi/certs/BDD31A9E-kmp.crt
ls: cannot access '/etc/uefi/certs/BDD31A9E-kmp.crt': No such file or directory
Legolas:~ # l /data/Erebor/etc/uefi/certs/BDD31A9E-kmp.crt
-rw-r--r-- 1 root root 1177 May 3 2021 /data/Erebor/etc/uefi/certs/BDD31A9E-kmp.crt
Legolas:~ #
This is the openSUSE certificate, not the SUSE certificate. You may need it too if you have some additional KMP, but it will not validate the kernel itself.
But that directory is the 15.3 install. It contains:
-rw-r--r-- 1 root root 1288 Nov 11 16:16 4AAA0B54.crt
-rw-r--r-- 1 root root 1257 Jul 16 10:59 BCA4E38E-shim.crt
-rw-r--r-- 1 root root 1177 May 3 2021 BDD31A9E-kmp.crt
Legolas:/ # rpm -qf /etc/uefi/*
openSUSE-signkey-cert-20210302-lp153.1.1.x86_64
kernel-default-5.3.18-59.34.1.x86_64
shim-15.4-4.7.1.x86_64
Legolas:/ #
Chrooting on 15.2 to 15.3:
Legolas:~ # mount --bind /proc /data/Erebor/proc
Legolas:~ # mount --bind /sys /data/Erebor/sys
Legolas:~ # mount --bind /dev /data/Erebor/dev
Legolas:~ # chroot /data/Erebor/
Why do you need chroot to call efibootmgr or mokutil?
Because I can not boot 15.3, and I don't know if chroot is needed or not.
Legolas:/ # cat /etc/os-release
NAME="openSUSE Leap"
VERSION="15.3"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.3"
PRETTY_NAME="openSUSE Leap 15.3"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:15.3"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
Legolas:/ #
Legolas:/ # efibootmgr -v
BootCurrent: 0000
Timeout: 2 seconds
BootOrder: 0000,0001,0003,0002,0004,2001,2002,2003
Boot0000* opensuse_main-secureboot HD(1,GPT,f8cc1b03-845f-495d-afb8-8763d362576a,0x800,0x82000)/File(\EFI\opensuse_main\shim.efi)
Boot0001* Windows Boot Manager HD(1,GPT,f8cc1b03-845f-495d-afb8-8763d362576a,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...4................
Boot0002* opensuse-secureboot HD(1,GPT,f8cc1b03-845f-495d-afb8-8763d362576a,0x800,0x82000)/File(\EFI\opensuse\shim.efi)
Boot0003* openSUSE HD(1,GPT,f8cc1b03-845f-495d-afb8-8763d362576a,0x800,0x82000)/File(\EFI\opensuse\grubx64.efi)RC
Boot0004* opensuse_aux-secureboot HD(1,GPT,f8cc1b03-845f-495d-afb8-8763d362576a,0x800,0x82000)/File(\EFI\opensuse_aux\shim.efi)
Boot2001* EFI USB Device RC
What is it? Is it your USB disk?
Only the internal disk is listed there, AFAIK. The external disk is not listed at all, that is problem #1.
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network RC
Legolas:/ #
You have three different openSUSE boot entries - opensuse_main, opensuse, opensuse_aux. Which one is which? One of them may well be your 15.3. What device is /boot/efi on in 15.3?
None is 15.3. All are on the internal disk.
opensuse_main   15.2
opensuse        I don't know (*)
opensuse_aux    15.0, another partition, doesn't boot (same shim error message).
(*) But it is the same hard disk. My guess, it is an old entry that I forgot to delete long ago, pertaining to the initial 15.0 install, before I changed the name of the installation in /etc/default/grub.cfg
Legolas:/ # mokutil --list-enrolled
Failed to read MokListRT: Input/output error
Legolas:/ #
You need to mount efivars in chroot:
mount --bind /sys/firmware/efi/efivars /data/Erebor/sys/firmware/efi/efivars
I thought something like that, but no idea which.
Can't continue procedure you asked on another post on those threads linked above.
You do not need chroot for this. You can do all of this from within 15.2.
All that you need is
mokutil --import /data/Erebor/etc/uefi/certs/4AAA0B54.crt
If it is already enrolled, it is a no-op.
Ok, doing so:
Legolas:~ # mokutil --import /data/Erebor/etc/uefi/certs/4AAA0B54.crt
input password:
input password again:
Legolas:~ #
I suppose I have to try rebooting?
[...]
Yes! It booted (using the 15.2 grub menu on internal disk).
This time I saw and realized what it was: the MokManager request menu. A big blue screen coming from the firmware, a *very strange window*.
There should be clear instructions somewhere that this *very strange window* is going to appear at boot, because now I remember that I have seen before that strange blue text mode screen, or a very similar one, without any explanation whatsoever, either before or in it. The only thing I clearly saw was to press some key to boot. I get something similar when booting from USB stick, I thought it was the same one. Sigh.
Yikes, it is uglier than old MsDOS 2.0 screens!
Thanks.
Why do we need to add this key manually, and we, at least I, did not need to do it to install 15.0 when I bought this laptop? I thought we asked M$ to add the key to the firmware back then.
Well, I still need help to tell the UEFI to add entries in the menu for the external disk to boot directly on its own...
--
Cheers / Saludos,
Carlos E. R.
(from 15.2 x86_64 at Telcontar)
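Added example, not part of the thread and not efibootmgr's own code: a small parser for the `efibootmgr -v` listing quoted above that groups boot entries by the GPT partition GUID inside `HD(...)` and lists the entries that load `shim.efi`. The function names are hypothetical; the GUID in `HD(...)` is the partition's PARTUUID, so it can be compared with `lsblk -o NAME,PARTUUID` to see which disk each entry points at.

```python
import re
# Sample: the efibootmgr -v listing quoted in the thread, one entry per item
# (constructed layout; the Windows entry's trailing optional data is dropped).
HD = "HD(1,GPT,f8cc1b03-845f-495d-afb8-8763d362576a,0x800,0x82000)"
SAMPLE = "\n".join([
    "BootCurrent: 0000",
    "BootOrder: 0000,0001,0003,0002,0004,2001,2002,2003",
    "Boot0000* opensuse_main-secureboot " + HD + r"/File(\EFI\opensuse_main\shim.efi)",
    "Boot0001* Windows Boot Manager " + HD + r"/File(\EFI\Microsoft\Boot\bootmgfw.efi)",
    "Boot0002* opensuse-secureboot " + HD + r"/File(\EFI\opensuse\shim.efi)",
    "Boot0003* openSUSE " + HD + r"/File(\EFI\opensuse\grubx64.efi)RC",
    "Boot0004* opensuse_aux-secureboot " + HD + r"/File(\EFI\opensuse_aux\shim.efi)",
    "Boot2001* EFI USB Device RC", "Boot2002* EFI DVD/CDROM RC", "Boot2003* EFI Network RC",
])

ENTRY = re.compile(r"^Boot([0-9A-Fa-f]{4})\*?\s+(.*)$")
DISK = re.compile(r"HD\(\d+,GPT,([0-9A-Fa-f-]{36}),")
FILE = re.compile(r"File\(([^)]*)\)")

def parse(text):
    """Return (BootOrder list, {entry number: label, partition GUID, loader path})."""
    order, entries = [], {}
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            order = [n.strip() for n in line.split(":", 1)[1].split(",")]
        m = ENTRY.match(line)
        if m:
            num, rest = m.groups()
            disk, loader = DISK.search(rest), FILE.search(rest)
            entries[num] = {
                "label": rest.split("HD(", 1)[0].strip(),
                "part_guid": disk.group(1).lower() if disk else None,
                "loader": loader.group(1) if loader else None,
            }
    return order, entries

def by_partition(text):
    """Entry numbers in BootOrder, grouped by partition GUID; None = no disk path."""
    order, entries = parse(text)
    groups = {}
    for num in (n for n in order if n in entries):
        groups.setdefault(entries[num]["part_guid"], []).append(num)
    return groups

def via_shim(text):
    """Entries whose loader is shim.efi, i.e. the ones that go through shim."""
    order, entries = parse(text)
    return [n for n in order if n in entries
            and (entries[n]["loader"] or "").lower().endswith("\\shim.efi")]
```

On this sample every disk-backed entry shares one partition GUID, and Boot0003 is the only openSUSE entry that loads `grubx64.efi` directly instead of `shim.efi`.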