17.04.2017 18:20, Neil Rickert wrote:
> I recently installed Ubuntu 17.04. But I want to boot it with the opensuse grub2. This is on a UEFI machine.
> I am already set up to sign kernels. So the idea is for me to sign the Ubuntu kernel, so that the kernel signature will be okay with opensuse grub2-efi.
Why not simply chainload Ubuntu shim?
> Ubuntu comes with two kernels:
> vmlinuz-4.10.0-19-generic
> vmlinuz-4.10.0-19-generic.efi.signed
> The second of those is signed by Canonical. The first is unsigned.
> I chose to sign the second of those kernels. It was my understanding that having multiple signatures is allowed. But it would not boot. I got a message about invalid signature.
There was a bug to that effect; not sure if it was about firmware that failed verification in case of multiple signatures or tools used to create them.
> So I instead signed the first of those kernels. And that is working fine. And if Ubuntu boot tries to check signatures, it should be okay because it sees my installed machine owner key. I'm not sure why Ubuntu provides a signed kernel, since Ubuntu boot normally doesn't check signatures anyway. They seem to just pretend to check (a bit like the Volkswagen pollution controls).
Not sure what you mean here. Ubuntu is using the same shim; do you imply that Ubuntu shim fakes verification? That would be a rather strong statement.
> My question: Is this a bug in the opensuse shim signature checking? Shouldn't it work with multiple signatures on kernels?