Thread: Unsigned Kernels

  1. #1

    Default Unsigned Kernels

    I have recently installed Leap 42.3 on an Acer laptop (ES1-523), and the default kernel does not work correctly with the QCA9733 wifi. Thus I need to use a more recent kernel, namely 4.12.5 from the repo: download.opensuse.org/repositories/Kernel:/stable/standard/x86_64/

    After telling the EFI to trust the Leap 42.3 secure boot key, and some fiddling with the BIOS to put grub before the Windows EFI boot, I did get openSUSE working properly with secure boot. I used zypper to download kernel 4.12.5 and install it. With secure boot, the kernel is unsigned and not loaded, presumably by shim or grub. I would happily go back to the stock 4.4 kernel if there is a fix for the QCA9733 driver.

    MY QUESTION:
    Are all the updated/developer kernels unsigned? (The Leap 42.3 kernel was signed.) What is the normal way to get the new kernel signed so I can use secure boot again?

    Thank You.

  2. #2
    Join Date
    Sep 2012
    Posts
    7,107

    Default Re: Unsigned Kernels

    Quote Originally Posted by rhugs:
    Are all the updated/developer kernels unsigned?
    Update kernels are signed; developer kernels are not signed with the Leap key. Kernel:stable is not an update for Leap but an independent project offering the latest kernels.

  3. #3
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    15,685
    Blog Entries
    3

    Default Re: Unsigned Kernels

    Quote Originally Posted by rhugs:
    Are all the updated/developer kernels unsigned?
    They are signed with a different key.

    I don't know where to find the signing key (the public key component). If you could find that, then add it with MokManager, and you will be set.

    The other option is to create your own signing key, and add that to MokManager. Then you can sign the kernels yourself.

    Or just leave secure-boot disabled.
    openSUSE Leap 15.3; KDE Plasma 5.18.6;

  4. #4
    Join Date
    Sep 2012
    Posts
    7,107

    Default Re: Unsigned Kernels

    Quote Originally Posted by nrickert:
    I don't know where to find the signing key (the public key component).
    On the very first page of project or directly https://build.opensuse.org/projects/...key/key_dialog or using
    Code:
    bor@bor-Latitude-E5450:~$ osc signkey --sslcert Kernel:stable
    Kernel:stable has no key, trying Kernel
    -----BEGIN CERTIFICATE-----
    MIIDhjCCAm6gAwIBAgIJAJfbUUv1M3lAMA0GCSqGSIb3DQEBCwUAMEcxGzAZBgNV
    BAMMEktlcm5lbCBPQlMgUHJvamVjdDEoMCYGCSqGSIb3DQEJARYZS2VybmVsQGJ1
    aWxkLm9wZW5zdXNlLm9yZzAeFw0xNzA2MTYxNDIwNDlaFw0xOTA4MjUxNDIwNDla
    MEcxGzAZBgNVBAMMEktlcm5lbCBPQlMgUHJvamVjdDEoMCYGCSqGSIb3DQEJARYZ
    S2VybmVsQGJ1aWxkLm9wZW5zdXNlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP
    ADCCAQoCggEBAOjf7YJfj+1mgYiijLtAXz4n3ivCvtOi/eRcUAOVev5obvMcyvOv
    f3xCJIKYuwTuQnwNxqkcf5NpiunLnK5LTpFXh66GUmOjb5IcRxLNMYMiOs9MO8zw
    pkTcJZmDJFNVmdOrttE+1WFIjORM83Il7UAwwNkfxhiAOCjTOV5lZHfDdUDvl0J8
    ZRiMVOPKYAzZC3MrdYCDLCpkrQXbUwo4JRavPxkVsKZ1xmH+YBgOGY2UVw3qZlIT
    /IPkTqmoYQXU+vh1/A/Q1s8GmxirzA/dPlMh1oPnCvfy7ZAk05HEIqLx+4Kql/sd
    DHm/fHYRXPhWFHPNzfVM9XPUtfkw9vLzKkECAwEAAaN1MHMwDAYDVR0TAQH/BAIw
    ADAdBgNVHQ4EFgQUH7QVEqy8juvfgo2HfkNnv2xxmvMwHwYDVR0jBBgwFoAUH7QV
    Eqy8juvfgo2HfkNnv2xxmvMwDgYDVR0PAQH/BAQDAgKEMBMGA1UdJQQMMAoGCCsG
    AQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IBAQDVecaa0GjaOh8y8cmz1nUaXNucpw+9
    RahEaVJkWGUaQITwVeuA7QEMEFd5PDLuj3Q75Du2rpOmyloDDziXA2p+LIelG+Am
    UEe8tAzDqgQqad59dlGSSOwNWLz3lRZ7zFn0zd+tEuhB7BQOAkyBE/YuoyLLleFA
    Ci7WtH/tFXodBekvh/gd9GSs2uQmrPfax+zCZo3Ly5FZE9gyZbqMxsu4WO1Xelxk
    UVMPV5xpe2j7UkIyfoc2P0w8oI6l0tZ+0UvRqJ2MEwbMI7MPrmC9CX8Ns29pf3fZ
    NAhGwYKXgwvaN9ql3+n0XXJ3ot1bs89ROR/8qyflPbxkYDjkbW1ZgWvN
    -----END CERTIFICATE-----
    bor@bor-Latitude-E5450:~$

  5. #5
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    15,685
    Blog Entries
    3

    Default Re: Unsigned Kernels

    Quote Originally Posted by arvidjaar:
    On the very first page of project or directly https://build.opensuse.org/projects/...key/key_dialog or using
    Code:
    bor@bor-Latitude-E5450:~$ osc signkey --sslcert Kernel:stable
    Kernel:stable has no key, trying Kernel
    Thanks.

    The direct link gives me a 404 (page not found). But we can at least try the cert that you included.

    And a note to the OP:

    Copy the part between the BEGIN and END lines (including those lines) into a file with a name like something.pem -- I suggest "obs.pem".

    Then convert to DER format with:
    Code:
    openssl x509 -inform pem -outform der -in obs.pem -out obs.der
    Copy that "obs.der" file to your EFI partition. It's easiest to find at the top, so copy to "/boot/efi/."

    Use "mokutil" to add the certificate. Check the man pages for "mokutil". It should actually be added by MokManager when you next boot.
    openSUSE Leap 15.3; KDE Plasma 5.18.6;
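Before enrolling the certificate above with mokutil, it is worth checking what you are about to trust. The following is an added example, not code from this thread or from the openSUSE project: it decodes the PEM posted in #4 with only the Python standard library, walks just enough of the DER to report the subject CN and validity window, and returns the SHA-256 fingerprint for comparison with the key page on build.opensuse.org. It assumes the standard X.509 field order (optional version, serial, algorithm, issuer, validity, subject) and a UTF-8 encoded CN; KERNEL_OBS_PEM is simply the certificate from #4 pasted as a string.

```python
import base64, hashlib
from datetime import datetime, timezone
# The certificate exactly as posted above (osc signkey --sslcert Kernel:stable).
KERNEL_OBS_PEM = """-----BEGIN CERTIFICATE-----
MIIDhjCCAm6gAwIBAgIJAJfbUUv1M3lAMA0GCSqGSIb3DQEBCwUAMEcxGzAZBgNV
BAMMEktlcm5lbCBPQlMgUHJvamVjdDEoMCYGCSqGSIb3DQEJARYZS2VybmVsQGJ1
aWxkLm9wZW5zdXNlLm9yZzAeFw0xNzA2MTYxNDIwNDlaFw0xOTA4MjUxNDIwNDla
MEcxGzAZBgNVBAMMEktlcm5lbCBPQlMgUHJvamVjdDEoMCYGCSqGSIb3DQEJARYZ
S2VybmVsQGJ1aWxkLm9wZW5zdXNlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAOjf7YJfj+1mgYiijLtAXz4n3ivCvtOi/eRcUAOVev5obvMcyvOv
f3xCJIKYuwTuQnwNxqkcf5NpiunLnK5LTpFXh66GUmOjb5IcRxLNMYMiOs9MO8zw
pkTcJZmDJFNVmdOrttE+1WFIjORM83Il7UAwwNkfxhiAOCjTOV5lZHfDdUDvl0J8
ZRiMVOPKYAzZC3MrdYCDLCpkrQXbUwo4JRavPxkVsKZ1xmH+YBgOGY2UVw3qZlIT
/IPkTqmoYQXU+vh1/A/Q1s8GmxirzA/dPlMh1oPnCvfy7ZAk05HEIqLx+4Kql/sd
DHm/fHYRXPhWFHPNzfVM9XPUtfkw9vLzKkECAwEAAaN1MHMwDAYDVR0TAQH/BAIw
ADAdBgNVHQ4EFgQUH7QVEqy8juvfgo2HfkNnv2xxmvMwHwYDVR0jBBgwFoAUH7QV
Eqy8juvfgo2HfkNnv2xxmvMwDgYDVR0PAQH/BAQDAgKEMBMGA1UdJQQMMAoGCCsG
AQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IBAQDVecaa0GjaOh8y8cmz1nUaXNucpw+9
RahEaVJkWGUaQITwVeuA7QEMEFd5PDLuj3Q75Du2rpOmyloDDziXA2p+LIelG+Am
UEe8tAzDqgQqad59dlGSSOwNWLz3lRZ7zFn0zd+tEuhB7BQOAkyBE/YuoyLLleFA
Ci7WtH/tFXodBekvh/gd9GSs2uQmrPfax+zCZo3Ly5FZE9gyZbqMxsu4WO1Xelxk
UVMPV5xpe2j7UkIyfoc2P0w8oI6l0tZ+0UvRqJ2MEwbMI7MPrmC9CX8Ns29pf3fZ
NAhGwYKXgwvaN9ql3+n0XXJ3ot1bs89ROR/8qyflPbxkYDjkbW1ZgWvN
-----END CERTIFICATE-----"""

def tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    n = length & 0x7F if length & 0x80 else 0  # long form: low 7 bits count the length octets
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else length
    return tag, pos + 2 + n, pos + 2 + n + length

def walk(buf, start, end):
    """Yield (tag, value_start, value_end) for each element directly inside a constructed TLV."""
    while start < end:
        start = (elem := tlv(buf, start))[2]
        yield elem

def inspect_cert(pem):
    """Return subject CN, validity window (UTC) and SHA-256 fingerprint of a PEM certificate."""
    der = base64.b64decode(pem.split("-----")[2])  # drop the BEGIN/END armour, keep the body
    f = list(walk(der, *tlv(der, tlv(der, 0)[1])[1:]))  # Certificate -> TBSCertificate fields
    f = f[1:] if f[0][0] == 0xA0 else f  # skip optional [0] version: serial, alg, issuer, validity, subject
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}  # UTCTime / GeneralizedTime
    nb, na = (datetime.strptime(der[a:b].decode(), fmt[t]).replace(tzinfo=timezone.utc)
              for t, a, b in walk(der, *f[3][1:]))
    # subject is SEQUENCE OF SET OF (OID, value); keep the value whose OID is id-at-commonName 2.5.4.3
    cn = next(der[v[1]:v[2]].decode() for rdn in walk(der, *f[4][1:]) for atv in walk(der, *rdn[1:])
              for o, v in [tuple(walk(der, *atv[1:]))] if der[o[1]:o[2]] == b"\x55\x04\x03")
    return {"subject_cn": cn, "not_before": nb, "not_after": na, "sha256": hashlib.sha256(der).hexdigest()}
```

Pass the contents of your own obs.pem instead of KERNEL_OBS_PEM to check a different key, and compare the returned sha256 with the project key page before running mokutil.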

  6. #6
    Join Date
    Sep 2012
    Posts
    7,107

    Default Re: Unsigned Kernels

    Quote Originally Posted by nrickert:
    The direct link gives me a 404 (page not found).
    Indeed. But the same link from the project page (https://build.opensuse.org/project/show/Kernel:stable) works. Funny, maybe the referrer is missing or some scripting magic.

  7. #7

    Default Re: Unsigned Kernels

    Quote Originally Posted by arvidjaar:
    Indeed. But the same link from the project page (https://build.opensuse.org/project/show/Kernel:stable) works. Funny, maybe the referrer is missing or some scripting magic.
    Yes, that's it. NB, Tumbleweed boots OK with secure boot on my machine, thus it appears to use the same sig as Leap 42.3.

    There is no security value in blessing some downloaded binary with my own sig. I don't know what's in it.

  8. #8
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    16,288

    Default Re: Unsigned Kernels

    IMO Secure Boot is security theater. If a bad actor can modify the boot chain they already own the machine. The best that secure boot can do is brick the system.

  9. #9

    Default Re: Unsigned Kernels

    Yes, that's true, but baddies do need physical access to the machine. It's really Windows that benefits from secure boot. I do dual boot so I'd prefer it to be on.

    The purpose of using a development kernel was to get my wifi (QCA9733) going in Leap 42.3. How can I find out if the fixed ath10k driver has been backported to the stock 4.4.xx kernel?
