After recent zypper dup resulting in kernel-default-5.7.11-1.1 to kernel-default-5.7.11-1.2 update, I saw a blue screen after reboot proposing me to enter uefi shim management or something. It automatically disappeared after some time and didn’t show again on next reboot. I thought this might have happened because of changed keys, but it doesn’t seem to be the case:
$ mokutil --list-new
MokNew is empty
Why did this happen and have I missed something not entering that screen?
I have no idea either, in my case IIRC the very first time i tried a Suse version i was asked if i wanted to trust some certificate with Suse mentioned in it, never got that prompt again, and i can’t find the cert either that was trusted…
Maybe i just need to reset my SecureBoot keys to the factory ones again to check dunno.
Anyway the most logical reason would be if grub-efi was updated that is loaded by the shim, maybe check that because anything after grub should be permitted by the signature used to sign the grub-efi also…
Also check the output of: sudo mokutil --list-enrolled
In my case at moment it shows:
And that would probably be it. There was a new uefi cert released - 33CEA71B.crt. The question now is, how to make that blue screen reappear (is it mokutil --import /etc/uefi/certs/33CEA71B.crt?) and is it fine not to do it?
I got that prompt after updating this morning. I told it to install the new key.
If your system booted fine, then I guess it doesn’t much matter.
Yes, the “mokutil” command that you suggested does look like the right one. You can add “–root-pw” as an additional option (put that just after the “–import”) if you want it to use the root password instead of “mokutil” asking you to give a password.
Enrollment (and all other key management requests) are for the next reboot only. They are cleared immediately when MokManager is started. Kernel RPM will submit new enrollment request on every update as long as it is missing.
Thanks for your help, people! One last question: may I or maybe should I delete the older key when enrolling the new one? I’m trying to bring my computer to the state that zypper dup would, had I entered shim management when first asked to.
openSUSE shim embeds openSUSE CA certificate used to sign other certificates used to sign kernels. So as long as new certificate is issued by the same openSUSE CA (it is) shim will allow kernel signed by it. New certificate is also embedded into kernel itself and used to verify kernel modules so it does not matter whether it is enrolled.
The only case when this certificate is needed is when you use non-openSUSE shim to boot openSUSE kernel with secure boot enabled.
Normally this happens automatically - kernel RPM issues delete request when last kernel using certificate is removed. You still have to manually acknowledge request on reboot.
I think the correct state should be that the enrolled keys are exactly those in “/etc/uefi/certs” plus any that you have manually add (such as a signing key that you created for yourself).
There’s a key built into shim that shows up as enrolled, but really isn’t (though I suppose that depends on what you mean by “enrolled”).
If you boot Ubuntu live media, thus using the Ubuntu shim, that key won’t show up as enrolled, but the Canonical key from Ubuntu will show up in its place (that’s built into the Ubuntu shim).
Yes, that lists the one built into shim – I think that’s last on the list.
If you boot using live Ubuntu media, and run the same command there, you will see the keys that are stored in NVRAM together with the key built into the Ubuntu shim. But you won’t see the key built into the openSUSE shim. Or, at least, that’s what my tests show.
To keep terms correct, all references to “keys” that are used to verify binaries eg. enrolled ones are actually (Public) Certificates and not keys, because KEYS are used to sign/encrypt stuff only while certs are used to verify/decrypt stuff…
I know i might sound a little weird when pointing that out, but it keeps things clean on the internet…
Some people use the terms “Private key” and “Public Key” while they should actually be using “Key” and “Certificate” in those usages…
Most prominent evidence of this are “CRL’s” which stands for “Certificate Revocation List” instead of “PKRL’s, which would stand for Public Key Revocation List”
Most prominent evidence of this are “CRL’s” which stands for “Certificate Revocation List” instead of “PKRL’s”, which could stand for ‘Public Key Revocation List’ or ‘Private Key Revocation List’ the last not making any sense