
Thread: Help on booting to a 5.14.11 kernel:stable:backports kernel with secure boot? (or must I disable)?

  1. #1
    Join Date
    Mar 2008
    Location
    Phuket, Thailand
    Posts
    26,997
    Blog Entries
    40

    Help on booting to a 5.14.11 kernel:stable:backports kernel with secure boot? (or must I disable)?

    I am looking for some guidance / assurance in proceeding to activate an installed kernel:stable:backports kernel 5.14.11. I have 'secure boot' enabled in BIOS.

    The laptop in secure boot, boots/runs ok with the 5.3.18 kernel (with some aspects I want to investigate by trying a newer kernel).

    I installed the kernel-default-5.14.11 from the kernel:stable:backports repository on my openSUSE-LEAP-15.3 on my Lenovo X1 Carbon Gen-9 laptop (which also pulled in suse-modules-tools-16.0.11-lp153.2.1 (so as to obtain suse-kernel-rpm-scriptlets), replacing the previous 15.3.6-1.1 version on my laptop).

    When I first rebooted, after selecting the new kernel-default-5.14.11 in the openSUSE grub menu, I was sent to a blue grub screen on "Shim UEFI key management" and asked to "Press any key to perform MOK management".

    While I was pondering this, the screen timed out, and gave me a black screen with this error:
    Code:
    Loading Linux 5.14.11-lp153.2.g834dddd-default ...
    error: ../../grub-core/kern/efi/sb.c:151:bad shim signature.
    Loading initial ramdisk ...
    error: ../../grub-core/loader/i386/efi/linux.c:98:you need to load the kernel first.
    
    Press any key to continue
    I pressed a key and it sent me back to the normal green grub boot screen, at which time I selected the regular openSUSE kernel boot to a 5.3.18 kernel.

    I concluded I did not know what I was doing, and I needed to research more to know what was appropriate to do next to boot to the 5.14.11 kernel.

    I would like to boot to this 5.14.11 kernel, but given I am unfamiliar with this, I don't want to mess up my install if further blue screens are encountered after I "Press any key to perform MOK management". I suspect the next screen might say "Enrol Key from disk" or "Enrol Hash from disk". What do I select there? My guess is "Enrol key from disk" but I prefer not to guess.

    Can anyone offer any experience here?

    Should I select "Enrol key from disk"? And if I select that, will I encounter more menus with different selections/decisions to make?
    I prefer not to screw this up.

    Or is my best/only approach to disable Secure Boot in BIOS and try again?

    As a precaution I have now backed up my /boot/EFI directory to a USB stick.

  2. #2
    Join Date
    Mar 2011
    Location
    Sauerland
    Posts
    6,633

    Re: Help on booting to a 5.14.11 kernel:stable:backports kernel with secure boot? (or must I disable

    I would enroll key from disk, but:
    https://bugzilla.suse.com/show_bug.cgi?id=1191480

  3. #3
    Join Date
    Sep 2012
    Posts
    6,978

    Re: Help on booting to a 5.14.11 kernel:stable:backports kernel with secure boot? (or must I disable

    Quote Originally Posted by oldcpu View Post
    Should I select "Enrol key from disk" ?
    No. Kernel installation should have created a certificate enrollment request. You need to enter the MokManager screen, agree to enroll the certificate and provide the root user password when requested (operating system root user).

    Because the enrollment request was already cleared, remove the kernel and then install it again. Reboot, press any key and follow the MokManager prompts.

    P.S. I do not know where "any" key is on your keyboard

    P.P.S. Please avoid using bold, color etc without real need. It distracts from actual content.

  4. #4
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    15,596
    Blog Entries
    3

    Re: Help on booting to a 5.14.11 kernel:stable:backports kernel with secure boot? (or must I disable

    When you installed that 5.14.11 kernel, it should have installed a certificate in "/etc/uefi/certs". There are probably several certificates there. The one installed by the kernel install will not have "-shim" as part of the name. You can probably guess which one it was by the timestamp on the file.

    Enroll that certificate:
    Code:
    mokutil --import FILENAME
    (Run that as root). If you add "--root-pw" to that command line, then it will use the root password for the enroll. Otherwise it will prompt you for a one-time password.

    On reboot, you should get that blue screen again, to complete the enroll request.
    openSUSE Leap 15.3; KDE Plasma 5.18.6;

  5. #5
    Join Date
    Mar 2008
    Location
    Phuket, Thailand
    Posts
    26,997
    Blog Entries
    40

    Re: Help on booting to a 5.14.11 kernel:stable:backports kernel with secure boot? (or must I disable

    Unfortunately, I proceeded before all the replies to this thread were given. I tried "enroll key from disk" and it failed.

    For the curious, this is what I did which failed to work:
    I de-installed the 5.14.11 kernel, rebooted to the 5.3.18 kernel, re-installed the 5.14.11 kernel, rebooted and selected the 5.14.11 kernel at boot. It presented me this menu where I had to choose from:
    * continue boot
    * enroll MOK
    * enroll key from disk
    * enroll hash from disk

    I selected 'enroll key from disk'

    I then obtained this:
    "Select Key" - "The selected key will be enrolled into the MOK database. This means any binaries signed with it will be run without prompting. Remember to make sure it is a genuine key before Enrolling it".

    After pressing any key, I then obtained this list of directories:
    * EFI/
    * BOOT/
    * System Volume Information/
    * $RECYCLE.BIN/

    Note there is no option to navigate to a higher level directory. I chose EFI and obtained this:
    ../
    Microsoft/
    Boot/
    opensuse/

    I chose 'opensuse/'

    I was then given this choice:
    * MokManager.efi
    * grub.efi
    * shim.efi
    * boot.csv
    * grub.cfg
    * grubx64.efi

    I chose 'shim.efi' which did not work, as I obtained this:
    Unsupported Format; Only DER encoded certificate (*.cer/der/crt) is supported. OK.

    Clearly I had no clue as to what was best. I clicked OK and I was back to here:
    * continue boot
    * enroll MOK
    * enroll key from disk
    * enroll hash from disk

    I selected 'continue boot' and as expected, I obtained the same error as before.
    Code:
    ...
    error: ../../grub-core/kern/efi/sb.c:151:bad shim signature.
    Loading initial ramdisk ...
    error: ../../grub-core/loader/i386/efi/linux.c:98:you need to load the kernel first.
    
    Press any key to continue

    So back to the drawing board ... so to speak ...
    Quote Originally Posted by nrickert View Post
    When you installed that 5.14.11 kernel, it should have installed a certificate in "/etc/uefi/certs".
    By the date/time stamp in the /etc/uefi/certs directory, there is only one .crt file, named "6A4E915C.crt", that is associated with today.

    Quote Originally Posted by nrickert View Post
    Enroll that certificate:
    Code:
    mokutil --import FILENAME
    (Run that as root). If you add "--root-pw" to that command line, then it will use the root password for the enroll. Otherwise it will prompt you for a one-time password.
    Run that while being in a boot from the 5.3.18 kernel? That is counterintuitive to me, albeit I confess I have no clue. What does that do? The man page says it manipulates machine owner keys, which is not specific enough for me to understand. ... I have questions like, if a key is created/imported, where does it then go? How will it be named? ... and there are probably more questions I should ask, but I am not smart enough to know the questions. ...
    Quote Originally Posted by nrickert View Post
    On reboot, you should get that blue screen again, to complete the enroll request.
    I am still puzzled here. Where do I navigate to? Will there be the same selection as seen above, or will the menu selections have changed after running 'mokutil'?

    ...
    I actually surfed looking for a guide through all these different menus, and I failed to find such.
    Last edited by oldcpu; 12-Oct-2021 at 06:22.

  6. #6
    Join Date
    Sep 2012
    Posts
    6,978

    Re: Help on booting to a 5.14.11 kernel:stable:backports kernel with secure boot? (or must I disable

    Quote Originally Posted by oldcpu View Post
    Where do I navigate to?
    Enroll MOK

  7. #7
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    15,596
    Blog Entries
    3

    Re: Help on booting to a 5.14.11 kernel:stable:backports kernel with secure boot? (or must I disable

    Quote Originally Posted by oldcpu View Post
    Run that while being in a boot from the 5.3.18 kernel?
    Yes, that's fine. What that command does, is leave a message in NVRAM. That message is picked up by "shim" on your next boot, which then loads "MokManager" to enroll the key.

    As said by arvidjaar, you should go with the "enroll MOK".
    openSUSE Leap 15.3; KDE Plasma 5.18.6;
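The steps nrickert describes in posts #4 and #7 (find the non "-shim" certificate the kernel package dropped into /etc/uefi/certs, queue it with mokutil --import, let shim hand it to MokManager on the next boot) can be wrapped in a small helper. The script below is an added example, not code from the thread or from openSUSE; it assumes the naming convention from post #4 (the kernel's certificate is the *.crt file without "-shim" in its name, newest by timestamp), the DER-only rule MokManager reported in post #5, and only the mokutil flags already mentioned in the thread. It prints the mokutil command with an absolute path (the relative-path mistake from post #8) rather than running it, so nothing is queued until you run the printed line as root.

```shell
#!/bin/sh
# Added example (not from the thread): locate the certificate a kernel package
# placed in /etc/uefi/certs, sanity-check that it is DER encoded (the only
# format MokManager accepts), and print the mokutil command that queues it for
# enrollment via the MOK request shim reads from NVRAM at the next boot.

# Newest *.crt in DIR whose name does not contain "-shim" (nrickert's rule).
# Prints the path, returns 1 when no candidate exists.
pick_kernel_cert() {
    dir=$1
    for f in $(ls -t "$dir"/*.crt 2>/dev/null); do
        case "$(basename "$f")" in
            *-shim*) continue ;;      # the shim CA, not the kernel signing cert
        esac
        printf '%s\n' "$f"
        return 0
    done
    return 1
}

# DER certificates start with the ASN.1 SEQUENCE tag 0x30; a PEM file starts
# with "-----BEGIN" and triggers MokManager's "Unsupported Format" error.
is_der_cert() {
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    [ "$first" = "30" ]
}

# Build the mokutil invocation with an absolute path so it works from any
# working directory; --root-pw makes MokManager ask for the root password
# instead of a one-time password (both flags are the ones the thread uses).
build_import_cmd() {
    cert=$1
    case "$cert" in
        /*) ;;                        # already absolute
        *)  cert="$(pwd)/$cert" ;;
    esac
    printf 'mokutil --import %s --root-pw\n' "$cert"
}

main() {
    dir=${1:-/etc/uefi/certs}
    cert=$(pick_kernel_cert "$dir") || {
        echo "no kernel certificate (non -shim *.crt) found in $dir" >&2
        return 1
    }
    if is_der_cert "$cert"; then
        echo "candidate: $cert (DER encoded)"
        echo "to queue it for enrollment at the next boot, run as root:"
        build_import_cmd "$cert"
    else
        echo "$cert is not DER encoded; MokManager will reject it" >&2
        return 1
    fi
}

# Non-fatal so the functions stay usable when this file is sourced.
main "${1:-/etc/uefi/certs}" || :
```

After running the printed command, `mokutil --list-new` shows the request that shim will pick up, which is the queued state post #7 describes; once MokManager has enrolled the key and the machine has rebooted, `mokutil --test-key /etc/uefi/certs/FILENAME` reports whether that certificate is now in the MOK list. Enrolling only the certificate that your own package manager installed, and checking it with "View key" in MokManager, is the point of the "make sure it is a genuine key" warning quoted in post #5: anything signed by an enrolled key boots without further prompting.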

  8. #8
    Join Date
    Mar 2008
    Location
    Phuket, Thailand
    Posts
    26,997
    Blog Entries
    40

    Re: Help on booting to a 5.14.11 kernel:stable:backports kernel with secure boot? (or must I disable

    Thank you for the help.

    Thanks to your help, I am now typing this from LEAP-15.3 running the 5.14.11 kernel. For info:
    Code:
    oldcpu@localhost:~> uname -a
    Linux localhost 5.14.11-lp153.2.g834dddd-default #1 SMP Sun Oct 10  08:34:34 UTC 2021 (834dddd) x86_64 x86_64 x86_64 GNU/Linux
    DETAILS (for any who may be curious):

    The first time when running LEAP-15.3 from the 5.3.18 kernel (also with the 5.14.11 kernel installed from before) when I tried 'mokutil' command to import the key, I did so from /home/oldcpu, and of course it failed (with an error message it could not find the file status). I was not thinking, as when running the command the bash shell either needed to be in the /etc/uefi/certs subdirectory, or the path was needed. So I changed to the /etc/uefi/certs subdirectory and tried again with:
    Code:
    localhost:/etc/uefi/certs # mokutil --import 6A4E915C.crt --root-pw
    That gave no error message, just a return of the root prompt, which I took as a good sign. So I rebooted and immediately obtained this in a blue screen:
    Code:
    "Shim UEFI key management" and asked to "Press any key to perform MOK management"
    I immediately pressed a key.

    I was then presented with this menu (as before) where I had to choose:
    * continue boot
    * enroll MOK
    * enroll key from disk
    * enroll hash from disk

    This time I chose "enroll MOK". That then presented me with this screen:
    * View key 0
    * Continue

    I had no idea what "View key 0" was for, so I elected to ignore that and I selected "continue" ... That then presented me with this:
    Enroll the key(s)?
    * No
    * Yes

    I selected "Yes" and I was prompted with a blue screen asking for a "Password". I entered the root password. I then obtained this screen:
    Perform MOK management
    * reboot
    * Enroll key from disk
    * Enroll hash from disk

    I already knew that 'enroll key from disk' was the wrong approach, ... and I decided that if my previous actions (with entering the root password) were correct, then a reboot was likely appropriate, so I selected 'reboot'.

    The PC rebooted, I selected to boot to the 5.14.11 kernel in the grub menu, and this time I had a boot success to the 5.14.11 kernel.

    I am now posting immediately after that. I have yet to explore this new kernel, ... and pretty much all the kernel related apps I have still installed are associated with the older 5.3.18 kernel, where I may wish to update all those other kernel related apps (but I have not done so yet). I suspect I also may wish to update the intel-media-driver app as well to a newer version.

    Many thanks again to all on this thread for your help. I was DEFINITELY out of my comfort zone here ... and maybe that's a good thing.

    I was pleased (thanks to your help) that I was able to do this without disabling the secure boot.
    Last edited by oldcpu; 06-Nov-2021 at 00:25.

  9. #9
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    15,596
    Blog Entries
    3

    Re: Help on booting to a 5.14.11 kernel:stable:backports kernel with secure boot? (or must I disable

    Quote Originally Posted by oldcpu View Post
    I had no idea what "View key 0" was for, so I elected to ignore that and I selected "continue" ...
    That would have given information about the key - mostly a screen of hexadecimal numbers. If you are not sure what key you are enrolling, you could use this to check -- except that you probably don't have anything to check it against.

    And after viewing the key, there would have been another prompt to enroll it.

    And, yes, after all that, choosing "reboot" was the right step.

    I was confused by these MOK screens the first few times. It is a learning experience. You will be more comfortable next time.
    openSUSE Leap 15.3; KDE Plasma 5.18.6;

  10. #10
    Join Date
    Mar 2011
    Location
    Sauerland
    Posts
    6,633

    Re: Help on booting to a 5.14.11 kernel:stable:backports kernel with secure boot? (or must I disable

    and pretty much all the kernel related apps I have still installed are associated with the older 5.3.18 kernel
    Here are some kmps for kernel:stable:backports:
    https://download.opensuse.org/reposi.../KMP/standard/

    But no nvidia; you have to build it the hard way (which is not that hard)...

    Otherwise post your missing kmps.
