Help on booting to a 5.14.11 kernel:stable:backports kernel with secure boot? (or must I disable)?

[oldcpu]

I am looking for some guidance / assurance in proceeding to active an installed kernel:stable:backports kernel 5.14.11. I have 'secure boot' enabled in BIOS.

The laptop in secure boot, boots/runs ok with the 5.3.18 kernel (with some aspects I want to investigate by trying a newer kernel).

I installed the kernel-default-5.14.11 from the kernel:stable:backports repository on my openSUSE-LEAP-15.3 on my Lenovo X1 Carbon Gen-9 laptop (which also pulled in suse-modules-tools-16.0.11-lp153.2.1 (so to obtain suse-kernel-rpm-scriplets) replacing the previous 15.3.6-1.1 version on my laptop).

When I first rebooted, after selecting the new kernel-default-5.14.11 in the openSUSE grub menu, I was sent to a blue grub screen on "Shim UEFI key management" and asked to "Press any key to perform MOK management".

While I was pondering this, the screen timed out, and gave me a black screen with this error:

Code:

Loading Linux 5.14.11-lp153.2.g834dddd-default ...
error: ../../grub-core/kern/efi/sb.c:151:bad shim signature.
Loading initial ramdisk ...
error: ../../grub-core/loader/i386/efi/linux.c:98:you need to load the kernel first.

Press any key to continue

I pressed a key and it sent me back to the normal green grub boot screen, at which time I selected the regular openSUSE kernel boot to a 5.3.18 kernel.

I concluded I did not know what I was doing, and I needed to research more to know what was appropriate to do next to boot to the 5.14.11 kernel.

I would like to boot to this 5.14.11 kernel, but given I am unfamiliar with this, I don't want to mess up my install if further blue screens are encountered after I "Press any key to perform MOK management". I suspect the next screen might say "Enrol Key from disk" or "Enrol Hash from disk". What do I select there? My guess is "Enrol key from disk" but I prefer not to guess.

Can anyone offer any experience here?

Should I select "Enrol key from disk" ? And if I select that, will I encounter more menus with different selections/decisions to make? I prefer not to screw this us.

or is my best/only approach to disable Secure Boot in BIOS and try again?

As a precaution I have now backed up my /boot/EFI directory to a USB stick.

[Sauerland]

I would enrool key from disk, but:
https://bugzilla.suse.com/show_bug.cgi?id=1191480

[arvidjaar]

Should I select "Enrol key from disk" ?

No. Kernel installation should have created certificate enrollment request. You need to enter MokManager screen, agree to enroll certificate and provide root user password when requested (operating system root user).

Because enrollment request was already cleared, remove kernel and then install it again. Reboot, press any key and follow MokManager prompts.

P.S. I do not know where "any" key is on your keyboard

P.P.S. Please avoid using bold, color etc without real need. It distracts from actual content.

[nrickert]

When you installed that 5.14.11 kernel, it should have installed a certificate in "/etc/uefi/certs". There are probably several certificates there. The one installed by the kernel install will not have "-shim" as part of the name. You can probably guess which one it was by the timestamp on the file.

Enroll that certificate:

Code:

mokutil --import FILENAME

(Run that as root). If you add "--root-pw" to that command line, then it will use the root password for the enroll. Otherwise it will prompt you for a one-time password.

On reboot, you should get that blue screen again, to complete the enroll request.

[oldcpu]

Unfortunately, I proceeded before all the replies to this thread were given. I tried "enroll key from disk" and it failed.

For the curious, this is what I did which failed to work:

I de-installed the 5.14.11 kernel, rebooted to 5.3.18 kernel, re-installed 5.14.11 kernel, rebooted and selected the 5.14.11 at boot. It presented me this menu where I had to choose from:

* continue boot
* enroll MOK
* enroll key from disk
* enroll hash from disk

I selected 'enroll key from disk'

I then obtained this:

"Select Key" - "The selected key will be enrolled into the MOK database. This means any binaries signed with it will be run without prompting. Remember to make sure it is a genuine key before Enrolling it".

After pressing any key, I then obtained this list of directories:

* EFI/
* BOOT/
* System Volume Information/
* $RECYCLE.BIN/

Note there is no option to navigate to a higher level directory. I chose EFI and obtained this:

../
Microsoft/
Boot/
opensuse/

I chose 'opensuse/'

I was then given this choice:

* MokManager.efi
* grub.efi
* shim.efi
* boot.csv
* grub.cfg
* grubx64.efi

I chose 'shim.efi' which did not work, as I obtained this:

Unsupported Format; Only DER encoded certificate (*.cer/der/crt) is supported. OK.

Clearly I had no clue as to what was best. I clicked OK and I was back to here:

* continue boot
* enroll MOK
* enroll key from disk
* enroll hash from disk

I selected 'continue boot' and as expected, I obtained the same error as before.

Code:

...
error: ../../grub-core/kern/efi/sb.c:151:bad shim signature.
Loading initial ramdisk ...
error: ../../grub-core/loader/i386/efi/linux.c:98:you need to load the kernel first.

Press any key to continue

So back to the drawing board ... so to speak ...

When you installed that 5.14.11 kernel, it should have installed a certificate in "/etc/uefi/certs".

By the date time stamp in /etc/uefi/certs directory, there is only one file with .crt entitled "6A4E915C.crt " that is associated with today

Enroll that certificate:

Code:

mokutil --import FILENAME

(Run that as root). If you add "--root-pw" to that command line, then it will use the root password for the enroll. Otherwise it will prompt you for a one-time password.

Run that while being in a boot from the 5.3.18 kernel? That is counter intuitive to me, albeit I confess I have no clue. What does that do? The man page says it manipulates machine owner keys which is not specific enough for me to understand. ... I have questions like, if a key is created/imported - where does it then go? How will it be named ? ... and there are probably more questions I should ask but I am not smart enough to know the questions. ...
.

On reboot, you should get that blue screen again, to complete the enroll request.

I am still puzzled here. Where do I navigate to? As seen from the above, there will be a selection or will the menu selections have changed after running 'mokutil'.

...
I actually surfed looking for a guide through all these different menus, and I failed to find such.

[arvidjaar]

Where do I navigate to?

Enroll MOK

[nrickert]

Run that while being in a boot from the 5.3.18 kernel?

Yes, that's fine. What that command does, is leave a message in NVRAM. That message is picked up by "shim" on your next boot, which then loads "MokManager" to enroll the key.

As said by arvidjaar, you should go with the "enroll MOK".

[oldcpu]

Thankyou for the help.

Thanks to your help, I am now typing this from LEAP-15.3 running the 5.14.11 kernel. For info:

Code:

oldcpu@localhost:~> uname -a
Linux localhost 5.14.11-lp153.2.g834dddd-default #1 SMP Sun Oct 10  08:34:34 UTC 2021 (834dddd) x86_64 x86_64 x86_64 GNU/Linux

DETAILS (for any who may be curious):

The first time when running LEAP-15.3 from the 5.3.18 kernel (also with the 5.14.11 kernel installed from before) when I tried 'mokutil' command to import the key, I did so from /home/oldcpu, and of course it failed (with an error message it could not find the file status). I was not thinking, as when running the command the bash shell either needed to be in the /etc/uefi/certs subdirectory, or the path was needed. So I changed to the /etc/uefi/certs subdirectory and tried again with:

Code:

localhost:/etc/uefi/certs # mokutil --import 6A4E915C.crt --root-pw

That gave no error message, just a return of the root prompt, which I took as a good sign. So I rebooted and immediately obtained this in a blue screen:

Code:

Shim UEFI key management" and asked to "Press any key to perform MOK management"

I immeadiately pressed a key.

I was then presented with this menu (as before) where I had to choose:

* continue boot
* enroll MOK
* enroll key from disk
* enroll hash from disk

This time I chose "enroll MOK". That then presented me with this screen:

* View key 0
* Continue

I had no idea what "View key 0" was for, so I elected to ignore that and I selected "continue" ... That then presented me with this:

Enroll the key(s)?
.
* No
* Yes

I selected "Yes" and I was prompted with a blue screen asking for a "Password". I entered the root password. I then obtained this screen:

Perform MOK management
.
* reboot
* Enroll key from disk
* Enroll hash from disk

I already knew that 'enrolling key from disk was the wrong approach, ... and I decided if my previous actions (with entering the root password) were correct, then a reboot likely appropriate, so I selected 'reboot'.

The PC rebooted, I selected to boot to the 5.14.11 kernel in the grub menu, and this time I had a boot success to the 5.14.11 kernel.

I am now posting immediately after that. I have yet to explore this new kernel, ... and pretty much all the kernel related apps I have still installed are associated with the older 5.3.18 kernel, where I may wish to update all those other kernel related apps (but I have not done so yet). I suspect I also may wish to update the intel-media-driver app as well to a newer version.

Many thanks again to all on this thread for your help. I was DEFINITELY out of my comfort zone here ... and maybe thats a good thing.

I was pleased (thanks to your help) that I was able to do this without disabling the secure boot.

[nrickert]

I had no idea what "View key 0" was for, so I elected to ignore that and I selected "continue" ...

That would have given information about the key - mostly a screen of hexadecimal numbers. If you are not sure what key you are enrolling, you could use this to check -- except that you probably don't have anything to check it against.

And after viewing the key, there would have been another prompt to enroll it.

And, yes, after all that choosing "reboot" was the right step.

I was confused by these MOK screens the first few times. It is a learning experience. You will be more comfortable next time.

[Sauerland]

and pretty much all the kernel related apps I have still installed are associated with the older 5.3.18 kernel

Here are some kmps for kernel:stable:backports:
https://download.opensuse.org/reposi.../KMP/standard/

But no nvidia, you have to build it the hard way (which is no hard way)......

Otherwise post your missing kmps.