Bricked my laptop after BIOS update

I installed openSUSE on Acer V3 571G with secure boot disabled. My system is quad-booting - windows, ubuntu, fedora & openSUSE with openSUSE boot manager as default boot manager. I made openSUSE boot manager the default boot manager by running the following command in cmd in windows:

bcdedit /set {bootmgr} path \EFI\opensuse\grubx64.efi

Check the following link for details
https://forums.opensuse.org/showthread.php/491292-Dual-boot-OpenSuse-12-2-with-Windows-8-on-UEFI-Boot-Menu-for-Opensuse-not-created

But, yesterday after updating BIOS somehow **secure boot got re-enabled.** Now my laptop is not booting and is asking to register the boot manager either by using key or hash.
To register by using key I need .crt/.cer/.der certificates. EFI partition is mounted but I’m not able to find **.crt/.cer/.der certificates** anywhere in the EFI partition.

Now a bigger problem: I’ve forgotten my BIOS password and I won’t be able to disable secure boot. Also, I won’t be able to change my device boot order, so I won’t be able to boot into a live cd either.

So I need to load a certificate for openSUSE boot manager. Is there any other method left?

PS - I’ve initiated a complaint to reset my BIOS password at Acer.

Have you tried Googling for a way to reset your BIOS password on your
laptop? Just Googling for something like ‘reset acer laptop bios
password’ a lot of potentially-useful things come up. Whether or not
they’ll work on your system, I cannot test.


Good luck.


The results of google search will only work with older laptops. For newer laptops there is no method such as master password, etc. I cannot open my laptop as it’s still in warranty.

Again, my question is: can I side load a certificate for openSUSE boot manager?

Try hitting F12 during boot. If you are lucky, that will bring up a boot menu. I’m hoping that setting a BIOS password did not disable that option.

If that brings up a boot menu, then you can boot a live CD or live USB. The opensuse live rescue CD or live KDE media should be able to secure-boot.

If that doesn’t work, you will probably need help from Acer support.

@nrickert the F12 key method is not working.
In shim UEFI key management I’m asked to perform mok management. Upon selecting enroll key from disk two options are shown - esp (the efi partition of my laptop) and boot (openSUSE KDE live usb). Still I’m not able to find .cer/.der/.crt keys in live usb.

Options available with the boot (opensuse live usb) boot/efi/boot/ grub.efi or grub.cfg or bootx64.efi

You should not need to enroll a key. You only need that if you have built and signed your own kernels or are using the tumbleweed kernels.

With 13.1, I was unable to enroll a key until I had first run “mokutil”. It was easier with the 12.3 shim.

If you are able to boot a live usb, you should be able to fix the problem. If you cannot boot anything, then I think you will need to call Acer support.

Although I haven’t seen it explicitly described, I’m pretty sure one part of the idea of “secure boot” is to disable any kind of BIOS access during boot by hot key. This means that the only way to access boot is from within a successfully booted system.

If I were to guess, Acer support will probably say that if you cannot boot your OS to access your UEFI, you’re SOL.

Maybe there is a way to hack this… for instance I’d consider creating an alternate boot eg from a LiveCD pointing to your OS files… but I’d be just spitballin’

TSU

Means creating a key by using method given on openSUSE:UEFI - openSUSE Wiki would further increase the problem.

I was thinking of creating a certificate on openSUSE live usb and then load it.

If you are as far as in shim, then secure boot has worked. I do not understand what you are trying to do. It seems that you have corrupted openSUSE bootloader which is something different. I doubt it has anything to do with BIOS update.

Since I installed openSUSE in secure boot disabled mode, I guess that boot-loaders might not have been signed. And since my system was booting perfectly before updating bios, only after that ‘verification failed’ messages began displaying on the screen. So, I interpret it as secure boot might have been turned on, that’s why BIOS is asking for .der/.cer/.crt certificates and not allowing openSUSE boot-loader to load. See attached image.

So what I’m trying to do is make a certificate and side load it from opensuse live usb. Note: BIOS is asking .cer/.crt/.der certificates and efi and opensuse live usb is mounted by bios/uefi.

Your screenshot is not from shim (at least, not from shim installed by openSUSE). So yes, it seems that your problem is caused by enabling secure boot. In this case if you had before used grub2 in non-secure mode, it cannot be fixed by adding certificate - for the simple reason that in this case grub.efi is built on the fly and is not signed at all.

Unfortunately if you cannot boot from removable media and cannot disable secure boot you are stuck. You need to find how to reset settings (may be there is some jumper or DIP switch on motherboard)?
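
Added example (not part of any post in this thread): the reply above turns on whether a boot loader carries an embedded signature at all, and this Python sketch reads the PE certificate table of an EFI binary to tell the two cases apart. `build_sample` is a hypothetical helper that constructs a minimal test image; a signature being present says nothing about whether the firmware trusts its signer.

```python
import struct

SECURITY_DIR = 4  # data-directory index of the attribute certificate table

def cert_table(image: bytes):
    """Return (file_offset, size) of the embedded signature table, or None if unsigned."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE/EFI image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 layout
    count = struct.unpack_from("<I", image, dirs - 4)[0]
    if count <= SECURITY_DIR:
        return None
    offset, size = struct.unpack_from("<II", image, dirs + 8 * SECURITY_DIR)
    if offset == 0 or size == 0:
        return None                                # nothing for the firmware to verify
    if offset + size > len(image):
        raise ValueError("certificate table runs past end of file")
    return offset, size

def certificates(image: bytes):
    """List (length, revision, type) for each WIN_CERTIFICATE entry in the table."""
    table = cert_table(image)
    pos, end = (table[0], sum(table)) if table else (0, 0)
    found = []
    while pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        found.append((length, revision, ctype))
        pos += (length + 7) & ~7                   # entries are 8-byte aligned
    return found

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (hypothetical test input, not a bootable binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8 if signed else b""
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, *((328, 16) if signed else (0, 0)))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert
```

To inspect a real loader, pass the bytes of the file (for example the `grubx64.efi` named in the first post) to `certificates`; an empty list means there is no embedded signature to check against any enrolled certificate.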

On 2014-10-08 17:16, tsu2 wrote:
>
> Although I haven’t seen it explicitly described, I’m pretty sure one
> part of the idea of “secure boot” is to disable any kind of BIOS access
> during boot by hot key.

Not even by typing a bios password?


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

He forgot his password :stuck_out_tongue:

The BIOS update seems to have turned on secure boot but kept the password settings.

Only the computer maker can help him out. There should be a way to reset to factory state. But then UEFI stuff has a history of bricking because the maker has not allowed factory reset.

In any case the BIOS patch should not have set secure boot on if it was off. This is a serious programming error and should be referred back to the guys that made the hardware

What I don’t understand is it appears that he can not boot to a USB/DVD either which should not depend on secure boot as I understand it. If he could do that then he could reinstall using a full DVD/USB

His messing around with certificates probably has broken stuff anyway so best to reinstall if he could boot to a removable media

On 2014-10-10 18:46, gogalthorp wrote:
>
> He forgot his password :stuck_out_tongue:

Oh! Crumbs… :frowning:

True, he said so in the first post.

> The BIOS update seems to have turned on secure boot but kept the
> password settings.

In BIOS times, the password was kept on CMOS RAM memory, inside the same
chip that had the CMOS clock, backed with a small battery. Thus removing
that battery with the computer un-powered cleared the password. Unsafe
if you could open the box. Some boxes had (iron) locks. Others just a
detect switch.

Some used flash memory instead. I believe UEFI uses flash (I hope on a
different chip than the bios itself). In that case, unless there is a
jumper, I have no idea how to reset it… :-?

> Only the computer maker can help him out. There should be a way to reset
> to factory state. But then UEFI stuff has a history of bricking because
> the maker has not allowed factory reset.

:frowning:

> In any case the BIOS patch should not have set secure boot on if it was
> off. This is a serious programming error and should be referred back to
> the guys that made the hardware
>
> What I don’t understand is it appears that he can not boot to a USB/DVD
> either which should not depend on secure boot as I understand it. If he
> could do that then he could reinstall using a full DVD/USB

If the bios has paranoid settings, external booting /must/ be disabled.

What if you remove the hard disk, or put a new or totally empty one?
Would the bios realize that it must allow a reinstall and boot from
external media?


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Would be nice if your opinion was actually implemented.
I’ve noticed for over a year now that every time HP has pushed a new BIOS update (and I’ve received 5 such updates in the past year which could be a comment on the issues the original BIOS had, and attempts to fix), <every> time it resets all my BIOS settings to factory defaults… which means secure boot on, virtual extensions off, original boot order, etc.

In other words, any BIOS update today probably defaults to secure boot on on next boot.

So, I’ve had plenty of practice and now fully expect these settings with every BIOS update… and yes, dread the day if it should come when something happens to secure boot. Is why my secure boot is not customized and why I also disable it always in the hopes that if it should fail I can recover using normal means and tools (which apparently is not available to the OP).

TSU

You can install the secure boot stuff when installing the OS even if secure boot in the BIOS is off; it is just ignored.

I suggest that the secure boot box be checked even if you are installing in an EFI system with secure boot off to allow for this nonsense

Also a good idea to remember your passwords :wink:

And it is programming 101 you never ever change settings on updates.

On 2014-10-10 22:06, gogalthorp wrote:

> And it is programming 101 you never ever change settings on updates.

Maybe because the settings are stored now on the same chip, and it is
flashed completely :-?

Or because they add new variables, changing the addresses, so the config
/must/ be reset. It is what happens with a binary config.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

I’m pretty sure that was the default (secure boot box checked even while not using secure boot) for my EFI install of 13.2-RC1 and 13.2-Beta1. I don’t remember if that was the situation for 13.1.

> Also a good idea to remember your passwords :wink:

I stopped using BIOS passwords, around 10 years ago. I had not forgotten it, but it did make it harder to fix some problems. And the computer was in a secure location anyway, so a BIOS password wasn’t important.

> And it is programming 101 you never ever change settings on updates.

Right. But firmware often has tight memory requirements, and the new version changes some of the data structures. So some vendors find it easier to switch to defaults.

More of a puzzle, is that a system with BIOS password would allow a BIOS update without giving the password. This seems a basic mistake. What’s the use of a BIOS password, if the BIOS firmware can be replaced?

> So some vendors find it easier to switch to defaults.

Lazy. You push the settings to a safe location, flash the BIOS, then restore the settings. This is not rocket science.

I write database programs. If I ever cleared the settings on a client’s machine on making an update I’d be out of business.

It has been my experience that pretty well all BIOS and Firmware updates set the respective units to default settings. You will find this so with most routers, as well.

That is occasionally because the new Firmware changes some offsets.