How do I enroll tumbleweed kernel signature in shim.efi?

I am running 64 bit tumbleweed and I would like to add the secure kernel signature to shim.efi so I can use secure boot.
I have tried following the instructions at: https://en.opensuse.org/openSUSE:UEFI
I have tried using both mokutil and MokManager.efi but it seems as if neither one has added the signature to MOK.

I am running lvm on luks with all partitions but boot, boot/efi and swap formatted as btrfs.

Please do not suggest I turn off secure boot, I would not be asking this question if I wanted to run without secure boot enabled.

Thank you

Hi
In a nutshell, unless you can get it signed by the openSUSE folks, then you will be out of luck… I would have thought the tumbleweed one is signed?

There is a setting that was changed on kernel >= 3.11 to enable the install of things like the proprietary drivers.

From what I have read the tumbleweed kernel is signed. Per the instructions at openSUSE:UEFI I downloaded the tumbleweed _sslcert.bin and converted it to a DER file which is now located at “boot/efi/EFI/opensuse” for use with mokutil and/or MokManager.efi. That did not work which is the reason I am asking for help.

I seem to have an enrolled key (signed by arvidjaar). I added that for testing a proposed new version of “shim”, and it seemed to work.

As for how I did that – I ran into some problems. The instructions to start MokManager did not work for me. So I constructed an entry in the grub.cfg boot menu that did work. The change from the suggested manual command was to add a UUID search term. I disabled secure-boot while installing that key, though I’m not sure if that is needed.

The key that I added was in “der” format. The Tumbleweed key in the Wiki page is in “pem” format. You can save the “pem” format key in a text file, then use the command “openssl” to convert it to “der”. I don’t remember the details off-hand – I think it’s part of the “openssl x509” command. The man pages should fill in the details.

I currently don’t have tumbleweed on this machine, so I can’t test whether I can enroll. I do have it on another UEFI machine, but it’s one of those machines that does not like double-signing. So I’ve been leaving secure-boot disabled for now.

Question: Were you running full disk luks encryption when you added the key? I am wondering if the reason I cannot get a result is that all partitions except /boot (sda2) and /boot/efi (sda1) are encrypted and not accessible when I am in the grub menu. What leads me to ask this question is that copies of files found in /boot/efi/EFI/opensuse are also in /usr/lib64/efi.

Strictly speaking, I was running grub2, and opensuse had not been started.

I invoked MokManager from the opensuse 13.2 boot menu. And opensuse 13.2 was installed in an encrypted LVM at that stage (since replaced by 13.1). I had copied the “der” file into the EFI partition.

What leads me to ask this question is that copies of files found in /boot/efi/EFI/opensuse are also in /usr/lib64/efi.

Yes, but that’s in case you need to reinstall grub2. Those files (from /usr/lib64/efi) are not being used by MokManager.

Okay, I decided to do this. And I succeeded.

So here’s what I did:

1: I set my system up for secure boot. For that, I had to go through the Wiki section on “Booting the Machine that supports only one signature with vendor provided Keys”. I won’t go through the details, since it probably doesn’t apply to you.

2: I saved the tumbleweed key (from that wiki page) into a file “tweed.pem”.

3: I converted to DER format


openssl x509 -inform PEM -outform DER -in tweed.pem -out tweed.der

4: I copied the file “tweed.der” to “/boot/efi”. I later also copied to “/boot/efi/EFI/opensuse”, so I’m not certain which one of those actually worked (I think it was the one just in “/boot/efi”).

5: This is where problems began to arise.

I ran MokManager, using an entry I had added to my boot menu. I think there’s a bug there. I selected “install from hard disk”. But it just gave me the same output as if I selected “install hash”. That did not happen to me in my earlier experience (different computer running 12.3). I had expected that it would list the file name “tweed.der”. I suggest that you file a bug report on this, and post the bug number (then I’ll add my own comments).

6: Because of that failure, I booted back into opensuse (details of that, below). I then did


# cd /boot/efi
# mokutil --list-enrolled ### it showed empty
# mokutil --list-new      ### it showed empty
# mokutil --import tweed.der
Password:  (I entered a password here -- I think it's just to encrypt the request)
Password-again: (same password)
# mokutil --list-new      ### it now listed the cert that I wanted to enrol

7: I rebooted, and again selected MokManager from my menu

8: I was given a list of keys (only one in the list), and asked to enter the number of the key I wanted to enroll. I entered “1” (without the quotes).
On the next prompt, I entered 0 (to continue). It seemed to enroll the key. It then gave an option to continue with boot or to add another key. I told it to continue with boot.

9: I booted into my system, which demonstrated that the key was working.

NOTE: on secure booting. I have been carefully retaining a 3.11.10 kernel (from the installed 13.1). I do this, so that with secure-boot enabled, I can select Advanced Options on the grub menu, and select a kernel which I know will secure-boot. I set the multi-boot options in “/etc/zypp/zypp.conf” to


multiversion.kernels = latest,latest-1,running,oldest

so that kernel cleanup will retain the oldest which should be an original 13.1 kernel. That way, even with secure-boot on, I can get into my Tumbleweed system.

I used that fallback kernel in step 6 above (after the MokManager failure). However, I used the latest Tumbleweed kernel “3.15.5-39.g01d2774-desktop” in my final boot (step 9 above), which proved that I had it working.

I hope that helps. And please file that bug report (see step 5 above).
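A way to confirm by fingerprint that the key you imported is the one that ended up in the MOK list, as an added example that is not code from this thread or from the mokutil/openSUSE project: it redoes the PEM-to-DER step from step 3 in Python's standard library (the same base64 unwrapping the openssl command performs), computes the SHA-1 fingerprint that mokutil displays, and looks for it in `mokutil --list-enrolled` or `--list-new` output. Assumptions: the certificate bytes and the listing below are constructed samples, not a real key, and the listing is matched on the "SHA1 Fingerprint:" lines mokutil prints per key.

```python
"""Check whether a PEM certificate (as on the openSUSE:UEFI wiki page) shows up
in mokutil's key listing, by SHA-1 fingerprint. Stdlib only; no openssl call."""
import base64
import hashlib
import re

# Constructed sample: 16 arbitrary bytes, NOT a real certificate, wrapped in
# PEM armour so the script runs offline. Replace with the real tweed.pem text.
SAMPLE_DER = bytes(range(0x30, 0x40))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

# Constructed sample of `mokutil --list-enrolled` output holding one unrelated key.
SAMPLE_LISTING = """\
[key 1]
SHA1 Fingerprint: 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67
Certificate:
    Data:
        Version: 3 (0x2)
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body; this is all that
    `openssl x509 -inform PEM -outform DER` does to the bytes."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated lowercase SHA-1 of the DER bytes, mokutil's display form."""
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def enrolled_fingerprints(listing: str) -> set:
    """Collect every 'SHA1 Fingerprint:' value from mokutil list output."""
    return {m.lower() for m in re.findall(r"SHA1 Fingerprint:\s*([0-9A-Fa-f:]+)", listing)}


def is_enrolled(der: bytes, listing: str) -> bool:
    return sha1_fingerprint(der) in enrolled_fingerprints(listing)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("fingerprint:", sha1_fingerprint(der))
    print("enrolled:", is_enrolled(der, SAMPLE_LISTING))
```

On a real system, feed `pem_to_der` the wiki key text and `is_enrolled` the captured output of `mokutil --list-enrolled` (after the reboot) or `mokutil --list-new` (before it) to see which stage the request reached.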