As with other kernels, kernel (vmlinuz-x.y.z) should go under /boot, modules under /lib/modules and you need to create initrd running mkinitrd. You do not really need to add it to boot menu, you can simply edit any available menu and replace kernel/initrd versions.
Thanks for your help, but that doesn’t solve my problem.
Grub2 complains about bad signature of Ubuntu kernel.
I think, I should:
Disable signature checking (How Can I do this?)
Sign Ubuntu kernel with OpenSuSE key or add Ubuntu key to my motherboard
Second solution probably isn’t available, because I cannot write new key to motherboard (I cannot change anything) and I probably cannot sign Ubuntu kernel with OpenSuSE key (that’s an action only the OpenSuSE team can do).
So right question is probably: how to disable (using Yast or by command line) signature checking in grub2?
Use “linux” instead of “linuxefi” to load kernel (and “initrd” instead of “initrdefi”).
Sign Ubuntu kernel with OpenSuSE key
You can’t - you (or anyone of us) do not have SUSE key. If you could do it, there would be no sense in checking signature in the first place. If you can run shim (depending on how your EFI boot manager is configured) you may be able to enroll hash of kernel if EFI variables are stored in different EPROM.
Assuming that you are able to boot openSUSE, then I suggest adding the Ubuntu key (really, the Canonical key) to MokManager.
First you will need to get the Canonical key. Easiest way is to boot the Ubuntu installer on a UEFI box (it does not need to be the same box). Then use “mokutil --export” to export the canonical key to a file.
Then copy that file into the EFI partition in your computer – copy to “/boot/efi”. And then use “mokutil --import key (filename)” with openSUSE. It should complete the import when you next boot into openSUSE.
This is system where changing any BIOS settings is not possible because EPROM where they are stored is read-only. With high probability EFI variable store is read-only as well. If storing variable is possible, you do not even need certificate - as I mentioned you can simply enroll hash of binary, this will be enough.
I’m trying to run kernel with init ram disk by omitting the efi suffix. Nothing happens. Screen only blinks. When I added sleep 10 to the end of editor window, no important message appears and grub returns to editor window.
If you are running with Secure Boot enabled it is likely not possible - your EFI boot menu does not offer it, and using external binary requires this binary to be signed.
Did you try whether you can enroll anything as suggested by Neil to “approve” Ubuntu kernel?
Otherwise I would try posting to the opensuse-kernel mailing list; maybe developers can build signed kernel based on Ubuntu one (or with the same patch).
Hmm … what could work - you should be able to load Ubuntu shim (which is signed by Microsoft); this shim should embed Ubuntu certificate; so you should be able to load Ubuntu signed grub and kernel after that.
Another option is to try network boot to load Ubuntu signed shim and grub. Although I’m not sure whether shim supports network (I expect yes as long as it only uses simple filesystem protocol).
I don’t know, how to enroll/introduce (Do I understand enroll correctly as word with the same meaning as introduce? English is not my native language). Can you give me some hint how to enroll via terminal or GUI tools? I think you, guys, suggest me to introduce new key to my motherboard’s memory.
Sorry for writing too many posts, but I see mokutil --import-hash works partially, but mokutil --disable-validation shows some errors. Is there any chance to sign Ubuntu kernel with my own key and add it to the motherboard?
No, it does not compute hash itself; you need to provide compatible hash as option to --import-hash. One possibility to obtain hash is to use “pesign --hash -i vmlinuz”. Also you need to provide mokutil with password that is used to confirm action at boot time. If mokutil is successful, after reboot you should see MokManager GUI. If you do not see it, something went wrong.
But mokutil works by updating EFI variable. If your settings are read-only, quite probably EFI variables are read-only too. In this case enrolling anything is simply not possible and launching Ubuntu shim may be the only option (short of building kernel with openSUSE signature).
Is there any chance to sign Ubuntu kernel with my own key and add it to the motherboard?
See above. Try creating certificate and enrolling it using mokutil. If it works, signing kernel should be possible.
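An added illustration of the "compatible hash" discussed in the thread (not code from any poster, nor from pesign or shim): a PE image hash in the Authenticode style skips the header CheckSum, the certificate table entry and any appended signature, so it differs from a plain SHA-256 of the file. The sketch assumes the SHA-256 digest variant; `build_sample_pe` and its sample bytes are constructed for the demonstration.

```python
import hashlib
import struct

def authenticode_sha256(image: bytes) -> str:
    """Authenticode-style SHA-256 of a PE/COFF image (EFI kernels are PE files)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    opt = pe_off + 24
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)    # PE32 / PE32+
    (n_dirs,) = struct.unpack_from("<I", image, dirs - 4)
    if n_dirs < 5:
        raise ValueError("no certificate table directory entry")
    checksum_off, cert_dir = opt + 64, dirs + 4 * 8
    (hdr_size,) = struct.unpack_from("<I", image, opt + 60)
    (cert_size,) = struct.unpack_from("<I", image, cert_dir + 4)
    h = hashlib.sha256()
    h.update(image[:checksum_off])                  # headers, skipping CheckSum
    h.update(image[checksum_off + 4:cert_dir])      # and skipping the certificate
    h.update(image[cert_dir + 8:hdr_size])          # table directory entry
    secs = [struct.unpack_from("<II", image, opt + opt_size + 40 * i + 16)
            for i in range(n_sections)]             # (raw size, raw pointer)
    hashed = hdr_size
    for size, ptr in sorted(secs, key=lambda s: s[1]):   # sections in file order
        h.update(image[ptr:ptr + size])
        hashed += size
    # Trailing data, with the appended signature blob left out.
    h.update(image[hashed:max(hashed, len(image) - cert_size)])
    return h.hexdigest()

def build_sample_pe(payload: bytes, checksum: int = 0, signature: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image: one section plus an optional signature blob."""
    img = bytearray(512)
    img[0:2], img[64:68] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 64)                  # e_lfanew
    struct.pack_into("<HHIIIHH", img, 68, 0x8664, 1, 0, 0, 0, 240, 0x22)  # COFF header
    struct.pack_into("<H", img, 88, 0x20B)                 # PE32+ magic
    struct.pack_into("<II", img, 148, 512, checksum)       # SizeOfHeaders, CheckSum
    struct.pack_into("<I", img, 196, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 232, 512 + len(payload), len(signature))  # cert table
    struct.pack_into("<II", img, 344, len(payload), 512)   # section raw size, pointer
    return bytes(img) + payload + signature
```

For a real image, pass the file's bytes to `authenticode_sha256` and compare the result with what the signing tool reports before enrolling anything.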