Invalid signature in kernel updated from kernel:stable repository (Secure Boot problems)

Hi, I have a problem updating the kernel in Suse 13.2.

First of all, I want to update the kernel because it fixes a number of problems in my laptop (a brand new Lenovo X1 Carbon, 3rd Gen). The kernel packed in the 13.2 distribution is 3.16, which does not contain certain bug fixes I need. I have added the kernel:stable repository (http://download.opensuse.org/repositories/Kernel:/stable/standard/), which currently contains a 4.0 kernel. I have tried it, and it indeed fixes the problems, so it is somewhat important to keep using this kernel instead of the default one.

However, the problem is that I cannot boot this kernel unless I switch off Secure Boot, because the signature cannot be verified. The problem seems to be that this kernel is not properly signed, so grub does not boot it. Disabling Secure Boot is a bad solution because then I cannot use Windows 8, and using both systems is also important for me.

Hence, the question is: is there a simple way* to use an updated kernel in Suse without having to switch off Secure Boot? I would expect that this repository contains signed kernels, or that at least Opensuse offers a solution to update the kernel in a simple way respecting Secure Boot. I can hardly believe that you have to stick to the 3.16 kernel until the next release of Suse 13.3.

Do you think there is a work around this problem?

*By simple way I mean that I do not want to compile and sign my own kernel.

You could try fetching the key from the Kernel:stable project and enrolling it in shim (using the UEFI interface or mokutil). You can fetch the key using “osc signkey --sslcert Kernel:stable”, but you need to be registered on build.opensuse.org.

Another choice is to create your own signing key, and enroll that in shim. Then sign the kernel with your key.

Booting a custom kernel

Signing a kernel for secure-boot

OK, I see that there is no “easy” solution. I really would like to try it and learn more about the Secure Boot stuff, sign kernels and all this, but I’m afraid I do not have much time right now to get familiar with the tool… thanks anyway.

If I manage to find time to fix it, I’ll share my experience.

On 2015-06-05 09:26, onturenio wrote:
>
> OK, I see that there is no “easy” solution. I really would like to try
> it and learn more about the Secure Boot stuff, sign kernels and all
> this, but I’m afraid I do not have much time right now to get familiar
> with the tool… thanks anyway.
>
> If I manage to find time to fix it, I’ll share my experience.

Try Bugzilla :-?


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

What exactly is the “bug” here?

On 2015-06-05 13:46, arvidjaar wrote:
>
> robin_listas;2713719 Wrote:
>>
>> Try Bugzilla :-?
>>
>
> What exactly is the “bug” here?

That the kernel doesn’t have a working signature and you have to add it
yourself. You don’t have to do any of that with the official kernels in
oss repo.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Sorry? Where have you seen any evidence in this thread that signature does not work?

> and you have to add it
> yourself. You don’t have to do any of that with the official kernels in
> oss repo.

Why do you expect an unofficial kernel to have an official signature?

Opening a bug report for this will just waste developers’ time, and they do not have much at hand anyway.

On Fri 05 Jun 2015 12:03:05 PM CDT, Carlos E. R. wrote:

> On 2015-06-05 13:46, arvidjaar wrote:
>>
>> robin_listas;2713719 Wrote:
>>>
>>> Try Bugzilla :-?
>>>
>>
>> What exactly is the “bug” here?
>
> That the kernel doesn’t have a working signature and you have to add it
> yourself. You don’t have to do any of that with the official kernels in
> oss repo.

Hi
AFAIK, that doesn’t apply to that repo (from memory, spotted on the
factory or kernel MLs).


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.39-47-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

On 2015-06-05 14:16, arvidjaar wrote:
>
> robin_listas;2713731 Wrote:
>>
>> That the kernel doesn’t have a working signature
> Sorry? Where have you seen any evidence in this thread that signature
> does not work?

No? I thought that was what the thread solution was about.
You are telling the OP to sign himself the kernel, or get an account on
the OBS…

That’s not working to me.

>> and you have to add it
>> yourself. You don’t have to do any of that with the official kernels in
>> oss repo.
>
> Why do you expect unofficial kernel to have official signature?

Well, I don’t know, but then it is very difficult to install them. They
might just as well not publish them at all.

> Opening bug report for this will just waste time of developers and they
> do not have much at hand anyway.

Well, I was just asking…


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Just turn Secure Boot off; it is false security. If someone is in a position to modify the boot stack, they already own you.

“No working” for me means - correct key was enrolled but signature verification fails. “Signature verification fails without correct key” is “works by design” for me.

If someone wants to be constructive, steps would be

  1. test if key from OBS project works
  2. if it works, open a discussion on the kernel/buildservice lists on how to make the key more easily accessible (maybe it already is, I just do not know it). E.g. grub packages the key used to sign it, so you can easily enroll it if installing from a non-default repository (this was actually used for testing proposed patches).
  3. if it does not work, open a discussion on the kernel list about what key is used for signing and how to fetch it

Now, 2 or 3 may eventually result in bug reports or enhancement requests that would be useful then.
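Before enrolling any key (step 1 above, or the shim/MOK route suggested earlier in the thread), it is worth confirming that the Kernel:stable image actually carries an Authenticode signature and extracting the PKCS#7 blob so you can see which certificate signed it. The following is an added example, not code from this thread or from openSUSE; it assumes the kernel is a PE/EFI-stub image such as /boot/vmlinuz-<version> (hypothetical path and script name), and it builds a constructed minimal PE image for the offline self-test.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # PE data directory slot holding the Authenticode signature
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # certificate table entry carrying a PKCS#7 SignedData blob

def signature_info(image: bytes) -> dict:
    """Report the Authenticode certificate table of a PE/EFI image.

    Secure Boot (shim/grub) verifies the PKCS#7 signature stored in data
    directory entry 4. Unlike other entries, its VirtualAddress is a raw
    file offset. Returns {"signed": False} when the table is empty.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 24                # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 layout
    cert_off, cert_size = struct.unpack_from("<II", image, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if cert_off == 0 or cert_size == 0:
        return {"signed": False}
    if cert_off + 8 > len(image):
        raise ValueError("certificate table points outside the file")
    length, revision, ctype = struct.unpack_from("<IHH", image, cert_off)
    return {"signed": ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA, "length": length,
            "revision": revision, "type": ctype, "pkcs7": image[cert_off + 8:cert_off + length]}

def build_test_image(pkcs7: bytes = b"") -> bytes:
    """Constructed PE32+ skeleton (test data, not a real kernel), optionally
    carrying a certificate table so signature_info() can be exercised offline."""
    pe_off = 0x40
    hdr = bytearray(pe_off + 24 + 112 + 16 * 8)       # headers + 16 data directories
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, pe_off + 24, 0x20B)   # PE32+ magic
    if not pkcs7:
        return bytes(hdr)
    cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    struct.pack_into("<II", hdr, pe_off + 24 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(hdr), len(cert))
    return bytes(hdr) + cert

if __name__ == "__main__":
    # Hypothetical usage: python3 pe_sig_check.py /boot/vmlinuz-<version>. The pkcs7 blob can be
    # written out and fed to "openssl pkcs7 -inform DER -print_certs" to see the signing certificate.
    with open(sys.argv[1], "rb") as f:
        print({k: v for k, v in signature_info(f.read()).items() if k != "pkcs7"})
```

With sbsigntools installed, `sbverify --list <image>` reports the same certificate table; this script only tells you whether a signature is present and who signed it, not whether that signer is enrolled in your firmware or MOK list.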

On 2015-06-06 07:26, arvidjaar wrote:
>
> robin_listas;2713737 Wrote:
>>
>> No? I thought that was what the thread solution was about.
>> You are telling the OP to sign himself the kernel, or get an account on
>> the OBS…
>>
>> That’s not working to me.
>>
>
> “No working” for me means -

Wait. I said “to”, not “for”. There is a difference. :slight_smile:

> If someone wants to be constructive, steps would be

Well, opening a discussion in a specialized mail list is a variation of
writing a bugzilla. The latter is more formal, though.

Yes, what you suggest seems a good plan. I’m not affected, though, so I
can’t do it.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))