Kernel Stable UEFI Questions

How does one find out if Kernel Stable is UEFI signed? What & where to look for in the repo (other)?

Is it a Kexec signed kernel?

If it’s a Kexec kernel will it boot uefi + secure boot via the signed 13.2 kernels? – or only signed 3.17 kernels?

What do I have to do to make kexec work?

How does one get kernel stable to boot uefi + secure boot otherwise?

Thanks for thinking on these!

bor@opensuse:~> mkdir /tmp/cert
bor@opensuse:~> cd /tmp/cert
bor@opensuse:/tmp/cert> certutil -d . -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 
Re-enter password: 
bor@opensuse:/tmp/cert> pesign --show-signature -i /boot/vmlinuz-3.11.10-21-desktop -n .
---------------------------------------------
certificate address is 0x7f1867bfedd8
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is openSUSE Secure Boot Signkey
The signer's email address is build@opensuse.org
Signing time: Tue Jul 22, 2014
There were certs or crls included.
---------------------------------------------
bor@opensuse:/tmp/cert> 

Newer pesign in factory may relax requirement for valid certificate store when displaying signature.

So, from: openSUSE:UEFI - openSUSE Wiki I see I need to install “mozilla-nss-tools” & “pesign”

If I do "man pesign" I don't see the "-n" operator. What does that operator do?

bor@opensuse:/tmp/cert> pesign --show-signature -i /boot/vmlinuz-3.11.10-21-desktop -n .
Is the ending period/dot part of the code, or just the end of the line (as I don't see it in the above link)?

If I install kernel stable on a non-UEFI machine, will the certificate be there as a test prior to installing on a UEFI + Secure Boot machine?

New question:
I just ran "zypper dup" and have Linux 3.16.3-1.gd2bbe7f-desktop x86_64: however, I see that 
http://download.opensuse.org/repositories/Kernel:/openSUSE-13.2/standard/x86_64/
contains kernel-desktop-3.16.6-2.1.gfeb42ea.x86_64.rpm 
Anyone know if that one is signed?

Thanks

Yes, it is the path to the certificate store. As I said, it is possible that the new pesign does not need it in this case.

It appears that kernel-3.17 is signed; from my desktop install (non-uefi):

mkdir /tmp/cert
cd /tmp/cert
certutil -d . -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 
Re-enter password: 
pesign --show-signature -i /boot/vmlinuz-3.17.1-2.g5c4d099-desktop -n .
---------------------------------------------
certificate address is 0x7fc8e0ee4328
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Kernel OBS Project
The signer's email address is kernel@build.opensuse.org
Signing time: Sun Oct 19, 2014
There were certs or crls included.
---------------------------------------------

And, in /tmp/cert, I have three files, cert8.db, key3.db & secmod.db; all with content.

Now worth trying on my UEFI + Secure Boot laptop.

Thank you arvidjaar!
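The two terminal sessions above (the 3.11.10 and the 3.17.1 kernels) both use pesign to list the signature attached to the kernel image. As an added example that is not part of the original posts and is not pesign's or openSUSE's code, the Python script below does the same header walk on a PE/COFF image that pesign starts with: it follows the e_lfanew pointer, reads the optional header, and looks at data directory entry 4, the attribute certificate table, which is where an Authenticode signature lives in an EFI-stub vmlinuz. It decodes each WIN_CERTIFICATE header and reports whether a PKCS#7 signature is present. The constructed sample image, the placeholder signature bytes, and all function names are assumptions made for this example. Note what it does not do: it does not verify the signature and cannot tell you whether shim trusts the signer; a signed kernel and a kernel signed by a certificate shim carries are two different things, and the second check still needs pesign or sbverify plus the certificate store.

```python
#!/usr/bin/env python3
"""Detect an Authenticode signature table in a PE/COFF image (e.g. an EFI-stub
vmlinuz).  Added example for this thread, not pesign's code.  Presence only:
no signature verification, no trust check against shim's certificate."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory slot of the cert table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData


def find_security_directory(data):
    """Return (file_offset, size) of the attribute certificate table, or None.
    Entry 4 is special: its 'VirtualAddress' is a raw file offset, because
    the table is never mapped into memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (no MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = pe_off + 4
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:            # PE32+ (x86_64 kernels)
        count_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:          # PE32 (i386)
        count_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if dirs_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1) > opt + size_of_opt:
        return None               # optional header too short to hold entry 4
    count = struct.unpack_from("<I", data, count_off)[0]
    if count <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    offset, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if offset == 0 or size == 0:
        return None
    if offset + size > len(data):
        raise ValueError("certificate table points past end of file")
    return offset, size


def parse_certificates(data, offset, size):
    """Decode the WIN_CERTIFICATE entries in the table (each 8-byte aligned)."""
    certs, end = [], offset + size
    while offset + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
        if length < 8 or offset + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % offset)
        certs.append({"offset": offset, "length": length, "revision": revision,
                      "type": cert_type, "pkcs7_len": length - 8})
        offset += (length + 7) & ~7
    return certs


def describe_signature(data):
    """Summarise whether the image carries a signature table and what is in it."""
    table = find_security_directory(data)
    if table is None:
        return {"signed": False, "certificates": []}
    certs = parse_certificates(data, *table)
    return {"signed": bool(certs), "certificates": certs}


def build_sample_pe(signed):
    """Constructed minimal PE32+ image for offline testing; not a real kernel.
    The 'signature' is a placeholder string, not a real PKCS#7 blob."""
    opt_size = 112 + 16 * 8                      # PE32+ fixed part + 16 directories
    header_len = 64 + 4 + 20 + opt_size          # DOS stub + "PE\0\0" + COFF + optional
    cert_off = (header_len + 7) & ~7
    fake_sig = b"constructed-placeholder-not-a-real-PKCS7-blob"
    cert_len = 8 + len(fake_sig)
    table_len = (cert_len + 7) & ~7

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header follows the stub
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_off, table_len)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    image += b"\0" * (cert_off - len(image))
    if signed:
        image += struct.pack("<IHH", cert_len, WIN_CERT_REVISION_2_0,
                             WIN_CERT_TYPE_PKCS_SIGNED_DATA) + fake_sig
        image += b"\0" * (table_len - cert_len)
    return image


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:   # e.g. /boot/vmlinuz-3.17.1-2.g5c4d099-desktop
            blob = f.read()
    else:
        blob = build_sample_pe(signed=True)   # constructed sample when no path is given
    print(describe_signature(blob))
```

Run it with the path to a vmlinuz to see whether a signature table is attached; with no argument it inspects the constructed sample. The signer's common name and e-mail that pesign prints sit inside the PKCS#7 blob, which this script deliberately leaves undecoded.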

As long as shim includes this certificate. I suggest you ask on opensuse-kernel list if there is shim build that does.

Hi
That’s already been asked and answered;

Disable UEFI Secure Boot in your BIOS for installing development kernels.

Ref: http://lists.opensuse.org/opensuse-kernel/2014-10/msg00096.html

Alas, some of us cannot; my new HP 17T does not allow that in the BIOS at present.
I will check for a BIOS upgrade prior to installing 13.2 GA.

But, Thanks

On some BIOSes you have to setup a supervisor password first to be able to disable secure boot, AFAIK.

Hi
That’s a pain then, you should post that on the kernel devel lists then for sure! The GA (and updates) will be signed.