Multibooting in Secure Boot mode - Linux Mint vmlinuz invalid signature

My system has Windows 8.1 installed by default. I installed Linux Mint and openSUSE later. The problem is that if I use the openSUSE bootloader, it is able to load Windows but not Linux Mint; the error is "vmlinuz not signed". And when I use the Linux Mint bootloader (actually it uses the Ubuntu bootloader), it is able to load

I have the same problem as https://forums.opensuse.org/showthread.php/495681-Grub2-Invalid-signature-error-when-multi-booting
The solutions suggested were:

  1. Of course I can do that, but I want to break my head with secure-boot first.
  2. I saw a method at https://en.opensuse.org/openSUSE:UEFI to enroll a key with MokManager.efi:
     • reboot
     • in the grub menu press the ‘c’ key
     • type (assuming the ESP is ‘gpt1’ on ‘hd0’):
         chainloader (hd0,gpt1)/EFI/opensuse/MokManager.efi
         boot
     • select “Enroll key from disk”
     • navigate to the cert.der file and press enter

     I obtained the canonical-uefi-ca.der certificate from rEFInd, but it did not work.
  3. I don’t want to use the Linux Mint bootloader as it also has problems.
  4. Haven’t tried the 4th method yet.

Earlier I was able to boot to Linux Mint from the F12 boot menu, but I restored my laptop firmware/UEFI to its defaults and now I’m not able to find the Linux Mint option in the F12 boot menu.

Can someone post documentation for MokManager.efi?
Is it wrong to source the certificate from rEFInd, or should I make a Linux Mint/Ubuntu key from https://wiki.ubuntu.com/SecurityTeam/SecureBoot?
I’m going in the correct path.

Sure, neither the BIOS nor openSUSE knows the key used to sign the other distribution.

And when I use linuxmint bootloader (actually it uses ubuntu bootloader)

I obtained canonical-uefi-ca.der certificate

Are you sure it is the key that is actually used to sign kernels for EFI? The “CA” suffix makes me a bit suspicious that it is not.

Earlier I was able to boot to Linux Mint from the F12 boot menu, but I restored my laptop firmware/UEFI to its defaults and now I’m not able to find the Linux Mint option in the F12 boot menu.

I have all reasons to believe that reinstalling the bootloader in Mint should put it back.

should I make a Linux Mint/Ubuntu key from https://wiki.ubuntu.com/SecurityTeam/SecureBoot

You should not make a key; you should use the key that is referenced on this page. If I follow it right, the keys are located at http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/files/head:/notes_testing/secure-boot/keys/ and the name canonical-signing-public.der looks promising. But you are really better off asking on an Ubuntu or Mint support list where to find the EFI signing keys.

I imported a key when running opensuse 12.3. It worked about as expected.

I tried again with 13.1 Tumbleweed, and that did not work. I finished up using “mokutil” (which I had to install).

I don’t remember the full details. My rough recollection is that I put the key in the EFI partition. I used mokutil to tell it to load that key. And then I booted to MokManager and was able to complete the key import.

Related: At present I do have Mint on one of my boxes (as a second linux system). I installed it as Mint 17, and yesterday I upgraded that to Mint 17.1 (I think). I also installed Ubuntu 14.04, but have long since removed that.

What I found was that opensuse could not secure-boot Ubuntu (and presumably not Mint). This was expected, because the Ubuntu kernel was not signed with an opensuse key.

I also discovered that Ubuntu-14.04 could boot opensuse. It turned out that the Ubuntu shim.efi was not verifying kernel signatures, which is why that worked. The opensuse shim.efi is verifying kernel signatures, so it doesn’t work the other way.

My choice was to turn off secure-boot, and use the opensuse installed grub2-efi for booting everything.

My personal opinion is that secure-boot doesn’t do anything useful anyway, so turning it off is the easy solution.

(added note): there’s an earlier thread where I gave more details of importing that key for Tumbleweed. I don’t happen to remember the thread, but it is probably in the Tumbleweed (and other) forum.

My system has some junk keys of canonical-uefi-ca.der and some others, and I want to delete them.

akash:~ # mokutil --list-enrolled
[key 1]
  [SHA256]
  ea7ae2eda2200d0f0e1d2def24d3df768cfef5f93a33ca3ec489d9ce3f291d0a

[key 2]
  [SHA256]
  a964d253b7c829f1d99cac801183896e8307513cb2dab914eb948128394d03ca

[key 3]
  [SHA256]
  d5bc11fb619bfced64249b930c785ead5fca3927f0ce3c5efd3f1d9af04b37bf

[key 4]
  [SHA256]
  a964d253b7c829f1d99cac801183896e8307513cb2dab914eb948128394d03ca

[key 5]
  [SHA256]
  1b6b5c18d7baf9e94dc937092f33bb047026747aabce0f3505bfd11d1c062a94

[key 6]
  [SHA256]
  1b6b5c18d7baf9e94dc937092f33bb047026747aabce0f3505bfd11d1c062a94

[key 7]
  [SHA256]
  3c736406d0519632ff6fe82694a06455eef9674d7df9a0efb5e5eb8d4af05253

[key 8]
  [SHA256]
  8d1b74227cb2ee6b23b829595b761baa34d171337f70d44abf542d5318bdba08

[key 9]
  [SHA256]
  ae8b2a05eee456f853b3c0645f9f3ace6c0e11ddcbdf86dbf22692d699063b8c

[key 10]
  [SHA256]
  7f0153b9d2050d161ec582abc2d7ed95bd904544cda1c6dbab587de20d3f66d1

[key 11]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13348991040521802343 (0xb94124a0182c9267)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Validity
            Not Before: Apr 12 11:12:51 2012 GMT
            Not After : Apr 11 11:12:51 2042 GMT
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    .
                    .
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
            X509v3 Authority Key Identifier: 
                keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://www.canonical.com/secure-boot-master-ca.crl

    Signature Algorithm: sha256WithRSAEncryption
         .
         .
         .

[key 12]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13348991040521802343 (0xb94124a0182c9267)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Validity
            Not Before: Apr 12 11:12:51 2012 GMT
            Not After : Apr 11 11:12:51 2042 GMT
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    .
                    .
                    .
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
            X509v3 Authority Key Identifier: 
                keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://www.canonical.com/secure-boot-master-ca.crl

    Signature Algorithm: sha256WithRSAEncryption
         .
         .
         .

[key 13]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13348991040521802343 (0xb94124a0182c9267)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Validity
            Not Before: Apr 12 11:12:51 2012 GMT
            Not After : Apr 11 11:12:51 2042 GMT
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    .
                    .

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
            X509v3 Authority Key Identifier: 
                keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://www.canonical.com/secure-boot-master-ca.crl

    Signature Algorithm: sha256WithRSAEncryption
         .
         .
         .

[key 14]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13348991040521802343 (0xb94124a0182c9267)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Validity
            Not Before: Apr 12 11:12:51 2012 GMT
            Not After : Apr 11 11:12:51 2042 GMT
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    .
                    .

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
            X509v3 Authority Key Identifier: 
                keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://www.canonical.com/secure-boot-master-ca.crl

    Signature Algorithm: sha256WithRSAEncryption
         .
         .

[key 15]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13348991040521802343 (0xb94124a0182c9267)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Validity
            Not Before: Apr 12 11:12:51 2012 GMT
            Not After : Apr 11 11:12:51 2042 GMT
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    .
                    .

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
            X509v3 Authority Key Identifier: 
                keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://www.canonical.com/secure-boot-master-ca.crl

    Signature Algorithm: sha256WithRSAEncryption
         .
         .

[key 16]
SHA1 Fingerprint: 46:59:83:8c:82:03:fe:15:52:ad:19:e1:86:09:db:21:7e:3a:d2:4f
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
        Validity
            Not Before: Aug 26 16:12:07 2013 GMT
            Not After : Jul 22 16:12:07 2035 GMT
        Subject: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    .
                    .
                    .

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                68:42:60:0D:E2:2C:4C:47:7E:95:BE:23:DF:EA:95:13:E5:97:17:62
            X509v3 Authority Key Identifier: 
                keyid:68:42:60:0D:E2:2C:4C:47:7E:95:BE:23:DF:EA:95:13:E5:97:17:62
                DirName:/CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org
                serial:01

            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         .
         .

I tried to delete them but couldn’t succeed:

akash:~ # mokutil -D 15
MokDel is empty
akash:~ # mokutil -d 15
Failed to get file status, 15

I’ve no idea what [key 1] - [key 10] are, so I won’t delete them, but [key 11] - [key 15] are junk for sure.

The man page indicates that you need to give the der file for the key to delete it.

I checked on my two systems. On my Dell box, I have three enrolled keys. Two seem to be from opensuse, and one was a key from an opensuse developer that I added to test a version of “shim”. I did not retain the “.der” file for that, so I cannot remove it.

On my Lenovo box, I have only opensuse keys listed as enrolled. This is a bit odd, because I did have ubuntu 14.04 installed on this box. So I guess the canonical keys were all cleared out when I did a recent BIOS update. I do remember the update outputting a message about reformatting NVRAM.

My Lenovo box has a BIOS option to reset NVRAM to factory settings. I guess I could use that to delete keys I did not want, and opensuse would reinstall its own from “shim.efi” on my next boot.

My Dell box has a BIOS option to clear NVRAM. But I don’t know if that retains the Microsoft key and Dell key and only deletes enrolled keys, or does it delete everything. So I hesitate to try it.
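An added example, not code from this thread or from mokutil, that addresses two points raised above: the long `mokutil --list-enrolled` listing with repeated entries, and the later note that deleting an entry requires handing mokutil the matching .der file (the `-d 15` attempt failed because `-d` expects a file path, not an index). The script parses the listing format exactly as quoted in the thread, reports entries that share a hash or SHA1 fingerprint, flags which certificates are CAs (Basic Constraints CA:TRUE, the "CA" suffix concern from the first reply), and computes the SHA1 fingerprint of a .der file so you can tell whether the file you still have is the one enrolled. It assumes what the thread shows: hash entries carry a `[SHA256]` line, certificate entries carry a `SHA1 Fingerprint:` line, and that fingerprint is SHA1 over the DER bytes (as openssl prints it). `SAMPLE` is constructed from the quoted output and reuses its fingerprints; all function names are my own.

```python
# Added example (not from the thread): parse mokutil's enrolled-key listing,
# spot duplicate entries and CA certificates, and match a .der file against it.
# SAMPLE is constructed from the listing shape quoted in the thread.
import hashlib
import re
from collections import defaultdict

SAMPLE = """\
[key 1]
  [SHA256]
  ea7ae2eda2200d0f0e1d2def24d3df768cfef5f93a33ca3ec489d9ce3f291d0a

[key 2]
  [SHA256]
  a964d253b7c829f1d99cac801183896e8307513cb2dab914eb948128394d03ca

[key 3]
  [SHA256]
  a964d253b7c829f1d99cac801183896e8307513cb2dab914eb948128394d03ca

[key 4]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
Certificate:
    Data:
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE

[key 5]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
Certificate:
    Data:
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE

[key 6]
SHA1 Fingerprint: 46:59:83:8c:82:03:fe:15:52:ad:19:e1:86:09:db:21:7e:3a:d2:4f
Certificate:
    Data:
        Subject: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
"""

ENTRY_RE = re.compile(r"^\[key (\d+)\][ \t]*$", re.M)
SHA256_RE = re.compile(r"^[ \t]*([0-9a-f]{64})[ \t]*$", re.M)
SHA1_RE = re.compile(r"SHA1 Fingerprint:[ \t]*([0-9a-fA-F:]{59})")
SUBJECT_RE = re.compile(r"^[ \t]*Subject:[ \t]*(.+?)[ \t]*$", re.M)


def parse_mok_list(text):
    """One dict per entry: num, kind ('hash' or 'cert'), id (SHA256 hex for a
    hash entry, colon-separated SHA1 for a cert), subject, and ca flag."""
    parts = ENTRY_RE.split(text)  # [preamble, num, body, num, body, ...]
    entries = []
    for i in range(1, len(parts), 2):
        num, body = int(parts[i]), parts[i + 1]
        if "[SHA256]" in body:
            entries.append({"num": num, "kind": "hash", "subject": None,
                            "id": SHA256_RE.search(body).group(1), "ca": False})
        else:
            subj = SUBJECT_RE.search(body)
            entries.append({"num": num, "kind": "cert",
                            "id": SHA1_RE.search(body).group(1).lower(),
                            "subject": subj.group(1) if subj else None,
                            "ca": "CA:TRUE" in body})
    return entries


def find_duplicates(entries):
    """(kind, id) -> entry numbers, for ids that appear more than once."""
    seen = defaultdict(list)
    for e in entries:
        seen[(e["kind"], e["id"])].append(e["num"])
    return {k: v for k, v in seen.items() if len(v) > 1}


def ca_entries(entries):
    """Entry numbers that are CA certificates, i.e. broad trust anchors."""
    return [e["num"] for e in entries if e["ca"]]


def fingerprint_der(der_bytes):
    """SHA1 fingerprint in openssl/mokutil form: SHA1 over the raw DER bytes."""
    digest = hashlib.sha1(der_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def is_enrolled(fingerprint, entries):
    """True when a certificate with this fingerprint is in the listing."""
    return fingerprint.lower() in {e["id"] for e in entries if e["kind"] == "cert"}


if __name__ == "__main__":
    ents = parse_mok_list(SAMPLE)
    for (kind, ident), nums in find_duplicates(ents).items():
        print(f"duplicate {kind} {ident[:23]}... in entries {nums}")
    print("CA certificates:", ca_entries(ents))
    # Constructed stand-in for open('/path/to/cert.der', 'rb').read()
    blob = b"constructed bytes, not a real certificate"
    print("blob enrolled?", is_enrolled(fingerprint_der(blob), ents))
```

To use it on a real machine, feed the script the captured output of `mokutil --list-enrolled` instead of `SAMPLE` and the bytes of the .der you intend to pass to `mokutil --delete`; if `is_enrolled` is false for that file, it is not the certificate that was enrolled and the deletion request will not match anything. Duplicate CA entries add no trust beyond the first copy, but a CA entry itself means shim will accept anything signed under that authority, which is why the earlier reply questioned a "-ca" file as the kernel-signing key.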