Tumbleweed, kernels and UEFI

I am running openSUSE Tumbleweed on my UEFI box. Yesterday, there was a kernel update. After the update, the box had several kernels:

  • 3.7.10-1.1-1 ## from installing 12.3
  • 3.8.8-3.1 ## from a Tumbleweed update
  • 3.8.9-5.1 ## also a TW update
  • 3.9.0-6.1 ## from the latest TW update

I’m not sure why there are so many kernels. I had thought that there would be only two. But, I have the disk space, so no problem.

UEFI

What does this have to do with UEFI? Just this. With my UEFI box set for secure boot, I can only boot the 3.7.10 kernel. For the others, I get a message “invalid signature”.

That makes it a good thing that the 3.7.10 kernel was retained.

I can boot the other kernels, and I have done so. But I must disable secure-boot in the UEFI firmware (or BIOS) for that to be possible.

Personally, I’m inclined to think that secure-boot is worthless. Its main purpose seems to be to secure Microsoft profits. So I don’t mind turning it off. But I mostly keep secure-boot enabled for testing how things work with secure boot.

I’m not sure why the Tumbleweed kernels show up with invalid signatures. My best guess is that getting them signed with the openSUSE key requires some sort of approval, which would slow down the Tumbleweed updating. So it may be unavoidable that these kernels are unsigned.

Kernel 3.7.10-1.4.1

Recently, standard 12.3 (non-Tumbleweed) had a kernel update to 3.7.10-1.4.1. The Tumbleweed update procedure (using “zypper dup”) did not install this, presumably because the 3.9.0-6.1 kernel has a higher version number. So I decided to install that for myself. My reason for this is that the 3.7.10 kernels are signed and can be booted in secure-boot mode. So I should at least have the newest of those available.

To update, I started YaST software management, and searched for “kernel”. Then I clicked on the “versions” button. There, I could select to install 3.7.10-1.4.1, and to uninstall 3.7.10-1.1.1. The uninstall required clicking in the entry twice. The first click flags it for reinstall, and the second click flags it for removal.

I did the same with “kernel-devel”, “kernel-desktop-devel”, “kernel-default-devel”, “kernel-zen-devel” and “kernel-syms”. These latter changes were mostly for consistency.

If you are using a UEFI box, and sometimes use secure-boot, you might want to consider making similar changes. If you do not use secure-boot at all, then it is probably not worth the effort.

So I don’t use Tumbleweed, but YaST is configured by default in openSUSE 12.3 to keep three kernels installed in the same version. So perhaps the original installed 3.7 version is kept and then (3) 3.8 kernel versions is what you get. To look at or set these parameters, edit the config file as follows:

In KDE do Alt-F2: kdesu kwrite /etc/zypp/zypp.conf

OR

In Gnome do Alt-F2: gnomesu gedit /etc/zypp/zypp.conf 

Find the lines that start with multiversion = & multiversion.kernels =:

multiversion = provides:multiversion(kernel)
multiversion.kernels = latest,latest-1,running

The first line says to keep multiversion kernels installed (don’t remove older kernels installed by YaST) and the second says to keep three versions so you can drop back one or two versions if you need to. These settings only affect kernels loaded by YaST, that is, you did not compile and install your own kernel outside of using YaST. To stop these actions you can put a remark # in front of the line and save the file. Line two would not do anything unless line one is not remarked out and they work together to form the default action used in openSUSE 12.3.

Thank You,
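
As an added illustration (not part of the original posts and not zypper's own code), the Python sketch below models how the multiversion.kernels list quoted above selects which installed kernels are retained, using the kernel versions listed in the first post as constructed input. The function names and the simplified numeric version comparison are assumptions, and the oldest/oldest+N keywords go beyond the latest,latest-1,running default shown here.

```python
import re

# Constructed sample: the two zypp.conf lines quoted in the post, plus a comment line.
SAMPLE_CONF = """\
# multiversion.kernels = oldest
multiversion = provides:multiversion(kernel)
multiversion.kernels = latest,latest-1,running
"""

# Constructed input: the kernel versions listed in the first post.
INSTALLED = ["3.7.10-1.1-1", "3.8.8-3.1", "3.8.9-5.1", "3.9.0-6.1"]

def parse_conf(text):
    """Return the uncommented 'key = value' settings as a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def version_key(version):
    """Assumption: order by numeric fields only, not the full RPM comparison rules."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def kernels_to_keep(settings, installed, running):
    """Apply the multiversion.kernels spec; None means line one is remarked out."""
    if "multiversion" not in settings:
        return None  # line two has no effect without line one
    ordered = sorted(installed, key=version_key)
    keep = set()
    for token in settings.get("multiversion.kernels", "").split(","):
        token = token.strip()
        latest = re.fullmatch(r"latest(?:-(\d+))?", token)
        oldest = re.fullmatch(r"oldest(?:\+(\d+))?", token)
        if token == "running":
            keep.add(running)
        elif latest or oldest:
            offset = int((latest or oldest).group(1) or 0)
            idx = len(ordered) - 1 - offset if latest else offset
            if 0 <= idx < len(ordered):
                keep.add(ordered[idx])
        elif token in installed:
            keep.add(token)  # an explicit version string
    return sorted(keep, key=version_key)

if __name__ == "__main__":
    print(kernels_to_keep(parse_conf(SAMPLE_CONF), INSTALLED, "3.9.0-6.1"))
```

Under this model, with 3.9.0-6.1 running the retained set is 3.8.9-5.1 and 3.9.0-6.1, so the 3.7.10 kernel falls outside it unless it is the running kernel or is named explicitly in the list.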