I am running openSUSE Tumbleweed on my UEFI box. Yesterday, there was a kernel update. After the update, the box had several kernels:
- 3.7.10-1.1-1 ## from installing 12.3
- 3.8.8-3.1 ## from a Tumbleweed update
- 3.8.9-5.1 ## also a TW update
- 3.9.0-6.1 ## from the latest TW update
I’m not sure why there are so many kernels. I had thought that there would be only two. But, I have the disk space, so no problem.
What does this have to do with UEFI? Just this. With my UEFI box set for secure boot, I can only boot the 3.7.10 kernel. For the others, I get a message “invalid signature”.
That makes it a good thing that the 3.7.10 kernel was retained.
I can boot the other kernels, and I have done so. But I must disable secure-boot in the UEFI firmware (or BIOS) for that to be possible.
Personally, I’m inclined to think that secure-boot is worthless. Its main purpose seems to be to secure Microsoft profits. So I don’t mind turning it off. But I mostly keep secure-boot enabled for testing how things work with secure boot.
I’m not sure why the Tumbleweed kernels show up with invalid signatures. My best guess is that getting them signed with the openSUSE key requires some sort of approval, which would slow down the Tumbleweed updating. So it may be unavoidable that these kernels are unsigned.
Recently, standard 12.3 (non-Tumbleweed) had a kernel update to 3.7.10-1.4.1. The Tumbleweed update procedure (using “zypper dup”) did not install this, presumably because the 3.9.0-6.1 kernel has a higher version number. So I decided to install that for myself. My reason for this is that the 3.7.10 kernels are signed and can be booted in secure-boot mode. So I should at least have the newest of those available.
To update, I started YaST software management, and searched for “kernel”. Then I clicked on the “versions” button. There, I could select to install 3.7.10-1.4.1, and to uninstall 3.7.10-1.1.1. The uninstall required clicking in the entry twice. The first click flags it for reinstall, and the second click flags it for removal.
I did the same with “kernel-devel”, “kernel-desktop-devel”, “kernel-default-devel”, “kernel-zen-devel” and “kernel-syms”. These latter changes were mostly for consistency.
If you are using a UEFI box, and sometimes use secure-boot, you might want to consider making similar changes. If you do not use secure-boot at all, then it is probably not worth the effort.
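The post guesses that the Tumbleweed kernels are unsigned. The following is an added example, not part of the original post: it reads the PE/COFF header of an EFI-bootable kernel image and reports whether an Authenticode certificate table is embedded at all. The function names, the constructed sample image and the `/boot/vmlinuz-*` path in the usage comment are assumptions made for illustration.

```python
import struct

SECURITY_DIR = 4  # data-directory index of the Authenticode certificate table

def pe_signature_size(image: bytes) -> int:
    """Return the size of the embedded certificate table, or 0 if unsigned.
    Raises ValueError if the bytes are not a well-formed PE/EFI image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE/EFI image (no MZ header)")
    try:
        (pe_off,) = struct.unpack_from("<I", image, 0x3C)
        if image[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("PE header not found")
        opt = pe_off + 4 + 20                  # skip PE magic and COFF header
        (magic,) = struct.unpack_from("<H", image, opt)
        if magic not in (0x10B, 0x20B):        # PE32 / PE32+
            raise ValueError("unknown optional-header magic")
        dirs = opt + (96 if magic == 0x10B else 112)
        (count,) = struct.unpack_from("<I", image, dirs - 4)
        if count <= SECURITY_DIR:
            return 0
        offset, size = struct.unpack_from("<II", image, dirs + 8 * SECURITY_DIR)
    except struct.error:
        raise ValueError("truncated PE header")
    if offset == 0 or size == 0:
        return 0
    if offset + size > len(image):
        raise ValueError("certificate table points past end of file")
    return size

def sample_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a real kernel."""
    pe_off = 0x40
    opt = pe_off + 24
    hdr = bytearray(opt + 112 + 16 * 8)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, opt, 0x20B)
    struct.pack_into("<I", hdr, opt + 108, 16)   # NumberOfRvaAndSizes
    blob = b"\0" * 64 if signed else b""          # placeholder, not a real signature
    if signed:
        struct.pack_into("<II", hdr, opt + 112 + 8 * SECURITY_DIR, len(hdr), len(blob))
    return bytes(hdr) + blob

if __name__ == "__main__":                        # e.g. python3 check.py /boot/vmlinuz-*
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            n = pe_signature_size(f.read())
        print(path, f"signature table: {n} bytes" if n else "UNSIGNED")
```

A non-zero result only shows that a signature is embedded; the firmware or shim still rejects the image if it was signed with a key that is not enrolled, which would produce the same “invalid signature” message.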