Uefi Signing

chrisgidden · October 11, 2022, 3:52pm

Trying to install and activate Oracle Virtual Box, which needs to sined and enrolled onto the computer.
https://en.opensuse.org/openSUSE:Build_Service_Signer
Shows means with requirement for

the obs-signd
package from the openSUSE:Tools repository - a gpg2
package with the files-are-digests.patch applied - **
openSUSE:Tools repository is nor available and therefore the website is out of date
Likewise
https://www.declarecode.com/code-solutions/shell/if-your-system-is-using-efi-secure-boot-you-may-need-to-sign-the-kernel-modules-vboxdrv-vboxnetflt-vboxnetadp-vboxpci-before-you-can-load-them
cd /root/module-signing
chmod 700 /root/module-signing/sign-vbox-modules
./sign-vbox-modules
module-signing does not exist.
Please advise what procedure and resourses and location of mthem with links
If this is in the wrong section please repost in the correct section
Your assistance is most appreciated
Chris Gidden

mrmazda · October 11, 2022, 8:08pm

I couldn’t find any URI on Build_Service_Signer to the openSUSE:Tools repo, but wherever it is most likely it does need an update to http://download.opensuse.org/repositories/openSUSE:/Tools/15.4/. For 15.3 is was http://download.opensuse.org/repositories/openSUSE:/Tools/openSUSE_15.3/. Most openSUSE_15.3 repos were changed to simply 15.4.

chrisgidden · October 11, 2022, 8:12pm

[QUOTE=chrisgidden;3165487]Trying to install and activate Oracle Virtual Box, which needs to sined and enrolled onto the computer.
https://en.opensuse.org/openSUSE:Build_Service_Signer
Shows means with requirement for

the obs-signd
package from the openSUSE:Tools repository - a gpg2
package with the files-are-digests.patch applied - **
openSUSE:Tools repository is nor available and therefore the website is out of date
Likewise
https://www.declarecode.com/code-solutions/shell/if-your-system-is-using-efi-secure-boot-you-may-need-to-sign-the-kernel-modules-vboxdrv-vboxnetflt-vboxnetadp-vboxpci-before-you-can-load-them
cd /root/module-signing
chmod 700 /root/module-signing/sign-vbox-modules
./sign-vbox-modules
module-signing does not exist.
Please advise what procedure and resourses and location of mthem with links
If this is in the wrong section please repost in the correct section
Your assistance is most appreciated
Chris Gidden

chrisgidden · October 11, 2022, 8:14pm

I have searched most of OpenSuSE and drawn a blank hence the posting

larryr · October 11, 2022, 8:23pm

The openSUSE virtualbox is signed - when installed you have to reboot and allow the update of signed packages at boot.

search mokutil on this site for how to do it.

dcurtisfra · October 12, 2022, 12:07pm


 > rpm --query --whatprovides /etc/uefi/certs/1F673297-kmp.crt
openSUSE-signkey-cert-20220613-lp154.2.3.1.x86_64
 >

Provided that, you have something resembling a US-English Keyboard and, your root password doesn’t have characters which do not match to the US-English Keyboard keys on your Keyboard, when you install the package “openSUSE-signkey-cert” and reboot, a “Blue Screen” should appear before the openSUSE Splash appears –

Enter your Root password and enroll the presented Key and then, select, in the “Blue Screen”, “reboot”.

If you’re not using an US-English environment then, you may have to do it all manually via “mokutil” with simple passwords using characters where your Keyboard’s keys match to the US-English Keyboard layout.

After the reboot has completed, you should have a Key in the “MokListRT” with the Subject “CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de”.

And, the systemd Journal entries for the boot should have entries as follows:


    0.863363] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
    0.863608] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f'
    0.863609] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
    0.863628] kernel: integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: fd9f2c12e599d67cc7f9067541adf426b712469e'
    0.863629] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
    0.864233] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: 3d4d40cf938539024b1cfc5a12dedfe8b17e755f'
 .
 .
 .
    9.338881] vboxdrv.sh[1005]: vboxdrv.sh: Starting VirtualBox services.
    9.341012] vboxdrv.sh[1093]: Starting VirtualBox services.
    9.393208] kernel: vboxdrv: loading out-of-tree module taints kernel.
    9.400510] kernel: vboxdrv: Found 8 processor cores
    9.400989] systemd-udevd[639]: vboxdrv: /usr/lib/udev/rules.d/60-vboxdrv.rules:1 Only network interfaces can be renamed, ignoring NAME="vboxdrv".
    9.401607] systemd-udevd[657]: vboxdrvu: /usr/lib/udev/rules.d/60-vboxdrv.rules:2 Only network interfaces can be renamed, ignoring NAME="vboxdrvu".
    9.423214] kernel: vboxdrv: TSC mode is Invariant, tentative frequency 3693261096 Hz
    9.423218] kernel: vboxdrv: Successfully loaded version 6.1.36_SUSE r152435 (interface 0x00320000)
    9.641889] kernel: VBoxNetFlt: Successfully started.
    9.660807] systemd-udevd[639]: vboxnetctl: /usr/lib/udev/rules.d/60-vboxdrv.rules:3 Only network interfaces can be renamed, ignoring NAME="vboxnetctl".
    9.660604] kernel: VBoxNetAdp: Successfully started.
    9.669672] vboxdrv.sh[1106]: VirtualBox services started.
    9.671019] systemd[1]: Started VirtualBox Linux kernel module.
    9.673566] systemd[1]: Starting vboxautostart-service.service...
    9.680525] vboxautostart-service.sh[1107]: vboxautostart-service.sh: Starting VirtualBox VMs configured for autostart.
    9.681690] vboxautostart-service.sh[1110]: Starting VirtualBox VMs configured for autostart.
    9.686947] systemd[1]: Started vboxautostart-service.service.

[HR][/HR]If the MokUtil “Blue Screen” doesn’t appear at reboot – due to Monitor “wake up” issues, you’ll have to repeat the manual “mokutil” steps and power off and then power on to have the MokUtil “Blue Screen” appear after the UEFI/BIOS splash …

chrisgidden · October 13, 2022, 9:50am

Well done “dcurtisfra” that nailed the problem. Went to LA CA now back in London UK. ;).
One now wonders where we go to get machines to work irrespective of location.
Put this on my todo list to get responsible organizations to make this work irrespective of locale
Thanks Again.
Chris