Unsigned Kernels

I have recently installed leap 42.3 on an Acer laptop (ES1-523) and the default kernel does not work correctly with the QCA9733 wifi. Thus I need to use a more recent kernel, namely 4.12.5 from repo: download.opensuse.org/repositories/Kernel:/stable/standard/x86_64/

After telling the EFI to trust the LEAP 42.3 secure boot key, and some fiddling with the BIOS to put grub before the Windows EFI boot, I did get opensuse working properly with secure boot. I used zypper to download kernel 4.12.5 and install it. Using secure boot the kernel is unsigned and not loaded, presumably by shim or grub. I would happily go back to the stock 4.4 kernel if there is a fix for the QCA9733 driver.

MY QUESTION:
Are all the updated/developer kernels unsigned? (The LEAP42.3 kernel was signed.) What is the normal way to get the new kernel signed so I can use secure boot again?

Thank You.

Update kernels are signed; developer kernels are not signed with the Leap key. Kernel:stable is not an update for Leap but an independent project offering the latest kernels.

They are signed with a different key.

I don’t know where to find the signing key (the public key component). If you could find that, then add it with MokManager, and you will be set.

The other option is to create your own signing key, and add that to MokManager. Then you can sign the kernels yourself.

Or just leave secure-boot disabled.

On the very first page of the project, or directly at https://build.opensuse.org/projects/Kernel:stable/public_key/key_dialog, or using:

bor@bor-Latitude-E5450:~$ osc signkey --sslcert Kernel:stable
Kernel:stable has no key, trying Kernel
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
bor@bor-Latitude-E5450:~$ 

Thanks.

The direct link gives me a 404 (page not found). But we can at least try the cert that you included.

And a note to the OP:

Copy the part between the BEGIN and END lines (including those lines) into a file with name something.pem – I suggest “obs.pem”.

Then convert to DER format with:

openssl x509 -inform pem -outform der -in obs.pem -out obs.der

Copy that “obs.der” file to your EFI partition. It’s easiest to find at the top, so copy to “/boot/efi/.”

Use “mokutil” to add the certificate. Check the man pages for “mokutil”. It should actually be added by MokManager when you next boot.
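As an added example (not code from the thread or from the openSUSE project), here is the procedure above as a small POSIX shell script: cut the PEM block out of the pasted osc output, sanity-check that it is a code-signing certificate and show whose key it is, convert it to DER, hand it to mokutil, and later confirm that the new kernel is actually signed by it. It assumes openssl, mokutil and sbverify (from sbsigntools) are installed; every file name is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl, mokutil and
# sbverify are installed; all file names are placeholders.

# Keep only the lines from BEGIN to END CERTIFICATE, dropping the shell prompt
# and the "has no key" line that surround them in the pasted osc output.
extract_pem() {  # $1 = captured text, $2 = output .pem
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" > "$2"
    # Succeed only if both markers are present with a body between them
    # (a missing END marker would make sed copy the trailing prompt too).
    [ "$(head -n 1 "$2")" = "-----BEGIN CERTIFICATE-----" ] &&
    [ "$(tail -n 1 "$2")" = "-----END CERTIFICATE-----" ] &&
    [ "$(wc -l < "$2" | tr -d ' ')" -gt 2 ]
}

# A kernel-signing certificate carries the Code Signing extended key usage;
# enrolling anything else only widens what shim trusts for no benefit.
is_code_signing_cert() {  # $1 = .pem
    openssl x509 -in "$1" -noout -text | grep -q 'Code Signing'
}

# The thread's conversion step: MokManager and mokutil want DER, not PEM.
pem_to_der() {  # $1 = .pem, $2 = .der
    openssl x509 -inform pem -outform der -in "$1" -out "$2"
}

enroll_key() {  # $1 = captured osc output, $2 = work dir
    extract_pem "$1" "$2/obs.pem" || { echo "no certificate block found" >&2; return 1; }
    is_code_signing_cert "$2/obs.pem" || { echo "not a code-signing certificate" >&2; return 1; }
    # Show exactly whose key is about to be trusted before touching the MOK list.
    openssl x509 -in "$2/obs.pem" -noout -subject -dates -fingerprint -sha256
    pem_to_der "$2/obs.pem" "$2/obs.der"
    mokutil --sb-state
    mokutil --import "$2/obs.der"   # asks for a one-time password; MokManager confirms at next boot
}

# After the reboot: confirm the new kernel really carries a signature that
# chains to the enrolled certificate, so shim will accept it.
kernel_signed_by() {  # $1 = .pem, $2 = /boot/vmlinuz-<version> (placeholder)
    sbverify --cert "$1" "$2"
}

if [ "$#" -eq 2 ]; then
    enroll_key "$1" "$2"
fi
```

Run it as `sh enroll.sh capture.txt /tmp/mok` where capture.txt is the pasted osc output; after the reboot, `kernel_signed_by /tmp/mok/obs.pem /boot/vmlinuz-<version>` tells you whether shim will load that kernel.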

Indeed. But the same link from the project page (Show Kernel:stable - openSUSE Build Service) works. Funny, maybe a referral is missing or some scripting magic.

Yes, that’s it. NB, Tumbleweed boots OK with secure boot on my machine, thus it appears to use the same sig as LEAP 42.3.

There is no security value in blessing some downloaded binary with my own sig. I don’t know what’s in it.

IMO Secure Boot is security theater. If a bad actor can modify the boot chain they already own the machine. The best that secure boot can do is brick the system.

Yes, that’s true, but baddies do need physical access to the machine. It’s really Windows that benefits from secure boot. I do dual boot so I’d prefer it to be on.

The purpose of using a development kernel was to get my wifi (QCA9733) going in LEAP42.3. How can I find out if the fixed ath10k driver has been back ported to the stock 4.4.xx kernel?