Unsigned Kernels

I have recently installed leap 42.3 on an Acer laptop (ES1-523) and the default kernel does not work correctly with the QCA9733 wifi. Thus I need to use a more recent kernel, namely 4.12.5 from repo: download.opensuse.org/repositories/Kernel:/stable/standard/x86_64/

After telling the EFI to trust the LEAP 42.3 secure boot key, and some fiddling with the BIOS to put grub before Windows EFI boot, I did get opensuse working properly with secure boot. I used zypper to download kernel 4.12.5 and install it. Using secure boot the kernel is unsigned and not loaded, presumably by shim of grub. I would happily go back to the stock 4.4 kernel if there is a fix for the QCA9733 driver.

Are all the updated/developer kernels unsigned? (The LEAP42.3 kernel was signed.) What is the normal way to get the new kernel signed so I can use secure boot again?

Thank You.

Update kernels are signed, developer kernels are not signed with Leap key. Kernel:stable is not an update for Leap but independent project offering latest kernels.

They are signed with a different key.

I don’t know where to find the signing key (the publickey component). If you could find that, then add it with MokManager, and you will be set.

The other option is to create your own signing key, and add that to MokManager. Then you can sign the kernels yourself.

Or just leave secure-boot disabled.

On the very first page of project or directly https://build.opensuse.org/projects/Kernel:stable/public_key/key_dialog or using

bor@bor-Latitude-E5450:~$ osc signkey --sslcert Kernel:stable
Kernel:stable has no key, trying Kernel


The direct link gives me a 404 (page not found). But we can at least try the cert that you included.

And a note to the OP:

Copy the part between the BEGIN and END lines (including those lines) into a file with name something.pem – I suggest “obs.pem”.

Then convert to DER format with:

openssl x509 -inform pem -outform der -in obs.pem -out obs.der

Copy that “obs.der” file to your EFI partition. It’s easiest to find at the top, so copy to “/boot/efi/.”

Use “mokutil” to add the certificate. Check the man pages for “mokutil”. It should actually be added by MokManager when you next boot.
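
The conversion and enrollment steps from the post above, as an added example (not written by anyone in this thread). It converts the certificate, checks that the DER copy is the same certificate, and prints the fingerprint to compare with the one shown on the project page before enrolling. The function names and the script layout are assumptions; the file names follow the post.

```shell
#!/bin/sh
# Added example: stage a PEM certificate for MOK enrollment.
# Function names are illustrative; obs.pem / obs.der follow the post above.

# Convert PEM to DER. Fails if the input is not a parseable X.509 certificate.
pem_to_der() {
    openssl x509 -inform pem -outform der -in "$1" -out "$2"
}

# Print the SHA-1 fingerprint of a certificate. $1 = file, $2 = pem|der
cert_fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# Convert, confirm the DER copy is the same certificate, and show what
# would be trusted. The last line of output is the SHA-1 fingerprint.
stage_mok_cert() {
    pem=$1
    der=$2
    pem_to_der "$pem" "$der" || return 1
    [ "$(cert_fingerprint "$pem" pem)" = "$(cert_fingerprint "$der" der)" ] || return 1
    openssl x509 -inform der -in "$der" -noout -subject -issuer -enddate
    cert_fingerprint "$der" der
}

# Usage: sh stage-mok.sh obs.pem [obs.der]
if [ "$#" -ge 1 ]; then
    out=${2:-obs.der}
    stage_mok_cert "$1" "$out" || { echo "not a valid certificate: $1" >&2; exit 1; }
    # Enrollment is left as a manual step so the fingerprint is checked first:
    # every binary signed with an enrolled key will be allowed to boot.
    echo "If the fingerprint matches the one published by the project, run as root:"
    echo "  mokutil --import $out    # asks for a one-time password used by MokManager"
    echo "  mokutil --list-new       # confirm the request is queued for next boot"
    echo "After rebooting and enrolling in MokManager:"
    echo "  mokutil --test-key $out  # reports whether the key is enrolled"
    echo "  mokutil --sb-state       # reports whether Secure Boot is enabled"
fi
```
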

Indeed. But the same link from the project page (Show Kernel:stable - openSUSE Build Service) works. Funny, maybe referral is missing or some scripting magic.

Yes, that’s it. NB, Tumbleweed boots OK with secure boot on my machine, thus it appears to use the same sig as LEAP 42.3

There is no security value in blessing some downloaded binary with my own sig. I don’t know what’s in it.

IMO Secure Boot is security theater. If a bad actor can modify the boot chain they already own the machine. The best that secure boot can do is brick the system.

Yes, that’s true, but baddies do need physical access to the machine. It’s really Windows that benefits from secure boot. I do dual boot so I’d prefer it to be on.

The purpose of using a development kernel was to get my wifi (QCA9733) going in LEAP42.3. How can I find out if the fixed ath10k driver has been backported to the stock 4.4.xx kernel?