Hello, guys. I need your help because I’ve migrated my work laptop from Tumbleweed to Leap 15.6 and now I cannot run Virtualbox machines because its drivers/modules seem to be unsigned for Secure Boot: Virtualbox works flawlessly in Leap with Secure Boot switched off but I’ve never had to switch it off with Tumbleweed and I need Secure Boot active. What could be the reason for not signing VBox modules in Leap when they’re signed in TW? Is this the normal behaviour of Virtualbox in Leap or is it a one-off problem?
I’m using Virtualbox from official repos (currently, 7.0.18_SUSE r162988) but I’ve tried Oracle’s repo with the same result (maybe that’s not strange being a third-party repo). I leave a screenshot of the error window to be sure I’m not misreading it (although VBox works with SB off, so I think there’s little space for misunderstanding).
I enrolled a SUSE key that was available in the blue mok screen, and now I have 2 SUSE keys in mok:
key 1 with fingerprint: “bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8”,
key 2 with fingerprint “76:b6:a6:a0:b2:2b:cc:b1:3f:46:5f:7c:48:9e:79:39:fd:e0:9e:83”.
S | Name | Type | Version | Arch | Repository
---+------------------------+---------+-----------------------------------+--------+----------------------
i+ | virtualbox | paquete | 7.0.18-lp156.1.6 | x86_64 | repo-oss (15.6)
i+ | virtualbox | paquete | 7.0.18-lp156.1.6 | x86_64 | Repositorio principal
i+ | virtualbox-host-source | paquete | 7.0.18-lp156.1.6 | noarch | repo-oss (15.6)
i+ | virtualbox-host-source | paquete | 7.0.18-lp156.1.6 | noarch | Repositorio principal
i | virtualbox-kmp-default | paquete | 7.0.18_k6.4.0_150600.21-lp156.1.4 | x86_64 | repo-oss (15.6)
i | virtualbox-kmp-default | paquete | 7.0.18_k6.4.0_150600.21-lp156.1.4 | x86_64 | Repositorio principal
i | virtualbox-qt | paquete | 7.0.18-lp156.1.6 | x86_64 | repo-oss (15.6)
i | virtualbox-qt | paquete | 7.0.18-lp156.1.6 | x86_64 | Repositorio principal
I’m sorry that maybe “migrated” was a confusing term: I formatted the whole disk and performed a clean Leap installation; no data reused.
This is the SUSE certificate SUSE Linux Enterprise Secure Boot CA.
I do not know what it is. On Leap 15.6 I see the certificate openSUSE Secure Boot Signkey with 1F:67:32:97:DA:56:8A:E0:DE:DF:DB:7C:8C:C6:8F:9E:CB:85:72:75 fingerprint.
My 2nd key has the same issuer and subject, the only difference is its validity from 1 March 2023 to 28 September 2033. I post a “mokutil list-enrolled”:
[key 1]
SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
Validity
Not Before: Apr 18 14:33:41 2013 GMT
Not After : Mar 14 14:33:41 2035 GMT
Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
EC:AB:0D:42:C4:56:CF:77:04:36:B9:73:99:38:62:96:5E:87:26:2F
X509v3 Authority Key Identifier:
keyid:EC:AB:0D:42:C4:56:CF:77:04:36:B9:73:99:38:62:96:5E:87:26:2F
DirName:/CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
serial:01
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
[key 2]
SHA1 Fingerprint: 76:b6:a6:a0:b2:2b:cc:b1:3f:46:5f:7c:48:9e:79:39:fd:e0:9e:83
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ca:fc:b5:d7:5e:c5:89:82
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
Validity
Not Before: Mar 1 13:56:59 2023 GMT
Not After : Sep 28 13:56:59 2033 GMT
Subject: CN=SUSE Linux Enterprise Secure Boot Signkey, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
A7:46:B6:4B:6C:B7:1F:13:38:56:38:05:5F:46:16:2B:AC:63:2A:CD
X509v3 Authority Key Identifier:
keyid:EC:AB:0D:42:C4:56:CF:77:04:36:B9:73:99:38:62:96:5E:87:26:2F
DirName:/CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
serial:01
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
Code Signing
Signature Algorithm: sha256WithRSAEncryption
total 12
-rw-r--r-- 1 root root 1177 may 28 09:04 1F673297-kmp.crt
-rw-r--r-- 1 root root 1288 oct 2 10:47 76B6A6A0.crt
-rw-r--r-- 1 root root 1257 abr 18 2024 BCA4E38E-shim.crt
That’s solved the issue!! Thank you very very much @arvidjaar
I guess the blue screen of the Mok Manager appeared on first reboot after Leap installation and I didn’t notice it because, coming from TW, I didn’t expect it to appear; I take good note.
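A check for the situation this thread ends on, added here as an example and not taken from any post: it compares the fingerprints printed by `mokutil --list-enrolled` with certificate file names like those in the listing above, assuming (as those three file names suggest) that each file is named after the first eight hex digits of its SHA1 fingerprint. The sample input is constructed from values quoted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report certificate files whose key is not enrolled in MOK.
# Assumption: a .crt file name starts with the first 8 hex digits of the
# certificate's SHA1 fingerprint (e.g. BCA4E38E-shim.crt for bc:a4:e3:8e:...).

# Constructed sample input: the two enrolled fingerprints and the three
# file names quoted in the thread.
SAMPLE_ENROLLED='[key 1]
SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
[key 2]
SHA1 Fingerprint: 76:b6:a6:a0:b2:2b:cc:b1:3f:46:5f:7c:48:9e:79:39:fd:e0:9e:83'
SAMPLE_CERT_FILES='1F673297-kmp.crt
76B6A6A0.crt
BCA4E38E-shim.crt'

# $1 = text of "mokutil --list-enrolled".
# Prints one 8-digit upper-case fingerprint prefix per enrolled key.
enrolled_prefixes() {
    printf '%s\n' "$1" |
        sed -n 's/^ *SHA1 Fingerprint: *//p' |
        tr -d ':' | tr 'a-f' 'A-F' | cut -c1-8
}

# $1 = text of "mokutil --list-enrolled", $2 = certificate file names,
# one per line. Prints every file name whose prefix is not enrolled.
missing_certs() {
    mc_enrolled=$(enrolled_prefixes "$1")
    while IFS= read -r mc_file; do
        [ -n "$mc_file" ] || continue
        # Keep only the part before the first "-" or ".", upper-cased.
        mc_prefix=$(printf '%s' "${mc_file%%[-.]*}" | tr 'a-f' 'A-F')
        printf '%s\n' "$mc_enrolled" | grep -qx "$mc_prefix" ||
            printf '%s\n' "$mc_file"
    done <<EOF
$2
EOF
}

# On a live system the arguments would be "$(mokutil --list-enrolled)" and a
# listing of the certificate directory; here the constructed sample is used.
missing_certs "$SAMPLE_ENROLLED" "$SAMPLE_CERT_FILES"
```

With the thread's values, the only file reported is the `-kmp` certificate, whose fingerprint prefix matches the openSUSE Secure Boot Signkey quoted earlier and is absent from the enrolled list.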