Bugzilla – Bug 1182641
Install a openSUSE kmp key package in appropriate pattern
Last modified: 2021-06-01 07:30:12 UTC
After the Leap-SLE closing gap project, openSUSE Leap will use the kernel binary from SLE, which means that all kernel modules (.ko) in KMPs must be signed by the SLE kernel. Otherwise the .ko file cannot be loaded by the kernel when secure boot is enabled. Some KMPs from the SLE repo do not have this concern. But there are still some KMPs (or RPMs) in the Leap repo on OBS whose kernel modules (.ko) are signed by the openSUSE key, e.g. virtual-box. This means that the user should enroll the openSUSE key to MOK manually before using OBS-Leap KMPs.

After a discussion on opensuse-kernel@opensuse.org, currently the best idea is to install an opensuse-leap-kmp-key RPM in an appropriate pattern. The RPM will enroll the openSUSE Leap key to MOK.

On the other hand, in the last step of the YaST installation, YaST should tell the user what they will see after the system's first reboot. It should tell the user that a mok-manager UI will show up after reboot, and that the user can follow the mok-manager UI to enroll the openSUSE key to MOK.
I think that we need an openSUSE Jira. But I cannot select the 'openSUSE' product/project in the list on my Jira. I still created this bug.
(In reply to Joey Lee from comment #1)
> I think that we need an openSUSE Jira. But I cannot select the 'openSUSE'
> product/project in the list on my Jira. I still created this bug.

Assigning to Lubos. I think he is the right person to move this forward.
I have created an opensuse-signkey-cert package and submitted a request to Base:System:

https://build.opensuse.org/request/show/883721

This package will package the certificate of the openSUSE signkey from OBS and call mokutil to help the user enroll/remove the signkey from MOK.
(In reply to Joey Lee from comment #3)
> I have created an opensuse-signkey-cert package and submitted a request to
> Base:System:
>
> https://build.opensuse.org/request/show/883721
>
> This package will package the certificate of the openSUSE signkey from OBS and
> call mokutil to help the user enroll/remove the signkey from MOK.

I have sent the v2 openSUSE-signkey-cert package to Base:System:

https://build.opensuse.org/request/show/886524

It fixed the install/update/delete problem with maintaining MOK, and it also uses the start date of the certificate as the package version.
The openSUSE kmp signkey RPM has been merged to Factory:

https://build.opensuse.org/package/show/openSUSE:Factory/openSUSE-signkey-cert

This RPM will be auto-updated when the openSUSE signkey is updated. Users can install this RPM to grab the openSUSE signkey for openSUSE's KMP.
Can this package be automatically installed via pattern or such? Or would it be rather annoying for non-secureboot users?
(In reply to Takashi Iwai from comment #6)
> Can this package be automatically installed via pattern or such?
> Or would it be rather annoying for non-secureboot users?

Max Lin is working on adding this package to the pattern for Leap 15.3.
I've added Recommends: openSUSE-signkey-cert to the base pattern and Suggests: openSUSE-signkey-cert to the release package, just in case the user doesn't install the base pattern, and also added it to the media's packagelist. These changes will not be published until we have a new and reviewed Leap build.
The release notes text is here:

https://github.com/openSUSE/release-notes-openSUSE/pull/110/files

Feel free to suggest any changes. We'll get it merged around noon.