Bug 1182641 - Install an openSUSE kmp key package in appropriate pattern
Status: IN_PROGRESS
Classification: openSUSE
Product: openSUSE Distribution
Component: Installation
Leap 15.3
Other Other
P5 - None : Normal
Assigned To: Lubos Kocman
Jiri Srain
Reported: 2021-02-24 06:41 UTC by Joey Lee
Modified: 2021-06-01 07:30 UTC

Description Joey Lee 2021-02-24 06:41:54 UTC
After the Leap-SLE closing gap project, openSUSE Leap will use the kernel binary from SLE, which means that all kernel modules (.ko) in KMPs must be signed by SLE kernel. Otherwise the .ko file cannot be loaded by the kernel when secure boot is enabled.

Some KMPs from the SLE repo do not have this concern. But there are still some KMPs (or RPMs) in the Leap repo on OBS whose kernel modules (.ko) are signed by the openSUSE key, e.g. virtual-box. This means that the user should enroll the openSUSE key to MOK manually before using OBS-Leap KMPs.

After a discussion on opensuse-kernel@opensuse.org, currently the best idea is to install an opensuse-leap-kmp-key RPM in an appropriate pattern.
The RPM will enroll the openSUSE Leap key to MOK.

On the other hand, in the latest step of YaST installation, YaST should guide the user on what the user will see after the system's first reboot. It should tell the user that a mok-manager UI will show up after reboot, and that the user can follow the mok-manager UI to enroll the openSUSE key to MOK.
Comment 1 Joey Lee 2021-02-24 07:36:43 UTC
I think that we need an openSUSE Jira. But I cannot select the 'openSUSE' product/project in the list on my Jira. I still created this bug.
Comment 2 Ancor Gonzalez Sosa 2021-02-26 11:35:05 UTC
(In reply to Joey Lee from comment #1)
> I think that we need an openSUSE Jira. But I cannot select the 'openSUSE'
> product/project in the list on my Jira. I still created this bug.

Assigning to Lubos. I think he is the right person to move this forward.
Comment 3 Joey Lee 2021-04-08 05:23:41 UTC
I have created an opensuse-signkey-cert package and submitted a request to Base:System:

https://build.opensuse.org/request/show/883721

This package will package the certificate of the openSUSE signkey from OBS and call mokutil to help the user enroll/remove the signkey from MOK.
Comment 4 Joey Lee 2021-04-19 05:33:15 UTC
(In reply to Joey Lee from comment #3)
> I have created an opensuse-signkey-cert package and submitted a request to
> Base:System:
> 
> https://build.opensuse.org/request/show/883721
> 
> This package will package the certificate of the openSUSE signkey from OBS and
> call mokutil to help the user enroll/remove the signkey from MOK.

I have sent the v2 openSUSE-signkey-cert package to Base:System:

https://build.opensuse.org/request/show/886524

It fixed the install/update/delete problem with maintaining MOK, and it also uses the start date of the certificate as the package version.
Comment 5 Joey Lee 2021-05-06 08:10:13 UTC
The openSUSE kmp signkey RPM has been merged to Factory:

https://build.opensuse.org/package/show/openSUSE:Factory/openSUSE-signkey-cert

This RPM will be auto-updated when the openSUSE signkey is updated. Users can install this RPM to grab the openSUSE signkey for openSUSE's KMP.
Comment 6 Takashi Iwai 2021-05-06 08:55:06 UTC
Can this package be automatically installed via pattern or such?
Or would it be rather annoying for non-secureboot users?
Comment 7 Joey Lee 2021-05-06 09:18:26 UTC
(In reply to Takashi Iwai from comment #6)
> Can this package be automatically installed via pattern or such?
> Or would it be rather annoying for non-secureboot users?

Max Lin is working on adding this package to the pattern for Leap 15.3.
Comment 8 Max Lin 2021-05-10 08:19:50 UTC
I've added Recommends: openSUSE-signkey-cert to the base pattern and Suggests: openSUSE-signkey-cert to the release package just in case the user doesn't install the base pattern, and also managed it into the media's packagelist. These changes will not be published until we have a new and reviewed Leap build.
Comment 9 Lubos Kocman 2021-06-01 07:30:12 UTC
The Release notes text is here https://github.com/openSUSE/release-notes-openSUSE/pull/110/files

Feel free to suggest any changes. We'll get it merged around noon.
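
The check that comment 3 describes in words (is the signing certificate already in MOK, and if not, hand it to mokutil), as an added example that is not part of this bug thread and is not the openSUSE-signkey-cert package's own scriptlet. It assumes the certificate is a DER file passed as the first argument and that `mokutil --list-enrolled` and `mokutil --list-new` print one `SHA1 Fingerprint:` line per key; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether a module-signing certificate needs MOK enrollment.
# Function names are hypothetical; the certificate path comes from the caller.

# True when firmware reports Secure Boot as enabled.
# Non-EFI systems and "SecureBoot disabled" both count as not enabled.
sb_enabled() {
    mokutil --sb-state 2>/dev/null | grep -q '^SecureBoot enabled'
}

# SHA1 fingerprint of a DER certificate, e.g. "AB:CD:...".
cert_fpr() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Prints one of:
#   not-needed  Secure Boot is off, module signatures are not enforced by it
#   enrolled    certificate is already in the MOK list
#   pending     enrollment is staged and waits for MokManager at next boot
#   missing     certificate is neither enrolled nor staged
mok_status() {
    cert=$1
    sb_enabled || { echo not-needed; return 0; }
    fpr=$(cert_fpr "$cert")
    [ -n "$fpr" ] || return 2          # unreadable or non-DER certificate
    if mokutil --list-enrolled | grep -qiF "SHA1 Fingerprint: $fpr"; then
        echo enrolled
    elif mokutil --list-new | grep -qiF "SHA1 Fingerprint: $fpr"; then
        echo pending
    else
        echo missing
    fi
}

# Stage enrollment only when it is actually missing. mokutil asks for a
# one-time password that MokManager requests again on the next boot.
ensure_mok() {
    case $(mok_status "$1") in
        missing) mokutil --import "$1" ;;
    esac
}

# Stand-alone use: ./check-mok.sh /path/to/cert.der   (path is a placeholder)
if [ $# -gt 0 ]; then
    mok_status "$1"
fi
```

The `pending` state matters for package scriptlets: without it, every update before the next reboot would stage the same request again.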