Where is SUSE shim certificate for secure boot?



robertyschen
13-Mar-2014, 06:52
Our x86_64 machine under development is using SLES (11sp3 and will use 12 once it's released).
The system is with UEFI Secure boot.

From SUSE Doc: Administration Guide, I learned


SUSE starts with shim—a small and simple EFI boot loader—which was originally developed by Fedora. It is signed by a certificate signed by the SUSE KEK and a Microsoft-issued certificate, based on which KEKs are available in the UEFI key database on the system.

(https://www.suse.com/documentation/sles11/book_sle_admin/data/sec_uefi_secboot.html)

We want to enroll SLES bootloader shim's certificate into our firmware key database so that SLES installation/booting can run with secure boot enabled.
Where can I find SUSE shim's certificate?
Thanks.

malcolmlewis
13-Mar-2014, 14:47
Hi
The der files should be down in ls /usr/lib64/efi/?

--
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.2 Kernel 3.11.10-7-desktop

robertyschen
14-Mar-2014, 11:55
Thanks, malcolmlewis.

I can also find the same certificate files (.der) in SLES_DVD/suse/x86_64/shim-xxxxx.x86_64.rpm
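
The check the two posts point to, as an added example that is not part of the thread: list the .der files under a directory, unpack a shim RPM, and confirm by SHA-256 that both sources carry the same certificates before anything is enrolled in the firmware key database. The function names are hypothetical; /usr/lib64/efi/ and the shim RPM come from the posts, and rpm2cpio, cpio, sha256sum and openssl are assumed to be installed.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Paths come from the thread.

# Print "<sha256>  <path>" for each *.der file under $1 that starts with the
# ASN.1 SEQUENCE tag (0x30). For a DER certificate, the SHA-256 of the file is
# the same value `openssl x509 -fingerprint -sha256` reports.
cert_inventory() {
    find "$1" -type f -name '*.der' | sort | while IFS= read -r f; do
        tag=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
        [ "$tag" = "30" ] || { echo "skip (not DER): $f" >&2; continue; }
        printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    done
}

# Unpack RPM $1 into directory $2 (needs rpm2cpio and cpio).
extract_rpm() {
    mkdir -p "$2" && rpm2cpio "$1" | ( cd "$2" && cpio -idm --quiet )
}

# Succeed only if both trees hold the same non-empty set of certificate digests.
same_cert_set() {
    a=$(cert_inventory "$1" 2>/dev/null | cut -d' ' -f1 | sort -u)
    b=$(cert_inventory "$2" 2>/dev/null | cut -d' ' -f1 | sort -u)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Subject, issuer, validity and fingerprint, for review before enrolling.
describe_cert() {
    openssl x509 -inform DER -in "$1" -noout -subject -issuer -dates \
        -fingerprint -sha256
}

# Usage: sh check-shim-certs.sh /usr/lib64/efi /path/to/shim-xxxxx.x86_64.rpm
if [ "$#" -eq 2 ]; then
    tmp=$(mktemp -d)
    extract_rpm "$2" "$tmp"
    cert_inventory "$1" | while read -r digest path; do describe_cert "$path"; done
    if same_cert_set "$1" "$tmp"; then
        echo "installed certificates match the RPM"
    else
        echo "MISMATCH between $1 and $2" >&2
    fi
    rm -rf "$tmp"
fi
```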