Bug 808108

Summary: Enable Secure Boot is not enabled by default when in secure boot mode
Product: [openSUSE] openSUSE 12.3
Reporter: Ludwig Nussel <lnussel>
Component: Release Notes
Assignee: Karl Eichwalder <ke>
Status: RESOLVED FIXED
QA Contact: Stephan Kulow <coolo>
Severity: Normal
Priority: P5 - None
CC: aplanas, suse-beta
Version: RC 2
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 808614

Description Ludwig Nussel 2013-03-07 16:25:06 UTC
+++ This bug was initially created as a clone of Bug #807839 +++

This only affects machines in UEFI mode with secure boot enabled.
YaST does not automatically detect if the machine has secure boot enabled and will therefore install an unsigned bootloader by default, which will not be accepted by the firmware. To have a signed bootloader installed, the option "Enable Secure" boot has to be manually checked.
Comment 1 Karl Eichwalder 2013-03-11 12:44:40 UTC
Thanks, fixed in SVN:

3.4. Crypted LVM in UEFI Mode Needs /boot Partition

This only affects installations in UEFI mode.

In the partitioning proposal when checking the option to use LVM (which is
required for full disk encryption) YaST does not create a separate /boot
partition. That means kernel and initrd end up in the (potentially encrypted)
LVM container, inaccessible to the boot loader. To get full disk encryption
when using UEFI, partitioning has to be done manually.
Comment 2 Karl Eichwalder 2013-03-11 12:46:14 UTC
Grrhhh.  c&p error.  This one:

3.3. Enable Secure Boot in YaST Not Enabled by Default When in Secure Boot Mode

This only affects machines in UEFI mode with secure boot enabled.

YaST does not automatically detect if the machine has secure boot enabled and
will therefore install an unsigned bootloader by default. But the unsigned
bootloader will not be accepted by the firmware. To have a signed bootloader
installed the option "Enable Secure" boot has to be manually enabled.
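
Since the installer does not detect the firmware state itself, the state can be checked by hand before installing. The following is an added example, not part of the bug report or of YaST: it reads the UEFI SecureBoot variable through Linux efivarfs. The function names, the state strings and the sample bytes in the comment are assumptions made for this illustration.

```python
import struct
import sys
from pathlib import Path

# EFI global variable GUID from the UEFI specification; efivarfs names
# each file <VariableName>-<GUID>.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032c8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point


def parse_efivar_u8(raw: bytes) -> int:
    """Decode a one-byte variable as exposed by efivarfs.

    efivarfs prefixes the data with a 4-byte little-endian attributes
    word, so SecureBoot is 5 bytes in total, e.g. (constructed sample)
    06 00 00 00 01 for "attributes 0x6, value 1".
    """
    if len(raw) != 5:
        raise ValueError(f"expected 5 bytes (attributes + u8), got {len(raw)}")
    _attributes, value = struct.unpack("<IB", raw)
    return value


def secure_boot_state(root: Path = EFIVARS) -> str:
    """Return 'not-uefi', 'unsupported', 'disabled' or 'enabled'."""
    if not root.is_dir():
        return "not-uefi"      # legacy BIOS boot, or efivarfs not mounted
    var = root / f"SecureBoot-{EFI_GLOBAL_GUID}"
    try:
        value = parse_efivar_u8(var.read_bytes())
    except FileNotFoundError:
        return "unsupported"   # UEFI firmware without the SecureBoot variable
    return "enabled" if value == 1 else "disabled"


if __name__ == "__main__":
    state = secure_boot_state()
    print(f"Secure Boot: {state}")
    if state == "enabled":
        print("Firmware will reject an unsigned bootloader; "
              "install the signed one.")
    sys.exit(0)
```
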
Comment 3 Swamp Workflow Management 2013-03-13 19:05:03 UTC
openSUSE-RU-2013:0449-1: An update that has 7 recommended fixes can now be installed.

Category: recommended (important)
Bug References: 804773,808104,808108,808111,808116,808595,808614
CVE References: 
Sources used:
openSUSE 12.3 (src):    release-notes-openSUSE-12.3.6-1.6.1
Comment 4 Christian Boltz 2013-03-13 22:49:00 UTC
(In reply to comment #2)
> installed the option "Enable Secure" boot has to be manually enabled.

Just curious - shouldn't this be ... "Enable Secure boot" has ... (move the quotation mark around)?
Comment 5 Karl Eichwalder 2013-03-14 07:16:45 UTC
Yes, it is fixed in the meantime--typo reported separately: https://bugzilla.novell.com/show_bug.cgi?id=809141