Bug 808108 - Enable Secure Boot is not enabled by default when in secure boot mode
Summary: Enable Secure Boot is not enabled by default when in secure boot mode
Status: RESOLVED FIXED
Alias: None
Product: openSUSE 12.3
Classification: openSUSE
Component: Release Notes
Version: RC 2
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Karl Eichwalder
QA Contact: Stephan Kulow
Blocks: 808614
Reported: 2013-03-07 16:25 UTC by Ludwig Nussel
Modified: 2013-03-14 07:16 UTC
Description Ludwig Nussel 2013-03-07 16:25:06 UTC
+++ This bug was initially created as a clone of Bug #807839 +++

This only affects machines in UEFI mode with secure boot enabled.
YaST does not automatically detect if the machine has secure boot enabled and will therefore install an unsigned bootloader by default which will not be accepted by the firmware. To have a signed bootloader installed the option "Enable Secure" boot has to be manually checked.
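
A check of the kind the description says is missing, as an added example (not YaST's code and not part of the original report): it reads the UEFI `SecureBoot` and `SetupMode` variables through Linux sysfs to decide whether a signed bootloader is required. The function names and the state labels are assumptions of this example; both the efivarfs layout and the older sysfs `vars` layout are handled.

```python
import os

# GUID of the EFI global variable namespace (UEFI specification).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_efi_byte(efi_dir, name):
    """Return the first data byte of an EFI global variable, or None."""
    var = f"{name}-{EFI_GLOBAL}"
    # efivarfs: file content is a 4-byte attribute word followed by the data.
    # Legacy sysfs "vars" interface: the "data" file holds the data only.
    candidates = [
        (os.path.join(efi_dir, "efivars", var), 4),
        (os.path.join(efi_dir, "vars", var, "data"), 0),
    ]
    for path, offset in candidates:
        try:
            with open(path, "rb") as fh:
                raw = fh.read()
        except OSError:
            continue
        if len(raw) > offset:
            return raw[offset]
    return None


def secure_boot_state(efi_dir="/sys/firmware/efi"):
    """Classify the firmware state (labels are this example's own)."""
    if not os.path.isdir(efi_dir):
        return "bios"        # not booted through UEFI
    secure = read_efi_byte(efi_dir, "SecureBoot")
    if secure is None:
        return "unknown"     # UEFI, but the variable is absent or unreadable
    if read_efi_byte(efi_dir, "SetupMode") == 1:
        return "setup"       # no platform key enrolled, signatures not enforced
    return "enabled" if secure == 1 else "disabled"


def needs_signed_bootloader(efi_dir="/sys/firmware/efi"):
    """True when the firmware will reject an unsigned bootloader."""
    return secure_boot_state(efi_dir) == "enabled"


if __name__ == "__main__":
    print(secure_boot_state())
```
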
Comment 1 Karl Eichwalder 2013-03-11 12:44:40 UTC
Thanks, fixed in SVN:

3.4. Crypted LVM in UEFI Mode Needs /boot Partition

This only affects installations in UEFI mode.

In the partitioning proposal when checking the option to use LVM (which is
required for full disk encryption) YaST does not create a separate /boot
partition. That means kernel and initrd end up in the (potentially encrypted)
LVM container, inaccessible to the boot loader. To get full disk encryption
when using UEFI, partitioning has to be done manually.
Comment 2 Karl Eichwalder 2013-03-11 12:46:14 UTC
Grrhhh.  c&p error.  This one:

3.3. Enable Secure Boot in YaST Not Enabled by Default When in Secure Boot Mode

This only affects machines in UEFI mode with secure boot enabled.

YaST does not automatically detect if the machine has secure boot enabled and
will therefore install an unsigned bootloader by default. But the unsigned
bootloader will not be accepted by the firmware. To have a signed bootloader
installed the option "Enable Secure" boot has to be manually enabled.
Comment 3 Swamp Workflow Management 2013-03-13 19:05:03 UTC
openSUSE-RU-2013:0449-1: An update that has 7 recommended fixes can now be installed.

Category: recommended (important)
Bug References: 804773,808104,808108,808111,808116,808595,808614
CVE References: 
Sources used:
openSUSE 12.3 (src):    release-notes-openSUSE-12.3.6-1.6.1
Comment 4 Christian Boltz 2013-03-13 22:49:00 UTC
(In reply to comment #2)
> installed the option "Enable Secure" boot has to be manually enabled.

Just curious - shouldn't this be ... "Enable Secure boot" has ... (move the quotation mark around)?
Comment 5 Karl Eichwalder 2013-03-14 07:16:45 UTC
Yes, it is fixed in the meantime--typo reported separately: https://bugzilla.novell.com/show_bug.cgi?id=809141