My assessment of secure-boot

It is now a little over two years since I first acquired a computer with UEFI support.  That was a Dell Inspiron 660.  It came with Windows 8 (since upgraded to Windows 8.1).  I have left secure-boot enabled for most of that time, “to keep Windows happy”.  In fact Windows does not complain at all if I disable secure-boot.

My second UEFI box is almost one year old.  I do not have Windows installed there.  It is a Lenovo ThinkServer TS140.  When I first purchased it, secure-boot did not work all that well so I left it off most of the time.  I did turn it on for some testing, but it required modifying the opensuse “shim” to get it to work.  The problem that I had with secure-boot is described here under the heading “Booting the Machine that supports only one signature with vendor provided Keys”.  After a BIOS update a few months ago, secure-boot now works quite well on the TS140, so recently I have been leaving it enabled most of the time.

Tumbleweed install, March 2015

As previously mentioned, I am doing an install every month.  This is mostly to test installing with the Tumbleweed DVD image.  You can think of it as early testing for opensuse 13.3.  So yesterday (March 12) was my install day for this month.

Downloading

I normally expect downloading to be unremarkable.  I usually don’t have problems.  I didn’t have problems with this download either, but it was surprisingly slow.

Browsing to the downloads site, I copied the download link.  I then used:

wget download-link.sha256
aria2c -V -R download-link

I have substituted “download-link” for the actual link, since that changes every time, so the actual link isn’t very useful for posting here.

Clock setup with dual booting

It’s that time of year, when we change to daylight savings time in the USA.  Other parts of the northern hemisphere will change soon.  And folk in the southern hemisphere will be changing back to standard time.

The best way to handle this is to set your computer clock (BIOS clock, CMOS clock) to UTC (coordinated universal time).  Now that WinXP has been retired, the current Windows systems all support UTC with suitable registry entries.

I last posted on this several years ago.

As an administrator, create a new registry entry (assuming that one does not already exist):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\RealTimeIsUniversal

Set that entry to be a dword, with value 1.

Encrypted disk without a separate “/boot”

When support for legacy grub (or grub1) was dropped for opensuse 13.2, one of the reasons was to make it easier to support encryption without a separate unencrypted “/boot” partition.  Recent releases of grub2 have some support for accessing encrypted file systems, so it was mostly a matter of adding support to the installer.

I decided to test how that works.  So I did a test install of opensuse 13.2 into an encrypted LVM, without a separate “/boot”.  The Yast installer was happy with that.  It did not complain that there was no “/boot”.  So I continued through the full install.

There were no install errors reported.  But it didn’t work.  Instead, while booting, I got a grub shell.  And the grub shell did not offer any commands related to crypto.

My February install

As previously mentioned, I am periodically doing a throwaway install of Tumbleweed to test the installer.  This one went smoothly, so this will be a short post.

Downloading

I downloaded the DVD installer for snapshot 20150201.  Apparently, just about everything was recompiled, so a simple update of my existing system would have downloaded almost as much as the DVD image.  As usual, I used “aria2c” to download.  And that went at about my usual speed (it takes a little under an hour for the download).  Again, as usual, I wrote the downloaded iso image to a USB flash drive and used that for the install.  I downloaded on Feb 03.

Legacy install on a UEFI box

In a recent post, I mentioned the issue of installing opensuse for legacy booting, even though the installer was booted using UEFI.  I suggested that it was possible.

I have since tested that, and it worked as expected.

Partitioning

In this case, I installed to an external drive, because my internal drives all used GPT partitioning.  And part of the issue was whether I could retain legacy partitioning.

If you want to try this, it is important that you create the partitions you want before you start the installer.  All of the evidence I have seen suggests that if you partition during the install, then the disk will be converted to GPT partitioning.  So partition first, install later.

I used an already partitioned 80G external drive.  It’s really an old IDE hard drive in an external enclosure.  It is partitioned with a 500M “/boot” (formatted “ext2”), and the rest of the disk in an encrypted LVM containing root, home and swap volumes.

Changes to “gpg”

After updating my Tumbleweed system last week, I noticed that something had changed with “gpg”.  Or, more explicitly, “gpg” was not working at all.  This was immediately noticeable, because I had configured “kdewallet” to use “gpg” for encryption.

Okay, that’s a bug.  It will presumably be fixed before opensuse 13.3 is released.  For now, I had to find out what was up and how to work around the problem.

What changed?

The specific Tumbleweed change was an update of gpg from version 2.1.0 to 2.1.1.  The major change was already there in 2.1.0, but I had not noticed it because everything that I was doing still worked.  The 2.1.1 update broke that.

The specific change was to remove support for old pgp2 keys.  These are the type of key introduced with pgp2 in the early 1990s.  They use RSA  (for the public key encryption) and the md5 digest algorithm for hashing.  These days, the md5 hash is considered too weak.

Goodbye, Synaptiks

Yesterday, snapshot 20150115 for opensuse Tumbleweed showed up.  So I updated my system.  While updating, I noticed that “synaptiks” was being removed.

That’s not a problem on that system, since it is a desktop so does not have a touchpad.  But I have been relying on “synaptiks” for several years on my laptop, so I investigated.

Checking the repos

After the update, I rebooted.  Then I opened Yast Software Management to see if synaptiks was still in the repo.  It was.  So I selected it for install.

A conflict resolution dialog popped up.  I was hoping for that, as it would tell me something about why “synaptiks” was removed.

Installing Tumbleweed, Jan 2015

I am planning to do a clean install of Tumbleweed every month.  This will usually be a throwaway install.  That is, I won’t be intending to keep the installed system.  Rather, I am trying out the installer and I will report any bugs that I might find.  I’m doing this because Tumbleweed is, in effect, a preview of the next mainline release (opensuse 13.3).

On this occasion, my install was to my laptop.  I actually installed to an external 80G hard drive connected to the laptop.

Quick summary

The quick summary is that install mostly went well.  I went with defaults for many options, so that the install resulted in the KDE desktop.  The main surprise was to notice that the default MTA (mail transfer agent) is now “exim” rather than “postfix”.

UEFI vs. Legacy booting; clearing some confusion

This post is prompted by a couple of cases where people were having problems:

  • An opensuse mailing list thread here and continued here;
  • an opensuse forum thread here.

In both cases, the user had a UEFI capable computer, but wanted to install opensuse to use Legacy booting (also called MBR booting).  In both cases, they already had an installed Windows system that used legacy booting.  They wanted to install opensuse for legacy booting for better compatibility.

I usually prefer to install for UEFI booting.  That’s a better way of booting.  But in this case, the users were right that they should install for Legacy booting.

In both of these cases, the user thought that he had configured the BIOS to use legacy booting.  However, in both cases, the opensuse install media was booted using UEFI.  And that is where things became confused.
