Another UEFI quirk

I have already mentioned this in my previous post, where I wrote:

I could not get secure boot to work on the ThinkServer. Or, perhaps it works, but openSUSE is broken. If I turn on secure boot, then I cannot boot openSUSE.

The problem appears to be a limitation in the firmware of the ThinkServer. My thanks to Gary Lin, from the SUSE team, who provided the insight needed to track the problem down. For full details of the discussion, see Bug 869786.

Apparently the openSUSE file “shim.efi”, used for secure boot, is digitally signed by both the Microsoft UEFI key and the openSUSE key used for secure boot. It turns out that the firmware on the ThinkServer does not support multiple signatures, so it does not recognize “shim.efi” as properly signed.

Gary Lin explained how I could remove the second signature.  With that done, I retested and secure-boot then worked.

I am guessing that there is probably other hardware out there with the same limitation.



About Neil Rickert

Retired mathematician and computer scientist who dabbles in cognitive science.
