As a rolling release distribution, openSUSE Tumbleweed receives continually updated software. A few days ago, Linux kernel 6.2.1 also arrived on users’ systems. However, the openSUSE team has configured it so that it only loads signed drivers when SecureBoot is activated. This lockdown, which was introduced largely without comment, immediately led to many problems.
Tumbleweed: kernel lockdown with side effects
The screen remained black on many systems with proprietary Nvidia graphics card drivers, and the kernel modules of the VMware Workstation virtualization solution also refused to work. In addition to these drivers, all self-written kernel modules are also affected. Furthermore, hibernation no longer works and writing to the model-specific registers (MSR) is blocked. Tools that undervolt processors, for example, rely on the latter.
However, reversing the lockdown is not a good option for security reasons: SecureBoot aims to ensure that no malicious code is started and, in particular, that a tampered operating system kernel is not started during the boot process. If openSUSE Tumbleweed still allowed unsigned drivers, attackers could use them to inject their own code and thus defeat SecureBoot. For this reason, many other large distributions have had the lockdown enabled for a long time. Incidentally, this also applies to the sister distribution openSUSE Leap, which is why the current problems with Tumbleweed are surprising.
For self-developed and proprietary drivers, there was initially a promising solution that was tried and tested on other distributions: after compiling the driver, you manually create your own certificate, which you then store in the BIOS as trustworthy. If you install Nvidia’s own driver from the corresponding community repository “nVidia Graphics Drivers”, you can even save yourself some of that work. A few days ago, the developers modified the packages there so that they automatically generate a certificate during installation. You only need to confirm it once as valid after restarting your computer. You could live with this still somewhat cumbersome procedure, if only it worked under openSUSE Tumbleweed. Kernel 6.2.1 currently only loads drivers signed directly by openSUSE.
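To see which loaded modules the lockdown described above affects, the following script reads the kernel lockdown state and lists loaded modules for which `modinfo` reports no signer. It is an added example, not code from openSUSE or the original article; the function names are illustrative, and a module that shows a signer here can still be refused if the kernel does not trust that key.

```shell
#!/bin/sh
# Added example: audit loaded kernel modules on a Secure Boot lockdown kernel.
# Function names are illustrative assumptions, not part of any openSUSE tool.

# Print the active mode from the content of /sys/kernel/security/lockdown,
# e.g. "none [integrity] confidentiality" -> "integrity".
active_lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Print the signer of a module; empty if it carries no signature or if
# modinfo cannot find the module file. Separate so it can be replaced.
signer_of() {
    modinfo -F signer "$1" 2>/dev/null
}

# Read /proc/modules-style lines on stdin (module name in the first field)
# and print the names of modules that have no signer.
unsigned_modules() {
    while read -r name _rest; do
        [ -n "$name" ] || continue
        if [ -z "$(signer_of "$name")" ]; then
            printf '%s\n' "$name"
        fi
    done
}

audit() {
    lockdown_file=/sys/kernel/security/lockdown
    if [ -r "$lockdown_file" ]; then
        mode=$(active_lockdown_mode "$(cat "$lockdown_file")")
        echo "kernel lockdown: ${mode:-unknown}"
    else
        echo "kernel lockdown: interface not available"
    fi
    # mokutil --sb-state reports whether the firmware has Secure Boot enabled.
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state
    fi
    echo "loaded modules without a signature:"
    unsigned_modules < /proc/modules | sed 's/^/  /'
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "audit" ]; then
    audit
fi
```

Run it as `sh lockdown-audit.sh audit` (the file name is arbitrary) before rebooting into a new kernel to find third-party modules that still need a signature.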
The only solution is to completely disable SecureBoot in the BIOS or to turn off kernel module checking with the “mokutil --disable-validation” command. However, in both cases, the system security function is turned off. On a dual boot system with Windows, the latter rightfully refuses to start after disabling SecureBoot. If you just want to bring your Nvidia graphics card back to life, you can open the file /usr/lib/modprobe.d/nvidia-default.conf and put a hash mark in front of the line inside it. This reactivates the free Nouveau driver, which still lacks many features of the proprietary driver.
Developers are currently discussing the issues surrounding the activated lockdown on the openSUSE Factory mailing list.
Current status of major Unix and Linux distributions: