openSUSE Tumbleweed needs to fix Secure Boot
After my recent rant about Enterprise Linux, the company where I work became a SUSE Linux partner. Therefore, I’m giving Enterprise Linux another go. After initially looking at SUSE Linux Enterprise Desktop (SLED), I decided to go with SUSE’s rolling offering, Tumbleweed.
A state-of-the-art desktop
The openSUSE Tumbleweed sales pitch sounds exactly like what I value in a Linux distribution:
With Tumbleweed you don’t have to take difficult decisions about things you value, either freedom or safety, either control or security, technology or stability – Tumbleweed lets you have your cake and eat it too!
Specifically, company requirements include Secure Boot support and a Mandatory Access Control (MAC) system for any GNU/Linux-based system that is to be installed on company equipment or interact with company resources.
Anyhow, there are a lot of upsides to running Tumbleweed, but this post is about a glaring deficiency that I am honestly dumbfounded is still unresolved.
Disable Secure Boot to install firmware updates
Unfortunately, openSUSE Tumbleweed users currently need to disable Secure Boot to be able to install firmware updates provided by fwupd. The issue revolves around a seemingly stuck process with getting a new UEFI shim loader reviewed and signed. And to make it worse, the signing request was raised 8 months ago and it’s still pending. I understand that this is an important and complicated process, but regardless, it does make for some interesting reading. Request for review: Shim 15.7 for openSUSE Tumbleweed.
I’m not saying unpaid volunteers need to work harder, but SUSE Linux, the company, should be able to throw some money and resources at this problem. In my opinion, it does reflect rather poorly on the company and its product.
I’m eagerly awaiting a fix :)
Update August 2024:
A new signed Shim for openSUSE Tumbleweed has been rolled out. Disappointing that the issue was pending for more than a year before it got sorted.