Thread: Can I avoid secure boot policy violation message, but keep secure boot on?

  1. #1

    I recently installed the latest Tumbleweed KDE available from the download server, written to USB with the dd command. Booting both from USB and from the hard drive after installation usually drops me to the message shown below:

    ... when secure boot is on. I tried various ways to avoid it, ending by signing a bunch of EFI entries (explained here -> https://en.opensuse.org/openSUSE:UEFI).
    But nothing helped. However, there are many other methods I could have missed trying; I was primarily hoping for modded EFI files.

    Can I take care of this?

    To narrow down the search for solutions: the ISO file successfully passed sha256 checking, as well as GPG verification. The ways I tried to write the USB image: live-fat-stick (failed, boot stuck at the grub-minimal command line), dd, extracting the ISO to USB (Windows 10), Etcher (Windows 10), imageusb (also Windows 10).
    Oh, I forgot to mention, I'm dual-booting with Windows 10 with UEFI secure boot on.

  2. #2

    Check this page: openSUSE:UEFI

    Look for the section that begins: Booting the Machine that supports only one signature with vendor provided Keys

    That is the most likely explanation for your problem. The web page gives a workaround. If there is a BIOS update for your system, that might be a better solution.

    At one time, I had that problem on one of my computers (a Lenovo ThinkServer). I could fix it as described in the web page, but I found it easier to turn secure-boot off. The trouble with the suggested fix is that updates to the shim package will break that fix. And updates to grub will force a "shim-install" which also breaks the fix. Eventually, a suitable BIOS update became available, so I now leave secure-boot on.
    openSUSE Leap 15.3; KDE Plasma 5.18.6;

  3. #3

    Quote Originally Posted by nrickert
    Check this page: openSUSE:UEFI
    Sweet! Thank you very much! I could have missed that section; it was not really shown on the Russian localized page.
    After a reboot, a blue screen with a question about signing new kernel modules appeared, so I pressed 'yes' and the OS runs okay.

    Quote Originally Posted by nrickert
    If there is a BIOS update for your system, that might be a better solution.
    The latest BIOS update available for my machine is 3 months old, and it is doubtful the next one will bring something new to fix similar problems.
    Also, it was said that a shim update will undo the fix. How often does this happen (if the shim update is an automatic process), or is it user-dependent only?

  4. #4

    Quote Originally Posted by xt1zer
    How often does this happen (if the shim update is an automatic process), or is it user-dependent only?
    In Tumbleweed -- fairly often. In Leap, once in 6 months.

    However, even with Tumbleweed, it is usually an update of something related that causes this. Most of the time, it is still based on the original file "/usr/lib64/efi/shim-opensuse.efi". If you put your modified shim there (to replace that file), perhaps it will only happen every 6 months or so.

    If you decide to do that, I would rename the old file (perhaps "shim-opensuse.efi.original" or similar).
    openSUSE Leap 15.3; KDE Plasma 5.18.6;
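
A check that goes with the two replies above (the "supports only one signature" diagnosis, and the warning that shim updates undo the fix), added here as an example and not written by anyone in this thread: it counts the signature entries in an EFI binary's certificate table, so after an update you can see whether the shim you boot carries more than one again. It assumes the workaround leaves shim with a single signature, as the wiki section title suggests; `build_sample` makes constructed test data, not a real shim, and the paths you pass are your own.

```python
import struct
import sys

def count_pe_signatures(data: bytes) -> int:
    """Count WIN_CERTIFICATE entries in a PE/COFF (EFI) image's certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = pe_off + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ data directory start
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    # Directory index 4 is the certificate table; its first field is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8) if ndirs > 4 else (0, 0)
    end = cert_off + cert_size
    if cert_size == 0:
        return 0
    if end > len(data):
        raise ValueError("certificate table runs past end of file")
    count, pos = 0, cert_off
    while pos + 8 <= end:
        (length,) = struct.unpack_from("<I", data, pos)  # dwLength includes the 8-byte header
        if length < 8 or pos + length > end:
            raise ValueError("malformed certificate entry")
        count += 1
        pos += (length + 7) & ~7  # entries are aligned to 8 bytes
    return count

def build_sample(n_sigs: int) -> bytes:
    """Constructed minimal PE32+ header with n_sigs dummy entries (test data, not a real shim)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)     # e_lfanew: offset of the PE signature
    hdr[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", hdr, opt, 0x20B)     # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)  # NumberOfRvaAndSizes
    entry = struct.pack("<IHH", 12, 0x0200, 0x0002) + b"\0" * 8  # 12-byte entry padded to 16
    struct.pack_into("<II", hdr, opt + 112 + 4 * 8, len(hdr), 16 * n_sigs)
    return bytes(hdr) + entry * n_sigs

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the shim copy your firmware actually boots
        with open(path, "rb") as f:
            print(path, count_pe_signatures(f.read()), "signature(s)")
```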

  5. #5

    Quote Originally Posted by nrickert
    In Tumbleweed -- fairly often. In Leap, once in 6 months.
    Oh, before reading your response, I just noticed shim appeared in the software update process, so this must be the thing. Still, thanks for the help!
