Cannot boot with secureboot enabled after changing some system settings in BIOS

Hi.

I had UEFI + secure boot enabled. Everything worked Ok.
Then I wanted to change memory frequency. I’m using APU, i.e. memory shared between CPU and GPU.
I went to a BIOS and changed it. To perform memory test I loaded Memtest86 with openSUSE’s installer USB flash. To do so I needed to load openSUSE installer in CSM mode.
After test went Ok, I reverted settings to CSM = disable.
And now OS loads in text mode with secure boot enabled (BIOS parameter: OS UEFI type = Windows).

When I set BIOS parameter “OS UEFI type = Other” system loads in graphical mode successfully, but with secure boot disabled.

:~> dmesg | grep -i secur
    0.000000] secureboot: Secure boot disabled
...

To examine boot I changed BIOS setting back to “OS UEFI type = Windows” and modified kernel parameters: deleted “quiet” and “splash=silent”, and added “plymouth.enable=0”.
I got message:


[FAILED] Failed to start X Display Manager.
See 'systemctl status display-manager.service' for details.

After login I run this command and got:


:~> systemctl status display-manager.service
? display-manager.service - X Display Manager
   Loaded: loaded (/usr/lib/systemd/system/display-manager.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code)
   Process: (some #) ExecStart=/usr/lib/X11/display-manager start (code=exited, status=1/FAILURE)

How to fix this?
I.e. how to restore secure boot in graphical interface?

I have not run into anything like that.

What display manager do you use (SDDM, GDM, lightdm ?)

Are you using non-opensource drivers (such as Nvidia)? I think the modules for that do need to pass signature checks.

ILL after updating Mesa 3D and kernel secure boot is on:

:~> dmesg | grep -i secur    
    0.000000] **secur**eboot: **Secur**e boot enabled 
    0.000000] Kernel is locked down from EFI **Secur**e Boot mode; see man kernel_lockdown.7 
    0.004695] **secur**eboot: **Secur**e boot enabled 
    0.322436] LSM: **Secur**ity Framework initializing
...

I am using Mesa 3D open drivers + OpenCL part from amdgpu-pro.
ILL I get some blend of open + closed drivers. More at https://forums.opensuse.org/showthread.php/548518-Leap-TW-OpenCL-on-AMD-with-Mesa-3D-headless-amdgpu-pro?p=2998684#post2998684 .

If secure-boot is enabled, then signatures are checked on kernel modules. If you are using a module that isn’t part of the openSUSE distribution, then it either isn’t signed or it may be signed by a certificate that is not enrolled. Turning off secure-boot allows you to get past this.

If you have this problem, you can create your own key, enroll it, and use it to sign modules. Or turn off secure-boot. Or use

mokutil --disable-validation

to turn off some of the checking.