Can't boot Tumbleweed installer USB -- two problems

Everything was fine with my system (an old Tumbleweed install that had both Secure Boot and Trusted Boot selected when installed and maintained with daily zypper dup) until I updated Kubuntu to their latest version. (I have/had a multiboot system).

Suddenly, I couldn’t boot Tumbleweed, getting an error regarding revoked keys. I used “mokutil --set-sbat-policy delete” to clear things out. This didn’t really help.

I’ve uninstalled Kubuntu, deleted its partition and removed its UEFI directory. Still no progress.

In desperation, I erased Tumbleweed’s opensuse UEFI directory and regenerated it with grub2-install. This fully repopulated the opensuse UEFI directory, but things still didn’t work.

I decided to reinstall Tumbleweed with both TPM and Secure Boot enabled, as I had originally done a few years ago. However, I immediately ran into a problem. After clicking Install in the initial installer screen, I got the following:

Loading kernel …
Loading initial ramdisk …
error: …/…/grub-core/kern/mm.c:548:out of memory.

I searched and found a workaround for this by turning off my TPM. Not my first choice, but it got me past this problem.

Question #1: Does anyone know a way to get the installer to boot without turning off the TPM?

My next problem is an SBAT data failure. Trying to boot the USB install media results in:

Verifying shim SBAT data failed: Security Policy Violation
Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation

Turning off Secure Boot bypasses this problem, but is very much something I don’t want to do.

The resulting installation also won’t boot with Secure Boot on, even though Yast’s Boot Loader utility shows Secure Boot Support enabled. If Secure Boot is on, it generates the same SBAT data error.

Question #2: how can I fix things so that I can boot the USB Tumbleweed install media with Secure Boot turned on and get an installed system that will also boot with Secure Boot turned on? (With the ideal goal of getting things to work with TPM enabled, Secure Boot enabled and Trusted Boot enabled, as my system had originally been before everything decided to hit the rotating air moving device.)

My system is an HP Pavilion Laptop 15-eg0xxx with 16 GB RAM with a 512 GB NVMe storage device. My BIOS is from Insyde, version F.45 dated 11/07/2023.

I appreciate any help, even hints, that you can give. At this point, I’m almost ready to buy a new laptop, even though this one is only a few years old, just to get things working again.

I forgot to mention, in my attempts to fix things I cleared the TPM and reset all the UEFI keys to default.

You cannot change SBAT policy as long as Secure Boot is active.
https://en.opensuse.org/openSUSE:UEFI#Reset_SBAT_string_for_booting_to_old_shim_in_old_Leap_image

grub2-install is not suitable for use in Secure Boot at all.

Open a bug report: https://bugzilla.opensuse.org/ (same username and password as here).

See the wiki link above.

That is likely due to a dbx update which may have been installed automatically. I am not sure what the exact content is and which binaries are blacklisted there. But that sounds different from SBAT policy. More details would be needed. But if you reset the EFI keys, this is probably gone now.

Thank you for your help.

Skipping ahead a bit, I’ve made some progress.

I had Secure Boot off when I was trying “mokutil --set-sbat-policy delete”, but it wasn’t working.

Digging around, I found out that the version of shim used in Tumbleweed - 15.4 - does not support the above delete function. I temporarily installed shim version 15.8 on my installed Tumbleweed and then successfully ran the delete. I reverted to the default shim and I am now able to boot both the installation media and the installed system in Secure Boot mode.

The only thing still missing is the ability to set up Trusted Boot mode. I can turn on Trusted Boot support in Yast’s Boot Loader tool, but this hasn’t actually enabled Trusted Boot, since no key was written to the TPM.

So my remaining issue is how to get Trusted Boot working on an existing installation.

Any ideas what I should be doing next?

Thanks again for your assistance.
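As an added example (not code from this thread, from shim, or from openSUSE): the check behind the "Verifying shim SBAT data failed" message compares each component generation in a binary's .sbat section against the minimum generation stored in the firmware's SbatLevel revocation variable, which is why an older shim stops booting once another distribution's update has raised the minimum, and why the stored policy has to be reset before that shim boots again. The policy text, the two .sbat sections and the function names below are constructed for illustration.

```python
# Added illustration of the SBAT generation check; not shim's own code.
# .sbat entry format: component,generation,vendor,package,version,url
# Revocation policy (SbatLevel) entry format: component,min_generation

from typing import Dict, List

# Constructed example of a revocation policy as the SbatLevel variable might
# carry after another distribution's update raised the minimum generations
# (values are illustrative, not the real current policy).
SBAT_LEVEL_POLICY = "sbat,1,2024010900\nshim,4\ngrub,3\n"

# Constructed .sbat section of an older shim build (generation 2 for "shim").
OLD_SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
)

# Constructed .sbat section of a newer shim build that satisfies the policy.
NEW_SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
)

def parse_sbat(csv_text: str) -> Dict[str, int]:
    """Map component name -> generation from the first two CSV fields of each line."""
    gens: Dict[str, int] = {}
    for line in csv_text.splitlines():
        fields = line.split(",")
        if len(fields) < 2 or not fields[0]:
            continue  # skip blank or malformed lines
        gens[fields[0]] = int(fields[1])
    return gens

def sbat_violations(binary_sbat: str, policy: str) -> List[str]:
    """Components present in the binary whose generation is below the policy minimum.

    A component the binary does not declare is not a violation; the policy only
    constrains components the binary claims to be.
    """
    have = parse_sbat(binary_sbat)
    need = parse_sbat(policy)
    return [name for name, minimum in need.items()
            if name in have and have[name] < minimum]

def sbat_self_check(binary_sbat: str, policy: str) -> str:
    """Outcome of the firmware-side check: 'ok' or an error string naming the revoked components."""
    bad = sbat_violations(binary_sbat, policy)
    if bad:
        return "SBAT self-check failed: Security Policy Violation (" + ", ".join(bad) + ")"
    return "ok"
```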

I am not sure what you are trying to do. grub2 can measure the boot sequence into TPM PCRs and can automatically unlock a LUKS recovery key based on these measurements. The latter obviously has to be set up in advance. What "key" are you talking about?