Everything was fine with my system (an old Tumbleweed install that had both Secure Boot and Trusted Boot selected when installed and maintained with daily zypper dup) until I updated Kubuntu to their latest version. (I have/had a multiboot system).
Suddenly, I couldn’t boot Tumbleweed, getting an error regarding revoked keys. I used “mokutil --set-sbat-policy delete” to clear things out. This didn’t really help.
I’ve uninstalled Kubuntu, deleted its partition and removed its UEFI directory. Still no progress.
In desperation, I erased Tumbleweed’s opensuse UEFI directory and regenerated it with grub2-install. This fully repopulated the opensuse UEFI directory, but things still didn’t work.
I decided to reinstall Tumbleweed with both TPM and Secure Boot enabled, as I had originally done a few years ago. However, I immediately ran into a problem. After clicking Install in the initial installer screen, I got the following:
Loading kernel …
Loading initial ramdisk …
error: …/…/grub-core/kern/mm.c:548:out of memory.
I searched and found a work around to this by turning off my TPM. Not my first choice, but it got me past this problem.
Question #1: Does anyone know a way to get the installer to boot without turning off the TPM?
My next problem is a SBAT data failure. Trying to boot the USB install media results in:
Verifying shim SBAT data failed: Security Policy Violation
Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation
Turning off Secure Boot bypasses this problem, but is very much something I don’t want to do.
The resulting installation also won’t boot with Secure Boot on, even though Yast’s Boot Loader utility shows Secure Boot Support enabled. If Secure Boot is on, it generates the same SBAT data error.
Question #2: how can I fix things so that I can boot the USB Tumbleweed install media with Secure Boot turned on and get an installed system that will also boot with Secured Boot turned on? (With the ideal goal of getting things to work with both TPM enabled, Secure Boot enabled and Trusted Boot enabled, as my system had originally been before everything decided to hit the rotating air moving device.)
My system is an HP Pavilion Laptop 15-eg0xxx with 16 GB RAM with a 512 GB NVMe storage device. My BIOS is from Insyde, version F.45 dated 11/07/2023.
I appreciate any help, even hints, that you can give. At this point, I’m almost ready to buy a new laptop, even though this one is only a few years old, just to get things working again.