I have a Lenovo laptop and I dual boot Win11 and OpenSUSE Tumbleweed. For some reason at the time, I wanted to have Secure Boot enabled and so I did it with a SUSE-signed MOK certificate enrolled in the UEFI. I also encrypted every Linux partition (LUKS).
It used to work fine, as I would enter the passphrase and be sent to GRUB.
Unfortunately, after an update of both Tumbleweed and Windows I now cannot launch Tumbleweed. After booting my laptop, I was welcomed with a blue screen and then automatically sent to Windows 11, bypassing the passphrase step and the bootloader.
I went on to disable Secure Boot. The blue screen vanished but it is still falling back to Windows. I’m getting these lines:
Malformed binary after Attribute Certificate Table
datasize: 2690048 SumOfBytesHashed: 2342912 SecDir->Size: 1904
hashsize: 335232 SecDir->VirtualAddress: 0x0023C000
Failed to load image: Invalid Parameter
start_image() returned Invalid Parameter, falling back to default loader
I tried booting a Tumbleweed USB (fresh ISO) and tried a manual bootloader upgrade, but got this warning:
Cannot upgrade the bootloader because of a mismatch of the boot technology. The upgraded system uses GRUB2 for EFI boot while the installation medium has been booted using GRUB2 with BLS boot.
Does someone have any idea on how I can rescue Tumbleweed? (Guess I should have kept things simple…)
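The values in the quoted shim output place the Attribute Certificate Table at offset 0x0023C000 with size 1904, which ends before datasize 2690048. The following added example (not from the thread or from shim; `cert_table_layout` and `make_sample` are hypothetical names and the sample image is constructed) parses a PE image's certificate-table directory entry and reports any bytes that follow the table, on the assumption that such trailing data is what the message flags.

```python
import struct

SECURITY_DIR = 4  # index of the Certificate Table entry in the data directories

def cert_table_layout(image: bytes) -> dict:
    """Report where the Attribute Certificate Table sits relative to end of file."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 layout
    (count,) = struct.unpack_from("<I", image, dirs - 4)  # NumberOfRvaAndSizes
    offset = size = 0
    if count > SECURITY_DIR:
        # For this one directory the "VirtualAddress" field is a file offset.
        offset, size = struct.unpack_from("<II", image, dirs + 8 * SECURITY_DIR)
    end = offset + size
    return {
        "signed": size != 0,
        "offset": offset,
        "size": size,
        "trailing": len(image) - end if size else 0,
        "ends_at_eof": size != 0 and end == len(image),
    }

def make_sample(body_len: int, cert_len: int, trailing: int) -> bytes:
    """Constructed PE32+ skeleton: headers, zero body, dummy certificate, extra bytes."""
    hdr = bytearray(0x40 + 24 + 112 + 16 * 8)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew points at the PE signature
    hdr[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x20B)  # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)  # NumberOfRvaAndSizes
    cert_off = len(hdr) + body_len
    struct.pack_into("<II", hdr, opt + 112 + 8 * SECURITY_DIR, cert_off, cert_len)
    return bytes(hdr) + bytes(body_len) + b"\xAA" * cert_len + bytes(trailing)

if __name__ == "__main__":
    # Constructed images: one ending at the certificate table, one with extra bytes.
    for extra in (0, 4096):
        print(extra, cert_table_layout(make_sample(1024, 1904, extra)))
```

To check a real bootloader, read the EFI binary's bytes from the mounted EFI partition and pass them to `cert_table_layout`.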
If yours is a TW installation that uses grub2-efi, and you have access to a (backup of, or can rescue boot to get at the current one) /boot/grub2/grub.cfg, then you can type enough of its relevant content manually from a grub2-efi boot menu from rescue media on striking E from any menu selection. Once booted this way, grub2-install should fix it. At least, that was my experience after boot failure following cloning the old NVME to a new one ~11 days ago. For me it wasn’t very difficult, as I use volume labels and/or device names as necessary instead of trying to work with UUIDs — lots less to type. Also, for booting the most recently installed kernel, you can skip typing the complete lengthy kernel and initrd filename strings and type only vmlinuz and initrd in those spots on the kernel and initrd lines to boot via those two symlinks that kernel installation created. Note too secure boot was not involved here, so I have no idea what obstruction it might impose.
GRUB menu shows up and no dual boot issues anymore
I followed your suggestions @mrmazda, by booting into rescue mode but selecting it directly on the bootloader. (@malcolmlewis I used the tumbleweed iso I had on hand instead of leap)
I had to properly decrypt and mount my root partition then chroot into /mnt.
I had some issue where grub2-install failed. I needed to go back to also mount my EFI partition on /mnt/boot/efi and tried to bind the following:
mount --rbind /dev /mnt/dev
mount --rbind /proc /mnt/proc
mount --rbind /sys /mnt/sys
mount --rbind /run /mnt/run
Then grub2-install was successful.
Finally
grub2-mkconfig -o /boot/grub2/grub.cfg
update-bootloader --refresh
# umount everything then reboot
Thank you all again very much, I learned a couple of new things.