Enabling Secure Boot after dual boot already set up without it? Win 10 > 11 requirements

jrolph · March 11, 2025, 1:17pm

A few years ago I set up a dual-boot system with Windows 10 & Mint Cinnamon (A few months ago I hopped to OpenSUSE), and took a few steps to keep it stable such as disabling fast boot, Windows hibernate & other things like that. I think secure boot is one of those things I had disabled for this purpose (I might be wrong, but fact is its disabled), but now I want to switch from 10 to 11, Secure boot (And TPM 2) are required. I’m open to do this since I hear OpenSUSE supports Secure Boot, but there are some roadblocks I’m struggling to find more information on myself.

I hadn’t thought of secure boot in advance so I can’t recall if I enabled support for secure boot during installation of OpenSUSE as mentioned here. Is there a way to check if my install can handle them being enabled? That page suggested running this command to check if it’s enabled;
od -An -t u1 /sys/firmware/efi/vars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c/data
But there was no such file or directory.

While doing some googling on the topic I saw some advice suggesting that simply enabling secure boot can cause issues if Linux wasn’t installed with it already on. Is this accurate? If so, what are the steps to properly go about this?

Thanks

arvidjaar · March 11, 2025, 1:31pm

Show

efibootmgr

No.

jrolph · March 11, 2025, 3:47pm

This is the output of efibootmgr;

BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0001,000A,0008,000B
Boot0000* rEFInd        HD(2,GPT,00a27705-2055-40b9-bbae-68f06aa88438,0x8000,0x32000)/File(\EFI\REFIND\REFIND_X64.EFI)
Boot0001* opensuse-secureboot   HD(2,GPT,00a27705-2055-40b9-bbae-68f06aa88438,0x8000,0x32000)/File(\EFI\OPENSUSE\SHIM.EFI)
Boot0002* Windows Boot Manager  HD(1,GPT,5ce5e933-9166-456f-aed1-606cc9a65919,0x800,0x32000)/File(\EFI\REFIND\REFIND_X64.EFI)57494e444f5753000100000088000000780000004200430044004f0042004a004500430054003d007b00390064006500610038003600320063002d0035006300640064002d0034006500370030002d0061006300630031002d006600330032006200330034003400640034003700390035007d00000061000100000010000000040000007fff0400
Boot0008* Windows Boot Manager  HD(2,GPT,00a27705-2055-40b9-bbae-68f06aa88438,0x8000,0x32000)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)0000424f
Boot000A* opensuse      HD(2,GPT,00a27705-2055-40b9-bbae-68f06aa88438,0x8000,0x32000)/File(\EFI\OPENSUSE\GRUBX64.EFI)0000424f
Boot000B* ubuntu        HD(2,GPT,00a27705-2055-40b9-bbae-68f06aa88438,0x8000,0x32000)/File(\EFI\UBUNTU\SHIMX64.EFI)0000424f

I’ve been meaning to clean up my boot, I use rEFInd, ubuntu was my first distro & idk why there are 2 windows boot managers :')
I noticed the secureboot entry in rEFInd before but didn’t attribute it to the same meaning, I see it points to a shim but that’s about the extent of my knowledge about secure boots with linux to be honest.

arvidjaar · March 11, 2025, 5:56pm

Which is not signed by Microsoft and so will not work as the primary bootloader when Secure Boot is enabled.

So, openSUSE should just work with Secure Boot as long as you boot into openSUSE shim directly.

Svyatko · March 12, 2025, 10:17am

Works with additional settings:

https://www.rodsbooks.com/refind/secureboot.html