Error in Grub-efi for Debian and Lubuntu


I installed Leap 15 about a week or so ago.

Before that I had 4 OS’s W10, Leap 42.3, Lubuntu and Debian.

For the the last 2 years or more these 4 have co-existed, survived updates etc, Deb for 8.x to 9.x and W10 thru to 1803.

When I installed Leap 15 I got a warning message about possible boot problems, but went past that and I got my Boot Loader screen listing the same 4 OS’s just a different background picture.

W10 and Leap are fine.

Lubuntu and Debian won’t boot they generate an error message.

So what has happened when I ran the BootLoader as Secure Boot in YAST?

Tried Lubuntu with sudo update-secureboot-policy – enroll-key and --new-key.

Re-installed Lubuntu and still no boot.

Lubuntu installs it’s own version of grub and boots from that. So what have I done / not done to get Lubuntu added as a viable option in Grub?

If you turn off secure-boot, it should all work.

If you want it to work with secure-boot turned on, then try this:

(1) Boot Lubuntu
(2) Use:

mokutil --export

to store the Canonical certificate to a file. Copy that file to somewhere that can be accessed by openSUSE
(3) On openSUSE, use:

mokutil --import

to install that certificate in the openSUSE MokManager.
(3) Reboot. The importing is handled during the next boot.

(a) You probably need to be root to use some of those “mokutil” commands;
(b) The “man” pages for “mokutil” will give the details for the command.

This should get Lubuntu booting with openSUSE grub2-efi.

It won’t work for Debian. The openSUSE shim requires that the kernel is signed with a recognized certificate. As far as I know, Debian kernels are not signed.

If it is important to boot Debian this way, then you probably need to create your own “Machine Owner Key”, and then sign the Debian kernel with that key.

More notes:
I have Ubuntu 18.04 booting without a problem on one of my boxes. It is working about as described above. I used “mokutil --export” (while running Ubuntu) to put the canonical key in a file, then I used "mokutil --import (under openSUSE) to load that key for use during openSUSE boot.

I also have Deepin booting on that box. It is Debian based. I had to sign the kernel myself with the Machine Owner Key that I created.

An easier alternative might be to allow Ubuntu to control the booting. The Ubuntu shim is less fussy, and will boot just about any linux even if the kernel is not signed.


Thank you.

I have been doing a little digging and found similar info myself.

I can boot all 4 OS’s one way or another.

Insecure Booting like you suggest seems to be the LCD (Lowest Common Denominator).

In Debian I just ran

sudo mokutil --disable-validation

and with a passphrase it rebooted and Leap now says Insecure Booting.

So I will persevere, but I am greatly re-assured by your answer.

I did read through reams of grub config stuff and found this potential reason (highlighted errors).

linuxefi /boot/vmlinuz-4.15.0-29-generic root

[LEFT] ro quiet splash $vt_handoff
initrdefi /boot/initrd.img-4.15.0-29-generic

linux /boot/vmlinuz-4.15.0-29-generic root
[LEFT] ro quiet splash $vt_handoff
initrd /boot/initrd.img-4.15.0-29-generic
This thread can now be closed as I am happy with the answer.

When you use “linuxefi” and “initrdefi” (instead of “linux” and “initrd”), then the kernel signature is checked as part of the boot process.

The openSUSE shim insists on using “linuxefi” and checking the signature. The “ubuntu” shim does not insist, and will boot using “linux” and “initrd” without checking kernel signatures.

Consider that anyone that can modify the boot stack already owns your machine. So what does secure boot really protect you from?


Considering my password strength, it is not really relevant.

It is more about being tidy than secure.

So I wiped/vaped several partitions and re-installed Leap 15 (twice) and go scenarit a secure boot scenario for W10 and L15.

Added Lubuntu, which made it’s own bootloader, when I added it to Leap’s bootloader it went back to failing.
So booted using Lubuntu bootloader and ran mokutil

–sb-state just to check it was securely booting.

Then as advised earlier I did the --export and --import mok-0001.der, so now the L15 has booted Luntubu.

Hopefully adding in Debian will go as smoothly.

I have not recently used Debian. I suspect that Debian kernels are not signed.

I recently installed Deepin, which is based on Debian, and its kernel was not signed. This wasn’t a big problem for me. I simply signed the kernel myself. I had already created my own signing key and added that key to MokManager (with mokutil --import). You might need to do something similar if you want to keep secure-boot on and use openSUSE grub to boot Debian.