Grub fails to boot tumbleweed kernel

After upgrading from 12.3 to Tumbleweed grub (via EFI secure boot) fails to boot the tumbleweed kernel vmlinuz-3.8.8-3-desktop.

Error Message: “invalid signature”

Fortunately the 12.3 kernel vmlinuz-3.7.10-1.1-desktop is still present (i.e. was not deleted by zypper dup) and works

We have a Tumbleweed forum. That is were you have the best chance to meet your fellow Tumbleweed users.

This thread will be moved there and is CLOSED for the moment.

Moved from Install/Boot/Login and open again.

Two kernel updates and one grub update later grub will still only boot the 12.3 kernel, but not the Tumbleweed kernel.

You will have to disable secure-boot in your BIOS to boot the newer kernels.

It looks as if the newer Tumbleweed kernels are not suitably signed for secure-boot to work. I suppose you could report this as a bug. It is at least a documentation bug (the Tumbleweed Docs don’t tell you that secure boot is unsupported).

And yes, that happens to me. I can boot with the 3.7.10 kernel in secure boot mode. I have to turn off secure-boot to use the newer kernels.

Disabling secure boot did work.

But the next kernel update removed all boot entries, rendering the system unbootable. To fix this I had to re-enable secure boot, reboot from rescue and reinstall the boot loader. So my update procedure for tumbleweed kernel now looks like this:

  1. enable secure boot
  2. boot 12.3 kernel
  3. install tumbleweed update
  4. disable secure boot
  5. boot tumbleweed kernel.

That should not have happened. The update went fine here.

I’m not clear on whether you lost all grub entries or all UEFI boot entries. If the latter, you can probably put back the grub menu with a rescue boot in UEFI mode, and using “efibootmgr -c (with parameters)” to put back the boot entry that you need.

If you still have the “3.7.10-1.1” kernel installed, then you might want to upgrade that to the 3.7.10-1.4 kernel. See my blog post on that topic. That’s a kernel that you would be able to boot in secure mode.

I lost the UEFI entries (verified in BIOS Setup), used rescue to chroot into my root and used yast because i do not know all the new commands for UEFI boot yet. But also yast will delete all entries if secure boot is not enabled, that is the reason for my workaround above. (enable/install/disable)

It might be the BIOS that is deleting entries. My BIOS does that at times.

You should be able to put an entry back with:

# efibootmgr -c -d /dev/sda -p 1 -L "opensuse" -l '\EFI\opensuse\shim.efi'

or something similar. Change the “-d” and “-p” (partition number) appropriately.

You could do that from a command prompt while running a rescue boot in UEFI mode.

There’s a warning - don’t use “efibootmgr” on an Apple Mac system.