Help Needed with Installing openSUSE and NVIDIA Drivers: Issues with Secure Boot and Disk Encryption

Hello everyone,

I’m looking for assistance with installing openSUSE in a way that allows for easy updates of NVIDIA drivers without too much hassle, especially with Secure Boot enabled. I’ve tried multiple times with different settings, but I keep running into problems. Here are the main issues I’m facing:

Disk Encryption Prompts: During installation, I get two prompts to decrypt my disk. Often, my keyboard driver hangs and restarts during this process. I’ve tried different keyboards, but I still encounter issues. As a result, I’m unable to use capital letters for my password on the encryption screen. Is there a known issue with using capital letters in disk encryption?

Secure Boot: After managing to install the drivers and update the system, I can’t enable Secure Boot. On one occasion, I reached the MOK (Machine Owner Key) verification screen to enroll the NVIDIA driver, but the password option was not present. Is there an error in the documentation regarding this? Do I need to set the password in the terminal before restarting to the MOK screen?

Any guidance or step-by-step instructions to resolve these issues would be greatly appreciated. Thank you!

I made a typo in my first post. The problem I have is: after installation, every time I boot up I get two prompts to decrypt what I think is the same drive with the same password, but the second time I can’t write capital letters. I also want to ask: can I back up the Secure Boot keys from the UEFI BIOS menu on my current system and use them on the new system to maintain the same Secure Boot configuration? Will this approach allow the installation to work seamlessly on the new hardware, or are there additional steps required?

Hello @Jmiller82,

You seem to be addressing a couple of issues here. And it is not clear whether you have successfully installed or not. And to simply answer the one simple question here, there is no issue with using capital letters in encryption pass phrases.

One:

You have to enter a decryption key more than once.

You should not have to do this. If your root partition is encrypted and the passphrase used to decrypt it is the same for subsequent filesystems, then it will not have to be re-entered. You can also use keyfiles to decrypt subsequent filesystems with an entry in /etc/crypttab.

I strongly suspect that you have an encrypted root filesystem that also contains boot. This will force you to enter the passphrase twice, once to decrypt the boot image and again to decrypt the root filesystem itself. The way I know to avoid this annoyance is to have a separate unencrypted boot partition.

If you are writing about installation, then you will be given an opportunity to decrypt each encrypted filesystem the installer encounters.

Two

You seem to be having trouble using MOK to bless/sign/un-taint (don’t know the right word) the nvidia kernel modules. There is information in abundance as to how to tackle this, but I have not had to do it and don’t feel confident enough to summarize what I have read on the subject. I suspect it is something you don’t need to do either. How did you go about installing / trying to install the nvidia drivers?

On a fresh tumbleweed install, it should be as easy as typing “zypper inr”.

I am running Leap 15.6 on my desktop computer with secure boot and the nvidia G06 driver. I have never had to mess with MOK.

I installed tumbleweed on an older laptop just a few days back, also with the nvidia G06 driver and no issues. This is a bit of a cheat however because I have secure boot disabled on that system in the bios.

Three

Keyboard crashing? Is it wireless? I really don’t know how I might help with that one except maybe to use the text based install option in yast.

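The keyfile approach mentioned in the reply above, as an added example that is not part of the thread or of openSUSE's own scripts: the second LUKS volume (/home here) is unlocked with a keyfile that lives on the already-unlocked encrypted root, so only the root passphrase is typed at boot. The device path, UUID, mapper name cr_home and keyfile path /etc/luks/home.key are assumptions for illustration; the sample /etc/crypttab is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or openSUSE docs: unlock a second LUKS
# volume (here /home) from a keyfile stored on the already-unlocked encrypted
# root, so the passphrase is typed once at boot.  Device path, UUID, mapper
# name and keyfile path are assumptions for illustration.
set -e

# Constructed sample /etc/crypttab: root is unlocked interactively, home from a keyfile.
SAMPLE_CRYPTTAB='# <name>  <device>                                   <key>               <options>
cr_root   UUID=11111111-2222-3333-4444-555555555555  none                luks
cr_home   UUID=66666666-7777-8888-9999-000000000000  /etc/luks/home.key  luks'

# Compose one crypttab line for a keyfile-unlocked volume.
# Usage: crypttab_line <mapper-name> <UUID> <keyfile>
crypttab_line() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# Predict how many passphrase prompts a crypttab causes at boot: every entry
# whose key field is "none" or "-" asks on the console.  Reads crypttab text
# on stdin and prints the count.
count_prompts() {
    awk '/^[[:space:]]*#/ { next }
         NF < 3 { next }
         ($3 == "none" || $3 == "-") { n++ }
         END { print n + 0 }'
}

# A keyfile is only safe if it is readable by root alone and does not live on
# the unencrypted /boot partition.  Returns 0 when both hold.
keyfile_ok() {
    kf=$1
    case "$kf" in /boot/*) return 1 ;; esac
    [ -f "$kf" ] || return 1
    mode=$(stat -c %a "$kf")
    [ "$mode" = 400 ] || [ "$mode" = 600 ]
}

# One-off setup, run as root only when invoked as:  ./luks-keyfile.sh apply /dev/sda7 <UUID>
apply() {
    dev=$1; uuid=$2; kf=/etc/luks/home.key
    mkdir -p /etc/luks && chmod 700 /etc/luks
    ( umask 077; head -c 64 /dev/urandom > "$kf" )      # 512-bit random key, mode 600
    cryptsetup luksAddKey "$dev" "$kf"                   # asks for an existing passphrase once
    keyfile_ok "$kf"                                     # abort if the placement is unsafe
    crypttab_line cr_home "$uuid" "$kf" >> /etc/crypttab
    dracut -f          # rebuild the initrd so cr_home is set up after cr_root at boot
}

if [ "${1:-}" = apply ]; then
    apply "$2" "$3"
fi
```

Run without arguments the script only defines the helpers; `apply` touches the LUKS header and /etc/crypttab, so run it once, as root, against the correct partition. The keyfile must stay on the encrypted root: on a separate plain /boot it would be readable by anyone with the disk.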

Hi!

Thanks for your assistance.

I’m preparing for a fresh install and would appreciate guidance on the best approach. As a new Linux user, I’m not very familiar with filesystems, so I let the installer handle the partitioning. I selected my drive, gave it full permissions, and chose Btrfs for the system and ext4 for the home directory, hoping this would be ideal for backups. I also matched the RAM size for hibernation, but I’m unsure if this could cause problems if I upgrade my RAM later.

I’m considering switching to openSUSE Leap, but I’m worried about missing out on updates for KDE and GNOME. I remember seeing a forum post about an issue with a missing or incorrect file in Tumbleweed affecting secure boot, but I can’t locate it now.

During the first boot, I used the software center and update center to install NVIDIA drivers, which worked fine as long as secure boot was disabled.

Regarding the keyboard issue, I’m using a wireless keyboard and will try unplugging the receiver when testing other keyboards.

Any advice would be greatly appreciated!

Best regards.

Do you know how long it typically takes for openSUSE Leap to receive updates for GNOME, KDE, and NVIDIA drivers? Given my recent installation experience, I’m leaning towards stability over a rolling release. :smile:

@Jmiller82 Look at Aeon Desktop, systemd-boot, FDE OTB if you have a later TPM 2.0 version, then no secure boot is needed… It is still RC3ish…

Hi, I’m currently running Windows 11. Are you recommending that I turn off Secure Boot? I’m fairly certain I have TPM 2.0, as I’m using an ASUS Z390 motherboard. I’m aiming for the most secure system possible, including backups and encryption.

If Secure Boot might be updated in the future to support this setup, I’m open to turning it off temporarily. My main concern now is setting up the disks so that I don’t have to type the password twice to decrypt and log in. Is there a way to configure it so I either don’t need to enter the password more than once or have multiple attempts to type it correctly?

@Jmiller82 No password entered with TPM 2.0 and systemd-boot, there is a recovery key presented. Aeon doesn’t support dual boot :frowning_face:

nvme0n1       259:0    0 238.5G  0 disk  
├─nvme0n1p1   259:1    0     4G  0 part  /boot/efi
└─nvme0n1p2   259:2    0 234.5G  0 part  
  └─aeon_root 254:0    0 234.5G  0 crypt /usr/local
                                         /opt
                                         /home
                                         /srv
                                         /.snapshots
                                         /var
                                         /root
                                         /

You can leave secure boot on AFAIK

Aeon looks promising, but I’d like to keep the option to boot Windows until I decide if Linux is right for me. By the way, do you think my encrypted Fedora installation might be causing issues? It’s on a separate disk with its own GRUB menu where I can select either Windows or Fedora.

Hello again @Jmiller82,

Knowing that you have an Asus Z390 is a double help to me. Generally, it is good to know what you are working with. Secondly, my box has an Asus Tuf Z290 mobo, which is very similar! ( I don’t think the z290 supports pcie bifurcation … I KNOW the z390 does … I really should have spent the extra few bucks )

First Issue: wireless keyboard

Use a wired keyboard for the installation. If you don’t have one, go buy a cheap one. The last cheap keyboard I bought cost me a whopping $15.00, and it wasn’t even the cheapest in the store! Once the installation completes, you can enjoy the wireless keyboard in so much as any wireless keyboard can be enjoyed. ( I have a keychron k5 pro … it supports both wired and wireless … I usually use it in wired mode … just works better) Same advice for the mouse, except wireless mice are not nearly as flaky as wireless keyboards, so you might get away with it …

It is also good to know that you are new to gnu/linux!

Because you are new to the gnu/linux ecosystem, I strongly recommend using Leap. I am NOT new to the ecosystem, my first gnu/linux install was slackware somewhere around 1993 or 1994 and I strongly recommend Leap for myself! While it is true that the packages in Leap are generally not the “latest and greatest”, they are generally recent and well tested. I use Leap on my main computer because it is ROCK SOLID! Tumbleweed has a tendency to get broken by updates from time to time, and getting broken by an update is much more likely if you are using the proprietary Nvidia drivers. I don’t think I have ever had Leap broken by an update … and I have used it since before it was called Leap.

You should also know that if you need a newer version of a software package than is currently available in Leap, there may very well be a safe, easy and reliable way to get it. For example, I use inkscape. The version available in Leap is 1.01 and has been going back at least three releases. However, I can install inkscape 1.3 in flatpak form from flathub. (Don’t worry if you don’t know what this means … just an example to show that if you need a newer package, you can probably get it)

SECURE BOOT and TPM

You can certainly leave secure boot enabled ( I do ), although I am not convinced that it even makes sense for a computer sitting in my bedroom :slight_smile: . I know almost nothing about TPM, but if it makes your life easier to turn it off …

FILESYSTEMS

I recommend using ext4 for EVERYTHING! The big feature of btrfs is the ability to take system snapshots. I have tried it … it is extremely cool … it works well … and for my purposes … useless, a very cool gimmick. ext4 is easier to repair (like after a power failure, it is unlikely you will have to do anything at all … the boot system will do what is needed for you), less complicated, and ROCK SOLID. btrfs has many interesting and compelling features in addition to snapshots, and because of that, it is much more complicated than ext4. In my admittedly limited experience, it is difficult, if not impossible, to recover a corrupted btrfs filesystem, and it can get corrupted. (If you want to see corruption in action, install btrfs on top of mdraid … I’ve made that mistake)

Use a separate unencrypted boot partition and encrypt root ( / ) and home ( /home ) with luks2 using the same passphrase. At boot, you will be prompted to provide a passphrase to unlock root, and the system will do everything else.

When done, your disk should look something like:

root@nanus# parted /dev/sda p
Model: ATA ST1000LM024 HN-M (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system     Name                          Flags
 1      1049kB  274MB   273MB   fat32           EFI System Partition          boot, esp
 2      274MB   290MB   16.8MB                  Microsoft reserved partition  msftres
 3      290MB   325GB   325GB   ntfs            Basic data partition          msftdata
 4      325GB   326GB   950MB   ntfs                                          hidden, diag
 5      326GB   327GB   500MB   ext4            BOOT
 6      327GB   365GB   38.2GB                  ROOT
 7      365GB   992GB   627GB                   HOME
 8      992GB   1000GB  8214MB  linux-swap(v1)  SWAP                          swap

This table is from a laptop that dual boots tumbleweed and windows 10. I recommend making BOOT just a little larger, 600 or even 750 MB.

The swap size SHOULD be equal to or greater than ram size IF you want to use hibernation. It does not HAVE to be greater or equal. Hibernation is not necessarily broken if it is smaller. It has to be large enough to accommodate used memory at the time of hibernation. I usually test hibernation to make sure it works and then immediately disable it. I don’t like the feature.

After you have the system installed, install the Nvidia drivers by simply running “zypper inr” as the root user and reboot when it completes.

Cheers!
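A layout check for the advice in the post above (plain /boot, LUKS-backed / and /home, swap at least as large as RAM for hibernation), as an added example that is not part of the thread. The lsblk, /proc/meminfo and /proc/swaps text embedded below is constructed for the example, not taken from anyone's machine; the script reads the live values only when invoked with `live`.

```shell
#!/bin/sh
# Added example, not from the thread: audit a disk layout against the advice
# above (plain /boot, LUKS-backed / and /home, swap at least as large as RAM
# for hibernation).  The lsblk, /proc/meminfo and /proc/swaps samples below are
# constructed for the example, not taken from anyone's machine.
set -e

# Constructed `lsblk -rno NAME,TYPE,MOUNTPOINT` output for the recommended layout.
SAMPLE_LSBLK='sda disk
sda1 part /boot/efi
sda5 part /boot
sda6 part
cr_root crypt /
sda7 part
cr_home crypt /home
sda8 part [SWAP]'

# Constructed output for the layout the first reply warns about: /boot lives
# inside the encrypted root, so there is no separate /boot mount at all.
SAMPLE_LSBLK_BAD='sda disk
sda1 part /boot/efi
sda2 part
cr_root crypt /'

# Constructed /proc/meminfo and /proc/swaps excerpts (16 GiB RAM, 8 GiB swap).
SAMPLE_MEMINFO='MemTotal:       16283432 kB
MemFree:         9123456 kB'
SAMPLE_SWAPS='Filename                                Type            Size            Used            Priority
/dev/sda8                               partition       8021504         0               -2'

# Print the device TYPE (part, crypt, lvm, ...) backing a mountpoint; lsblk text on stdin.
type_of() {
    awk -v mp="$1" '$3 == mp { print $2; exit }'
}

# /boot must be a plain partition so GRUB can read the kernel without a
# passphrase; / and /home should be dm-crypt mappings.  lsblk text on stdin;
# prints one line per check and returns 1 if any check fails.
audit_layout() {
    lsblk_text=$(cat)
    rc=0
    for spec in /boot:part /:crypt /home:crypt; do
        mp=${spec%%:*}; want=${spec#*:}
        have=$(printf '%s\n' "$lsblk_text" | type_of "$mp")
        if [ "$have" = "$want" ]; then
            echo "OK    $mp is on a $have device"
        else
            echo "FAIL  $mp is on '${have:-nothing}', expected $want"
            rc=1
        fi
    done
    return $rc
}

# MemTotal in KiB from /proc/meminfo text on stdin.
mem_total_kib() { awk '/^MemTotal:/ { print $2 }'; }

# Sum of all swap sizes in KiB from /proc/swaps text on stdin (Size is column 3).
swap_total_kib() { awk 'NR > 1 { s += $3 } END { print s + 0 }'; }

# Returns 0 when swap is at least as large as RAM, the size the post recommends
# for hibernation.  Usage: hibernation_sized <mem_kib> <swap_kib>
hibernation_sized() {
    [ "$2" -ge "$1" ]
}

# Live run against the current machine:  ./layout-audit.sh live
if [ "${1:-}" = live ]; then
    lsblk -rno NAME,TYPE,MOUNTPOINT | audit_layout || true
    mem=$(mem_total_kib < /proc/meminfo)
    swp=$(swap_total_kib < /proc/swaps)
    if hibernation_sized "$mem" "$swp"; then
        echo "OK    swap ${swp} KiB covers RAM ${mem} KiB"
    else
        echo "WARN  swap ${swp} KiB is smaller than RAM ${mem} KiB; hibernation may fail"
    fi
fi
```

The /boot check fails in exactly the case the first reply describes: when /boot is a directory inside the encrypted root there is no separate /boot mount, so `type_of /boot` prints nothing. A swap smaller than RAM is only a warning, matching the post's point that hibernation needs room for the memory in use, not necessarily all of it.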

It will not interfere or cause problems. The fact that you can boot it tells me that you have legacy boot enabled in the system bios. That won’t present any technical problems, but it might cause you a little confusion. I would turn it off during the install, not because you have to, but it will limit the options presented.

I looked into Leap, and it seems impressive! I really wish for HDR support. Since I haven’t figured out why I can’t boot Tumbleweed with Secure Boot, I’ll likely switch to Leap instead. How did you set up your recovery if you use ext4 for everything? I thought Btrfs was required for system recovery.

Hello again @Jmiller82,

I’m not sure what you mean by “recovery”. Btrfs allows snapshots. For example, you take a snapshot of a running system. Then you manually do something extra dumb that makes your entire system unstable, which in reality is fairly difficult to do. You can reboot into the “snapshot” as in boot the system as it existed before you exercised your right to be dumb. If that is what you mean by recovery, my approach is to avoid flagrant acts of stupidity :slight_smile: .

All silliness aside, btrfs is not required to restore a system from a backup. It is just one of many different filesystems one could choose to use. If you want to use it, you should make a somewhat larger root filesystem to accommodate snapshots. I did not find snapshots to be a particularly useful feature, though I will gladly admit that it is way cool!

I could be wrong, but I don’t think you will find HDR support in gnu/linux. (maybe in the steam game engine ???, something like that maybe ???) Personally, I think HDR is a hokey gimmick, a sad substitute for the actual implementation of expanded color space in the UHD specification (aka 4K, even though they are not quite the same thing, but close enough to be used synonymously). I have no idea when that might actually happen, but the last time I researched it, the only thing close in the real world (other than HDR) was the implementation of expanded RGB ( sRGB? ) on some systems from Apple. Realistic greens are on the way … but not quite here yet!

Cheers!

@Jmiller82 And is the system firmware all up to date with respect to secure boot certificates etc.?

fwupdmgr get-devices

Hi,
Thank you for the detailed explanation!

Regarding the “recovery,” I indeed meant having a reliable backup system in place, which is crucial for my needs.

As for HDR, I have to say that HDR 1000 works wonderfully with Wayland and KDE 6. The visual quality is outstanding, and it’s been a great experience for me.

I managed to get around the keyboard problems by setting the keyboard layout to US. Unplugging all USB devices and using a new keyboard didn’t work, but the US layout did. This was with the install media “openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240724-Media.” US layout works fine for me, so this can be marked as a solution.

However, I still haven’t solved the secure boot issue. The error code I get is: “Verifying shim SBAT data failed: Security policy violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.” This happens both with the install media “openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240724-Media” and “openSUSE-Tumbleweed-NET-x86_64-Snapshot20240726-Media” when secure boot is enabled. I also tried installing with secure boot set to “Other OS,” but when I set it back, I get the same error code.

Hello again @Jmiller82 ,

There have OBVIOUSLY been some developments in the march toward UHD since I last looked into it, which was a few years ago when I bought a new monitor. HDR in KDE?! WOW! I am genuinely surprised, though I guess I should not be. I am also surprised that your keyboard issue turned out to be as simple as using US layout. I am an English speaker from the USA. It would never occur to me to use anything other than US layout.

On a whim, I enabled secure boot on my laptop early this morning. It runs the latest and greatest Tumbleweed, or at least it will until I want to test something else. These are the steps I took:

  1. From a “root” prompt:
    root@nanus# mokutil --enable-validation

  2. Uninstall the nvidia drivers, as in ‘zypper rm nvidia-*G06 …’

This is necessary because when secure boot is enabled, the nvidia post install script(s) will generate a key that you need to register with mok. I could not figure out a way to get the key without uninstalling, and then re-installing the drivers. Perhaps someone more clever than myself has tackled this?

  3. Reboot!

When your system comes back up, you will be greeted with a mok popup that is fairly intuitive.

Once the system has been registered in MOK, you should be able to confirm with mokutil:

root@nanus# mokutil --sb-state
SecureBoot enabled

  4. Re-install the nvidia drivers … " zypper inr" … and anything extra you might want. With secure boot enabled, the nvidia install will generate a keyfile.

As per documentation, I used “mokutil --import /usr/share/nvidia-pubkeys/MOK-nvidia-driver-G06-550.100-25.1-default.der”. This DID NOT work for me!

  5. Reboot and register using the mok popup utility. There are decent instructions here:

https://en.opensuse.org/SDB:NVIDIA_drivers

I found the process of registering the nvidia drivers in mok easy, but counter-intuitive. I thought I would have to browse to the specific keyfile, but I did not. Follow the instructions exactly as presented in the above link.

Oooops!

Before doing any of the above, make sure secure boot is enabled in the system bios.

Mok Example
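A verification step for the enrolment procedure above, and for the earlier Secure Boot error report in this thread, as an added example that is not part of the thread or of the SDB page: after the reboot, confirm that Secure Boot is actually on and that the key which signed the nvidia modules is in the enrolled MOK list, rather than assuming the popup worked. The mokutil and modinfo output embedded below is constructed, and the signer name is a placeholder, not the real CN of openSUSE's nvidia key; the live branch assumes `modinfo -F signer` and `mokutil --list-enrolled`, and treats the SBAT listing option as available only on newer mokutil versions.

```shell
#!/bin/sh
# Added example, not from the thread or the SDB page: after enrolling the key,
# confirm that Secure Boot is on and that the key which signed the nvidia
# modules is in the MOK list.  The mokutil/modinfo samples below are
# constructed; the signer CN is a placeholder, not openSUSE's real key name.
set -e

# Constructed `mokutil --list-enrolled` excerpt (two keys).
SAMPLE_ENROLLED='[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=SUSE Linux Enterprise Secure Boot CA
        Subject: CN=SUSE Linux Enterprise Secure Boot Signkey
[key 2]
SHA1 Fingerprint: ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=example nvidia-G06 MOK
        Subject: CN=example nvidia-G06 MOK'

# Constructed `modinfo -F signer nvidia` output (placeholder name).
SAMPLE_SIGNER='example nvidia-G06 MOK'

# Returns 0 when `mokutil --sb-state` output (stdin) reports Secure Boot as on.
sb_enabled() {
    grep -q '^SecureBoot enabled'
}

# Print the Subject of every enrolled key, one per line; mokutil output on stdin.
enrolled_subjects() {
    sed -n 's/^[[:space:]]*Subject: *//p'
}

# Returns 0 when the module signer CN ($1) matches an enrolled key subject.
signer_enrolled() {
    enrolled_subjects | grep -Fq -- "CN=$1"
}

# Live check against the running system:  ./mok-check.sh live
if [ "${1:-}" = live ]; then
    if mokutil --sb-state | sb_enabled; then
        echo "Secure Boot: enabled"
    else
        echo "Secure Boot: disabled or unsupported (enable it in firmware before enrolling)"
    fi
    signer=$(modinfo -F signer nvidia 2>/dev/null || true)
    if [ -z "$signer" ]; then
        echo "nvidia module is unsigned or not installed; reinstall with 'zypper inr' under Secure Boot"
    elif mokutil --list-enrolled | signer_enrolled "$signer"; then
        echo "nvidia module signer '$signer' is enrolled in MOK; the module will load"
    else
        echo "nvidia module signer '$signer' is NOT enrolled; 'mokutil --list-new' shows a pending import"
    fi
    # Assumed: newer mokutil can print the firmware SBAT revocation level, which is
    # what the "SBAT self-check failed" message earlier in this thread compares against.
    mokutil --list-sbat-revocations 2>/dev/null || true
fi
```

Matching on the certificate Subject rather than the .der file name is the point: the popup enrolls whatever `mokutil --import` queued, so checking the enrolled list against the module's own signer field is the only way to tell that the right key went in.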