I am looking for some guidance / assurance in proceeding to active an installed kernel:stable:backports kernel 5.14.11. I have ‘secure boot’ enabled in BIOS.
The laptop in secure boot, boots/runs ok with the 5.3.18 kernel (with some aspects I want to investigate by trying a newer kernel).
I installed the kernel-default-5.14.11 from the kernel:stable:backports repository on my openSUSE-LEAP-15.3 on my Lenovo X1 Carbon Gen-9 laptop (which also pulled in suse-modules-tools-16.0.11-lp153.2.1 (so to obtain suse-kernel-rpm-scriplets) replacing the previous 15.3.6-1.1 version on my laptop).
When I first rebooted, after selecting the new kernel-default-5.14.11 in the openSUSE grub menu, I was sent to a blue grub screen on “Shim UEFI key management” and asked to “Press any key to perform MOK management”.
While I was pondering this, the screen timed out, and gave me a black screen with this error:
Loading Linux 5.14.11-lp153.2.g834dddd-default ... error: ../../grub-core/kern/efi/sb.c:151:bad shim signature. Loading initial ramdisk ... error: ../../grub-core/loader/i386/efi/linux.c:98:you need to load the kernel first. Press any key to continue
I pressed a key and it sent me back to the normal green grub boot screen, at which time I selected the regular openSUSE kernel boot to a 5.3.18 kernel.
I concluded I did not know what I was doing, and I needed to research more to know what was appropriate to do next to boot to the 5.14.11 kernel.
I would like to boot to this 5.14.11 kernel, but given I am unfamiliar with this, I don’t want to mess up my install if further blue screens are encountered after I “Press any key to perform MOK management”. I suspect the next screen might say “Enrol Key from disk” or “Enrol Hash from disk”. What do I select there? My guess is “Enrol key from disk” but I prefer not to guess.
Can anyone offer any experience here?
Should I select “Enrol key from disk” ? And if I select that, will I encounter more menus with different selections/decisions to make? ** I prefer not to screw this us.
or is my best/only approach to disable Secure Boot in BIOS and try again?
As a precaution I have now backed up my /boot/EFI directory to a USB stick.