Installation Has Problems at 96% complete with Secure Boot

Budgie2 · February 12, 2016, 1:31am

Installing LEAP 42.1 on 64 bit IBM X3400 M3 server. I have had no problems with two network installations (first one had to be abandoned to revise RAID) with secure EFI boot on the same machine but the last time I tried the installation failed at the boot installation stage.

I was given the chance to remove mbr protection which I did but a retry still failed so I had to uncheck the secure boot option. Installation then completed.
I assumed the issue might have something to do with UEFI firmware on mobo but had reset the bios and restored defaults in machine setup before trying to install.

Now I have an “insecure” boot installation, is it possible to correct problem and return system to secure boot?
Budgie2

malcolmlewis · February 12, 2016, 1:39am

Hi
Go into YaST -> Bootloader and check secure-boot is enabled, then check via efibootmgr that it’s present in the efi nvram, eg;


 efibootmgr -v
BootCurrent: 0001
Timeout: 5 seconds
BootOrder: 0001,0000,0080
Boot0000* openSUSE    HD(1,800,64000,b9444bd2-9878-49a3-81fd-8dc36da19559)File(\EFI\opensuse\grubx64.efi)
Boot0001* openSUSE Secureboot    HD(1,800,64000,b9444bd2-9878-49a3-81fd-8dc36da19559)File(\EFI\opensuse\shim.efi)

If the shim.efi one is present, if the boot order is not correct, set it via efibootmgr;


efibootmgr -b 1,0,xxxx

Then reboot and re-enable secure boot in the BIOS and should be good to go.

Budgie2 · February 12, 2016, 4:08pm

Hi Malcolm,
Many thanks. In Bootloader what should I do with Protective MBR Flag?

malcolmlewis · February 12, 2016, 4:17pm

Hi
Shouldn’t need to touch that, by default gpt disk is protective, unless you have a funky hybrid one… you can check via gdisk, eg;


gdisk -l /dev/sdX | sed -n 4p

Where sdX == your disk.

Budgie2 · February 12, 2016, 4:26pm

Hi Malcolm,
Not sure what situation is with Protective MBR Flag but set it to leave as is for now.
Here is the result of my look at efi nvram:-

linux-vgan:~ # efibootmgr -v
BootCurrent: 000D
Timeout: 10 seconds
BootOrder: 000E,000D,0000,0001,0002,0003,0004,0005,0006,0007,0008,0009,000A,000B,000C
Boot0000* CD/DVD Rom    ACPI(a0341d0,0)PCI(1f,2)ATAPI(0,0,0)CD-ROM(1,3b1,229c60)
Boot0001* Floppy Disk   Vendor(0c588db8-6af4-11dd-a992-00197d890238,00)
Boot0002* Hard Disk 0   Vendor(0c588db8-6af4-11dd-a992-00197d890238,08)
Boot0003* PXE Network   Vendor(0c588db8-6af4-11dd-a992-00197d890238,06)
Boot0004* Hard Disk 1   Vendor(0c588db8-6af4-11dd-a992-00197d890238,09)
Boot0005* Hard Disk 2   Vendor(0c588db8-6af4-11dd-a992-00197d890238,0a)
Boot0006* Hard Disk 3   Vendor(0c588db8-6af4-11dd-a992-00197d890238,0b)
Boot0007* USB Storage   Vendor(0c588db8-6af4-11dd-a992-00197d890238,03)
Boot0008* Diagnostics   Vendor(0c588db8-6af4-11dd-a992-00197d890238,da)
Boot0009* iSCSI Vendor(0c588db8-6af4-11dd-a992-00197d890238,04)
Boot000A* iSCSI Critical        Vendor(0c588db8-6af4-11dd-a992-00197d890238,05)
Boot000B* Legacy Only   Vendor(0c588db8-6af4-11dd-a992-00197d890238,ee)
Boot000C* Embedded Hypervisor   Vendor(0c588db8-6af4-11dd-a992-00197d890238,01)
Boot000D* opensuse      HD(1,800,4e000,446a5fac-7ea9-4190-b977-dc908f8bfea0)File(\EFI\opensuse\grubx64.efi)
Boot000E* opensuse-secureboot   HD(1,800,4e000,446a5fac-7ea9-4190-b977-dc908f8bfea0)File(\EFI\opensuse\shim.efi)
linux-vgan:~ #

i note current is Boot000D which is opensuse and boot order puts Boot000E first which looks to me as it should be, so here goes with reboot.

Fingers crossed!!!

Budgie2 · February 12, 2016, 4:46pm

Hi Malcolm,
Many thanks. My MBR flag is set Protective as you advised it should be and although my machine would not reboot from command, I had to press and hold power button, I am back up and running and all seems well.
A few other quirks, the reboot failure, terminal screen settings being volatile and reverting to default for example. Will keep using and hope they iron themselves out.
Once more many thanks,
Budgie2