kernel boot failed after deleting secure boot database and enabling secure boot in bios

Hi, I am Rupesh from India and I have a new PC with an Intel i3 10th gen 10100 processor and an Asus Prime H510M-E motherboard. I have installed openSUSE Tumbleweed and updated all new packages. Booting the OS from GRUB failed after deleting the secure boot database and enabling secure boot mode in the BIOS.

At the time of installation I had disabled secure boot in the BIOS. I have run the Linux system a number of times and recently I issued the mokutil command and the output was


localhost:~/soft/help # mokutil --sb-state
SecureBoot disabled

Many sites suggested enabling secure boot mode in the BIOS, and so I deleted the secure key database and enabled secure boot. After deleting the secure key database I selected the option install default keys.

After enabling secure boot mode I tried to boot into Windows 11 and it showed a message about updating the system, and after restarting I was logged into my system properly.

After that I tried to boot into my Linux system and the login was successful. I tried to open the SUSE software manager and it showed an error that PackageKit is running, try to quit, and I selected yes; again it showed the error that PackageKit is running, try to ask it to quit, and I selected yes. This happened up to 50 times and at last I closed it.

After that I opened a terminal emulator and issued the mokutil command and the result is secure boot mode enabled; I am showing the output below


localhost:~/soft/help # mokutil --sb-state
SecureBoot enabled

After that I selected the shutdown option in the GNOME Wayland desktop and it didn't happen, so I pressed the Esc key to see what was going on and found messages like

Stopped accounts service
Job running uid 0

The last message was something like job running to stop uid 0, but I can't remember.

As it was taking much time I pressed the reset button, and after GRUB2 loaded I think the kernel loaded successfully but failed to load modules, so after some time the system halted without any display manager screen.

At present my system has the default and vanilla 5.6.11 kernels installed from the YaST package manager.

The unexpected halt happened only after enabling secure boot mode in the BIOS.

At present I have openSUSE Tumbleweed USB installation media and I am able to run rescue mode and chroot and even make changes like creating new files or deleting files, installing any package, running YaST, etc.

My request is: how do I install a new key to boot successfully into a secure boot enabled UEFI PC?

Your post is very confusing.

What does “deleting secure boot database” actually mean? Did you configure the bootloader for secure-boot support? What does:

mokutil -l

show? There's no need to post the detailed output. But does it give a list of enrolled keys with at least 1 key in that list? Or does it say that the enrolled list is empty, or give some other error?

When I bought the new PC two months back I think that secure boot was enabled; after that I made some changes in the BIOS which I can't remember, and after that I installed Windows 11 and then openSUSE Tumbleweed.

After that I ran the Linux system a number of times and recently I issued the command mokutil --sb-state and found that secure boot is disabled.

I am using an Asus Prime H510M-E motherboard and it has two options under the secure boot section; they are

Os type: "windows uefi mode" or "other os"
Secure boot mode: standard or custom

Previously I tried a number of ways to enable secure boot mode but failed, and today I selected the options as

Os type: windows uefi mode
Secure boot mode: standard

After selecting options such as other os and custom and issuing the command mokutil --sb-state I get the output secure boot mode disabled.

And after restarting into Windows I saw a message that secure boot is enabled, and I even saw secure boot mode enabled after issuing mokutil. I failed to boot the second time.

In my motherboard BIOS, under secure boot mode, when I select secure boot mode as custom I am able to see options such as "clear secure boot keys" and "save all secure boot keys" under key management.

Deleted means I selected the clear secure boot keys option and after that I selected "load default keys".

All this happened while I was in custom mode in the secure boot section of the BIOS.

After returning to the standard option, the key management section disappeared.

I have read on the UEFI page of Wikipedia that UEFI provides its own key to the OS, and the other is that it provides a way for the OS to set its own key.

At the time of installation secure boot was disabled and so the kernel, modules, etc. were installed without any support for it.

Now that secure boot is enabled, the system is unable to boot.

I booted into rescue mode using the USB installation media and issued the command mokutil -l and I am able to see some numbers which may be signatures, so it is not empty.

Is there any way to reconfigure the system, like installing a new package related to secure boot in rescue mode, so that my system will boot properly?

This is still confusing, but it is a little better than before.

So you cleared the secure-boot state in BIOS settings, which might have deleted all keys. But then you booted into Windows, which probably reinstalled the Microsoft key needed for Windows.

How your system handles Linux has relatively little to do with that, except that it needs to be approved by the Microsoft key (which is what the "shim" package is supposed to do).

When you try to boot openSUSE, what happens? Is there a grub menu? Or is there an error before that?

If there is a grub menu, do you get a secure-boot violation on trying to load the kernel?

We need some more detail than just that it doesn’t boot.

You cannot boot anything if all keys are really deleted. The Microsoft key is the default and will likely be present if secure boot is enabled. The BIOS may offer something like "custom mode" in which no default keys are present and you are able to enroll your own keys. But the OP said "After deleting secure key database I have selected option install default keys".

I am able to see GRUB2 and select an operating system such as Windows 11, kernel default, and kernel vanilla.

I have seen the openSUSE secure boot page and I found the following

mokutil --revoke-cert

You still have not given us any useful information.

If you can use “mokutil” then you successfully booted. So what is the actual problem?

I have seen mokutil in rescue mode and not after booting the OS.

Then what actually happens when you boot the OS?

In the GRUB2 menu I selected kernel default to boot, and after 8 seconds the system halts without entering a display manager like SDDM.

After it starts to boot, hit the ESC key. Does it then give you a stream of messages from the starting system?

Yes, I pressed the Esc key to see what was running and I noticed some modules being loaded, and within two seconds the system halted, so I can't notice at which point the system halted.

Then your system seems to have loaded the kernel, so this is not a grub boot problem and not a secure-boot problem as far as I can tell based on what you describe.

Can you boot to multi-user mode (without the graphics)? To try this, hit ‘e’ on the grub menu line, scroll down to the line starting “linux” or “linuxefi” and then append " 3" to the end of that line (without those quotes). Use CTRL-X to resume booting. See if that boots up to a command line.

As you said, I added 3 to the end of the line starting with linuxefi and after that I saw a console login instead of the display manager screen. After that I logged in with root permissions and issued sddm, and after that I saw the display manager screen.

After rebooting I tried to boot into the system the normal way but it failed again.

If you want, I am ready to provide any log messages so that the exact issue can be traced.

Try to solve my issue with patience.

Somewhere I read that the kernel and modules must be signed to make the system work properly.

May I know how to check whether my old kernel and modules are signed or not? If they are not signed, then can you suggest how to sign the kernel and modules?

It looks as if there is some sort of graphic display problem. But if you can start SDDM as root, then it might only be a misconfiguration. I’m not an expert in details of graphic configuration, so I hope someone else can step in at this point.

If secure-boot is enabled, then you would not have been able to load the kernel at all if it were not signed. And you got past that point. So the kernel is signed.

Most of the modules come with the kernel, and are also signed. The only modules that could cause problems are ones that are added later, such as the Nvidia drivers or the virtualbox modules. Those are signed, too, but you might not have installed the key needed to verify those.

It is possible that your configuration depends on Nvidia drivers, and is failing because of that. Best for someone with more Nvidia experience to explore that. You can perhaps try:

mokutil --disable-validation

That will ask for you to provide a password. On the next boot, you should see a blue screen and you need to respond to that. It will ask questions about the password, and complete the disabling of validation. If that happens to be your problem, then this should allow you to boot properly into graphics mode. Then after you get that setup fixed, you can go back and enable validation.
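To check the two things the reply above relies on (what the firmware reports for Secure Boot, which is what mokutil --sb-state reads, and whether a kernel module carries a signer, which decides whether an out-of-tree module such as the Nvidia driver will load), here is an added example that is not code from the thread or from openSUSE. The efivarfs path is the standard one but assumed to be mounted; the sample modinfo text in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report the firmware's Secure Boot
# state and find kernel modules without a signer.

# SecureBoot variable as exposed by efivarfs (standard EFI global GUID;
# the mount point under /sys is assumed).
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte FILE: print the first data byte of an efivarfs file as a
# decimal. efivarfs prefixes the data with a 4-byte attribute word, so the
# value lives at offset 4. Prints nothing if the file cannot be read.
efivar_byte() {
    od -An -t u1 -j 4 -N 1 "$1" 2>/dev/null | tr -d ' '
}

# sb_state [FILE]: "enabled", "disabled" or "unknown" (no UEFI / no efivarfs).
sb_state() {
    case "$(efivar_byte "${1:-$SB_VAR}")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# module_signer FILE: FILE holds the output of `modinfo <module>`, e.g.
#   signer:         openSUSE Secure Boot Signkey
# Print the signer, or "unsigned" when no signer: line is present.
module_signer() {
    signer=$(sed -n 's/^signer:[[:space:]]*//p' "$1")
    if [ -n "$signer" ]; then printf '%s\n' "$signer"; else echo unsigned; fi
}

# unsigned_loaded_modules: on a live system, list currently loaded modules
# that have no signer. Modules shipped with the distribution kernel should
# not appear; out-of-tree ones (nvidia, vboxdrv) are the usual candidates,
# and those are the ones a signature-enforcing kernel will refuse.
unsigned_loaded_modules() {
    awk '{ print $1 }' /proc/modules | while read -r m; do
        modinfo "$m" 2>/dev/null | grep -q '^signer:' || echo "$m"
    done
}
```

Source the file on the affected machine and run `sb_state` and `unsigned_loaded_modules`; to inspect one module that is not loaded, save `modinfo <name>` to a file and pass it to `module_signer`.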

This disables validation in shim. I am not sure whether this affects module validation by kernel. I see exactly one place where kernel queries EFI variable with current validation state and that happens in Xen code. I am really interested - have you tested it?

I have tested, but incompletely as I don’t have any signed modules that need checking. I have seen posts by other people suggesting that it works for Nvidia and for virtualbox, but I don’t have a way of directly testing that.