Leap Grub won't start Tumbleweed

English Install/Boot/Login
1

I have two partitions on my SSD, one with Leap and the other with Tumbleweed.
When I start the Leap partition, I can select the Tumbleweed installation in Grub.
However, it doesn’t start with the message:

error: …/…/grub-core/kern/efi/sb.c:192:bad shim signature.
error: …/…/grub-core/loader/i386/efi/linux.c:168:you need to load the kernel first.

Press any key to continue…

The same thing happens in reverse.

Within both partitions, I selected “probe foreign OS” in yast->‘boot loader’->‘bootloader options’ as well as “secure boot support” in ‘boot code options’.

How can I start Tumbleweed from Leap Grub?
Selecting it via the BIOS boot menu is very cumbersome (time-critical).

Regards

2
  1. While running Leap, mount the root partition from Tumbleweed at “/mnt”.
  2. Look in “/mnt/etc/uefi/certs”. There should be a file “4659838C-shim-opensuse.crt”. That’s the certificate that the Tumbleweed shim loads.
  3. Enroll that certificate. You can usemokutil --import mnt/etc/uefi/certs/4659838C-shim-opensuse.crt
  4. Reboot. You should get a blue MokManager screen. Follow the prompts to enroll.

After that, you should be able to boot Tumbleweed from the Leap grub menu.

(Note that the “mokutil” command will ask you for a password. And the actual enrolling with the blue screen will also ask for that password).

3

An addendum.

I have enrolled the Tumbleweed shim certificate while running Leap, and I have enrolled the Leap shim certificate while booted to Tumbleweed (from BIOS boot manager). After doing that, I have no trouble booting either Leap or Tumbleweed from either boot menu.

4

@nrickert

Thanks, this is the solution.

Two additional questions:

  1. how often do I have to do this procedure?
  2. Apparently, the certificates depend on the EFI entry used. Where are they stored, and where can I find out more?
5

On my current desktop computer, I did that with Leap 15.5 (the first system that I installed). I have no needed to redo it.

If the release manager changes to a newer CA certificate, then you will need to redo it.

The certificate is actually in “shim” itself. And there’s a copy in "/etc/uefi/certs. The EFI entry used is what decides which version lf “shim”. Tumbleweed uses the openSUSE CA certificate, while Leap uses the SUSE CA certificate.

6

@nrickert
:+1:

1 Like
7

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.