Hello,
I’m trying to install Leap 15.6 / Tumbleweed on an MSI GL62 7RD notebook with an external SSD drive and Secure Boot enabled. I can complete the full installation process without any problems, but when I try to boot into the OS from the external drive, I get the error: “invalid signature detected. Check secure boot policy in setup.” I have Windows 10 installed on the internal SSD. This error message appears for both Leap and Tumbleweed.
Secure boot was checked during installation.
I can boot into the OS, but I have to disable secure boot in the BIOS.
When you installed Leap 15.6, was secure-boot enabled during the install?
Do you have both Leap 15.6 and Tumbleweed installed on the external drive?
What is the output from
efibootmgr -v
You may need to disable secure-boot for now so that you can boot the system to get that output.
I’ll note that I have both Tumbleweed and Leap installed here (on an internal drive). To get this to work with secure-boot enabled, I boot using the “shim.efi” from Leap 15.6. I will get SBAT errors if I try to boot with the “shim.efi” from Tumbleweed.
I have enrolled the certificate “4659838C-shim.crt” from Tumbleweed (it is at “/etc/uefi/certs”) so that the Tumbleweed kernel is not flagged as having an invalid signature when booting with the Leap shim.
I did a fresh install just before answering you and suddenly it started working!
This time, I completely wiped my disk using diskpart in Windows before the installation - maybe that made a difference (besides that, I did everything the same as before).
EDIT:
I removed the external SSD, booted Windows, then plugged in the SSD again and tried to boot Leap - it no longer works and the “opensuse-secureboot” entry in the boot menu seems to be gone (I can only choose between “Windows boot manager” and “opensuse”).
On some systems, the EFI firmware will delete boot entries that no longer exist. And when you unplugged that SSD, the “opensuse-secureboot” entry no longer existed.
Here’s something you might try:
1: Delete that entry for “opensuse”. You can do that with:
efibootmgr -b 0006 -B
2: As root, set up booting in the directory: “/boot/efi/EFI/BOOT”
That’s the standard place for booting a removable drive. And that last part of the path might be “Boot” rather than “BOOT”.
Assuming that directory is your current directory:
When you next boot, there should be a boot entry, possibly with a name similar to “UEFI DISK” or “UEFI HD”. That should boot into your Leap system, and should work with secure-boot enabled.
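Which entry the firmware kept matters because the entries start different loaders. The following is an added example (not from the thread or from openSUSE): a shell function that classifies `efibootmgr -v` output by the loader each entry starts. The sample output, the verdict names, and the mapping of “opensuse” to grubx64.efi and “opensuse-secureboot” to shim.efi on a stock install are assumptions.

```shell
#!/bin/sh
# Added example: classify UEFI boot entries by the loader they start.
# Assumes the "efibootmgr -v" layout: BootNNNN* label<TAB>...File(\path)

# Constructed sample output (not taken from the machine in this thread).
sample_efibootmgr_output() {
    printf '%s\n' 'BootCurrent: 0001' 'BootOrder: 0001,0006,0000,0007'
    printf '%s\t%s\n' \
        'Boot0000* Windows Boot Manager' 'HD(1,GPT,aaaa)/File(\EFI\Microsoft\Boot\bootmgfw.efi)' \
        'Boot0001* opensuse-secureboot' 'HD(1,GPT,bbbb)/File(\EFI\opensuse\shim.efi)' \
        'Boot0006* opensuse' 'HD(1,GPT,bbbb)/File(\EFI\opensuse\grubx64.efi)' \
        'Boot0007* UEFI HD' 'HD(1,GPT,bbbb)/File(\EFI\BOOT\bootx64.efi)'
}

# Reads efibootmgr -v text on stdin, prints: number|label|loader|verdict
#   via-shim            entry starts shim, which then verifies the next stage
#   removable-fallback  \EFI\BOOT\ path; result depends on the file placed there
#   grub-direct         entry starts GRUB without shim in front of it
#   other               anything else (for example the Windows boot manager)
classify_boot_entries() {
    awk '
    /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ] / {
        num = substr($0, 5, 4)
        label = substr($0, 11); sub(/\t.*/, "", label)
        loader = "-"
        if (match($0, /File\([^)]*\)/))
            loader = substr($0, RSTART + 5, RLENGTH - 6)
        path = tolower(loader)          # FAT paths are case-insensitive
        base = path; sub(/.*\\/, "", base)
        if (base ~ /^shim.*\.efi$/)        verdict = "via-shim"
        else if (path ~ /^\\efi\\boot\\/)  verdict = "removable-fallback"
        else if (base ~ /^grub.*\.efi$/)   verdict = "grub-direct"
        else                               verdict = "other"
        printf "%s|%s|%s|%s\n", num, label, loader, verdict
    }'
}

# Demo on the constructed sample; on a real system run:
#   efibootmgr -v | classify_boot_entries
sample_efibootmgr_output | classify_boot_entries
```

With Secure Boot enabled, a `grub-direct` entry is the one to look at first when the firmware reports an invalid signature, and a `removable-fallback` entry is only as good as the file that was copied to that path.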
Try erase fTPM NV for factory reset if your UEFI offers something like this. But be careful: if you use BitLocker in Windows, have the recovery key ready.
Then you have to start Leap or Tumbleweed with Secure Boot disabled and run YaST Boot Loader once.
I will try to do what @nrickert suggested. If that doesn’t help, I will just install Leap on internal disk (or stick to disabling secure boot when needed).