Moved 15.5 to Tumbleweed, presented with SBAT violation message

I upgraded an up-to-date 15.5 to Tumbleweed. Upon reboot I was presented with a SBAT violation message and the system shut down. I went into the BIOS and turned secure boot off. I have been poking at this based upon the UEFI article, but I’m not able to get secure boot turned back on as before. After the initial first boot of Tumbleweed I was presented with a blue mokutil screen, but I have no clue how I can force that to come forward again.

  • Restore to setup mode does not do much other than “mokutil --sb” reporting that secure boot is disable and in setup mode.
  • I installed the bootloader anew, as per what I read shim 15.4 is different than shim 15.7 which would be used in Leap 15.5. However that does not resolve the issue.
  • The openSUSE key is listed when I verify that with “mokutil --list-enrolled”.
  • After re-installing the bootloader I entered the BIOS again and selected “Restore Factory Keys” with the assumption it would take the SUSE key and it will be fine. However that turns me back to the SBAT violation message.

What can I try to resolve this to get secure boot to work again?

Do you still have Leap 15.5 available? You will need the shim from 15.5 to fix this. If you still have the 15.5 install media, that will suffice.

You can look HERE for details.

Wow! That suggested fix… Ph.D level CLI band-aid! Not in my league for sure. You would think that, after 6 months of this problem, someone would think it might be a good idea to fix it. You would think that, anyway.

I only have a 15.5 live available. The 15.5 install is overwritten with Tumbleweed. Going through the live 15.5 CD when executing “mokutil --set–bat-policy delete” that fails with “Failed to set SbatPolicy”. Is a live CD sufficient to resolve or should I install Tumbleweed freshly?

That 15.5 live media should be adequate, though I have not tested this.

(1) make sure that secure-boot is disabled in your BIOS.
(2) Boot into Tumbleweed
(3) Use the command:

mokutil --set-sbat-policy delete

I’m pretty sure that you will need to be root for that command to work.

(4) Reboot, but make sure that you use the 15.5 live media for the reboot.
(5) Check with:

mokutil --list-sbat

Again, you will need to be root for that to do anything.

The output that I get from that command is:

# mokutil --list-sbat

but I’m not sure that’s what to expect. You might instead see:


Either of those should be fine. If your output includes sbat,3 then something went wrong and you may have to repeat that sequence.

If it looks good, then re-enable secure-boot in your BIOS and see what happens.

Are you booted in EFI mode?

@nrickert Thanks for the help. My issue is resolved. Difference between your steps and the wiki was to boot to TW first to run the mokutil --set-sbat-policy delete command.

1 Like

I’m glad you have it fixed.

The “mokutil” in Tumbleweed is newer than the “mokutil” in Leap. But the “shim” (and “MokManager”) in Leap is newer than that in Tumbleweed.