Moved 15.5 to Tumbleweed, presented with SBAT violation message

I upgraded an up-to-date 15.5 to Tumbleweed. Upon reboot I was presented with an SBAT violation message and the system shut down. I went into the BIOS and turned secure boot off. I have been poking at this based upon the UEFI article, but I’m not able to get secure boot turned back on as before. After the initial first boot of Tumbleweed I was presented with a blue mokutil screen, but I have no clue how I can force that to come forward again.

  • Restore to setup mode does not do much other than “mokutil --sb” reporting that secure boot is disabled and in setup mode.
  • I installed the bootloader anew; as per what I read, shim 15.4 is different than shim 15.7, which would be used in Leap 15.5. However, that does not resolve the issue.
  • The openSUSE key is listed when I verify that with “mokutil --list-enrolled”.
  • After re-installing the bootloader I entered the BIOS again and selected “Restore Factory Keys” with the assumption it would take the SUSE key and it will be fine. However that turns me back to the SBAT violation message.

What can I try to resolve this to get secure boot to work again?

Do you still have Leap 15.5 available? You will need the shim from 15.5 to fix this. If you still have the 15.5 install media, that will suffice.

You can look HERE for details.

Wow! That suggested fix… Ph.D level CLI band-aid! Not in my league for sure. You would think that, after 6 months of this problem, someone would think it might be a good idea to fix it. You would think that, anyway.

I only have a 15.5 live available. The 15.5 install is overwritten with Tumbleweed. Going through the live 15.5 CD when executing “mokutil --set-sbat-policy delete” that fails with “Failed to set SbatPolicy”. Is a live CD sufficient to resolve or should I install Tumbleweed freshly?

That 15.5 live media should be adequate, though I have not tested this.

Try:
(1) make sure that secure-boot is disabled in your BIOS.
(2) Boot into Tumbleweed
(3) Use the command:

mokutil --set-sbat-policy delete

I’m pretty sure that you will need to be root for that command to work.

(4) Reboot, but make sure that you use the 15.5 live media for the reboot.
(5) Check with:

mokutil --list-sbat

Again, you will need to be root for that to do anything.

The output that I get from that command is:

# mokutil --list-sbat
sbat,1,2022052400
grub,2

but I’m not sure that’s what to expect. You might instead see:

sbat,1,2021030218

Either of those should be fine. If your output includes sbat,3 then something went wrong and you may have to repeat that sequence.

If it looks good, then re-enable secure-boot in your BIOS and see what happens.
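
How an SBAT level in the format listed above is compared against a boot binary, as an added example that is not part of the thread: a binary is refused when any component in its SBAT entries has a lower generation than the level requires. The binary entries below are constructed sample values, and `sbat_violations` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the thread. sbat_violations is a hypothetical helper.
# $1: SBAT level text, in the format "mokutil --list-sbat" prints
# $2: SBAT entries of a boot binary (component,generation,vendor,...)
# Prints one line per component whose generation is below the level's minimum.
sbat_violations() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -F, '
        $0 == "---"  { in_binary = 1; next }    # separator between the two inputs
        NF < 2       { next }                   # skip blank or malformed lines
        !in_binary   { min[$1] = $2 + 0; next } # level: component -> minimum generation
        ($1 in min) && ($2 + 0 < min[$1]) {
            printf "%s: generation %d is below required %d\n", $1, $2, min[$1]
        }'
}

# SBAT level as quoted in the thread.
LEVEL='sbat,1,2022052400
grub,2'

# Constructed binary entries (vendor, version and URL fields are placeholders).
OLD_BINARY='sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
grub,1,Example Vendor,grub2,0.0,https://example.invalid/grub'
NEW_BINARY='sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
grub,2,Example Vendor,grub2,0.0,https://example.invalid/grub'

echo "old binary:"; sbat_violations "$LEVEL" "$OLD_BINARY"
echo "new binary:"; sbat_violations "$LEVEL" "$NEW_BINARY"
```

Components that the level does not list are never reported, which is why a level containing only the `sbat` line accepts both sample binaries.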

Are you booted in EFI mode?

@nrickert Thanks for the help. My issue is resolved. Difference between your steps and the wiki was to boot to TW first to run the mokutil --set-sbat-policy delete command.


I’m glad you have it fixed.

The “mokutil” in Tumbleweed is newer than the “mokutil” in Leap. But the “shim” (and “MokManager”) in Leap is newer than that in Tumbleweed.