I have a relatively new install of Tumbleweed on my Dell laptop, which has NVIDIA graphics and dual boots with Windows.
I have set it up to use Secure Boot and it works, though on every kernel update to a newer version and post-build install it ends up with MOK requesting the new key enrollment, which I add, and everything works as it should on the Linux side.
On a subsequent reboot to Windows I get a blue screen asking me to enter a new Microsoft recovery key from aka.ms/recoverykey. I have to log in to my Microsoft account and enter the lengthy key. I have to do this every time after a new MOK key enrollment.
Am I missing something in my setup? Is there a workaround to avoid keying in the recovery key for Windows every time?
In which case, on a Secure Boot system you must be using shim.
As is common, you have not provided any details about your Windows, so educated guess - you are using BitLocker with TPM Key Protector. BitLocker TPM Key Protector binds auto-unlock to the Secure Boot state of the system. Adding a new NVIDIA certificate changes the Secure Boot state and invalidates BitLocker protection, so it refuses to unlock the key.
@arvidjaar - Your assumptions are correct; this is a new Dell laptop that follows the latest Microsoft guidelines and I have not tinkered with the Windows install to change anything.
Is there a way we can avoid the Secure Boot invalidation?
Do not use grub2 to chainload the Microsoft bootloader; use your BIOS boot menu to select it. It will bypass shim, which adds all those certificates to the mix.
Do not use the SUSE NVIDIA package; directly use the NVIDIA run file, maybe with DKMS to automate kernel updates. Create your own keypair, enroll your own certificate once and use your private key when building the NVIDIA kernel driver.
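
A simplified model of the behaviour described in the replies above, as an added example that is not part of the original thread: it chains measurements the way a TPM extends a PCR and shows when a value sealed at one boot stops matching. The event strings, certificate labels and the reseal-after-recovery step are constructed assumptions; a real TPM event log contains different and additional measurements.

```python
import hashlib
import hmac


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def windows_boot_pcr(mok_certs, via_shim: bool) -> bytes:
    """PCR value when Windows starts, for one boot path (constructed events)."""
    events = [b"firmware: SecureBoot=on", b"firmware: db/dbx"]
    if via_shim:
        # Assumption taken from the reply: chainloading through grub2 puts
        # shim, and the certificates it adds, into the measured state.
        events.append(b"shim loaded")
        events += [b"MOK cert: " + c for c in sorted(mok_certs)]
    events.append(b"Windows boot manager")
    pcr = bytes(32)  # PCRs start at all zeroes
    for event in events:
        pcr = extend(pcr, event)
    return pcr


def recovery_prompts(kernel_updates: int, via_shim: bool,
                     new_cert_per_update: bool) -> list:
    """Return, per kernel update, whether the next Windows boot asks for
    the recovery key. Starts after the first certificate is enrolled."""
    mok = {b"driver-cert-0"}
    sealed = windows_boot_pcr(mok, via_shim)  # protector bound to this state
    prompts = []
    for n in range(1, kernel_updates + 1):
        if new_cert_per_update:
            mok.add(b"driver-cert-%d" % n)  # new enrollment on each update
        current = windows_boot_pcr(mok, via_shim)
        unlocked = hmac.compare_digest(sealed, current)
        prompts.append(not unlocked)
        if not unlocked:
            sealed = current  # assumption: resealed after the recovery key
    return prompts


if __name__ == "__main__":
    print("grub2 chainload, new cert each update:", recovery_prompts(3, True, True))
    print("firmware boot menu, new cert each update:", recovery_prompts(3, False, True))
    print("grub2 chainload, one own cert:", recovery_prompts(3, True, False))
```
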