New Kernel update MOK key enrollment breaks Windows EFI key

I have a relatively new install of Tumbleweed on my Dell laptop, which has NVIDIA graphics, with dual boot to Windows.

I have set up to use Secure Boot and it works, though on every kernel update to a newer version and post-build install it ends up with MoK requesting the new key enrollment, which I add, and everything works as it should on the Linux side.

On subsequent reboot to Windows I get a blue screen asking me to enter a new Microsoft recovery key from aka.ms/recoverykey. I have to log in to my Microsoft account and enter the lengthy key. I have to do this every time post new MoK key enrollment.

Am I missing something in my setup? Is there a workaround to avoid keying in the recovery key for Windows every time?

Looking forward to suggestions and guidance.

Thanks

How exactly do you reboot into Windows?

I have grub set up with one menu item for Windows.

I have set up a boot partition for EFI as defined in the SUSE wiki and have installed grub, which has an item for booting to Windows.

In which case, on a Secure Boot system, you must be using shim.

As is common, you have not provided any details about your Windows, so educated guess: you are using BitLocker with the TPM Key Protector. The BitLocker TPM Key Protector binds auto-unlock to the Secure Boot state of the system. Adding a new NVIDIA certificate changes the Secure Boot state and invalidates the BitLocker protector, so it refuses to unlock the key.

@arvidjaar - Your assumptions are correct; this is a new Dell laptop that follows the latest Microsoft guidelines and I have not tinkered with the Windows install to change anything.

Is there a way we can avoid the Secure Boot invalidation?

From the most simple to the most complicated:

  • Do not use grub2 to chainload the Microsoft bootloader; use your BIOS Boot menu to select it. It will bypass shim, which adds all those certificates to the mix.
  • Do not use the SUSE NVIDIA package; directly use the NVIDIA run file, maybe with DKMS to automate kernel updates. Create your own keypair, enroll your own certificate once and use your private key when building the NVIDIA kernel driver.
  • Implement the same framework for the SUSE NVIDIA package. I am pretty sure there was at least one openSUSE bug report where it was discussed. I believe it is 1211224 – How does Nvidia KMP work with dracut uefi_secureboot_cert solution when no MOK? (opensuse.org)
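The second option above, the "enroll your own certificate once, then sign every rebuilt module with the same key" workflow, as an added example that is not code from the thread or from any openSUSE or NVIDIA package. It assumes a bash environment with openssl, mokutil and the kernel's sign-file script; the key directory, the sign-file path, the module location under /lib/modules/.../updates and the certificate subject are all assumptions to adjust locally.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): one MOK keypair, enrolled once,
# reused for every NVIDIA kernel-module build so kernel updates never
# trigger a fresh MokManager enrollment. Paths and names are assumptions.
set -euo pipefail

# OpenSSL request config for a module-signing certificate. The codeSigning
# extended key usage is what the kernel's module signature check expects.
mok_openssl_config() {
  cat <<'EOF'
[ req ]
default_bits = 4096
distinguished_name = req_dn
prompt = no
x509_extensions = v3_mok
[ req_dn ]
CN = Local NVIDIA module signing key (example)
[ v3_mok ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier = hash
EOF
}

# Generate MOK.priv (private key, root-only) and MOK.der (certificate) in
# $1. Prints the certificate path. The private key never leaves this host.
make_mok_keypair() {
  local dir=$1
  mkdir -p "$dir"
  chmod 700 "$dir"
  mok_openssl_config > "$dir/mok.cnf"
  openssl req -new -x509 -newkey rsa:4096 -nodes -days 36500 \
    -config "$dir/mok.cnf" -keyout "$dir/MOK.priv" \
    -outform DER -out "$dir/MOK.der" 2>/dev/null
  chmod 600 "$dir/MOK.priv"
  printf '%s\n' "$dir/MOK.der"
}

# Enroll the certificate once. mokutil asks for a one-time password and the
# next reboot drops into MokManager; after that the key stays in MokList and
# no later kernel update needs another enrollment.
enroll_mok_cert() {
  local der=$1
  if mokutil --test-key "$der" >/dev/null 2>&1; then
    echo "certificate already enrolled: $der"
    return 0
  fi
  mokutil --import "$der"
}

# Sign one module with the private key. Handles the compressed module
# formats distributions ship (.ko.zst, .ko.xz) by unpacking, signing and
# repacking. sign-file path assumed from the running kernel's build tree.
sign_module() {
  local key=$1 der=$2 ko=$3 raw
  local sign_file="/lib/modules/$(uname -r)/build/scripts/sign-file"
  [ -x "$sign_file" ] || { echo "sign-file not found at $sign_file (install the kernel devel package)" >&2; return 1; }
  case "$ko" in
    *.ko.zst) zstd -dq --rm "$ko"; raw=${ko%.zst} ;;
    *.ko.xz)  xz -d "$ko";         raw=${ko%.xz} ;;
    *.ko)     raw=$ko ;;
    *) echo "not a kernel module: $ko" >&2; return 1 ;;
  esac
  "$sign_file" sha256 "$key" "$der" "$raw"
  case "$ko" in
    *.zst) zstd -q --rm "$raw" ;;
    *.xz)  xz "$raw" ;;
  esac
  # Confirm the signature landed: modinfo prints signer/sig_key for signed modules.
  modinfo "$ko" | grep -E '^(signer|sig_key)' || echo "no signature found in $ko" >&2
}

# Sign every NVIDIA module installed for the running kernel (glob assumed).
# With the NVIDIA run file the same key can be passed via its
# --module-signing-secret-key / --module-signing-public-key options, and
# DKMS can point at it from its framework config, so this loop is the
# manual fallback after a kernel update.
sign_nvidia_modules() {
  local key=$1 der=$2 ko
  for ko in /lib/modules/"$(uname -r)"/updates/*nvidia*.ko*; do
    [ -e "$ko" ] || continue
    sign_module "$key" "$der" "$ko"
  done
}
```

Typical one-time sequence as root: `cert=$(make_mok_keypair /root/mok)`, then `enroll_mok_cert "$cert"` and reboot once through MokManager; afterwards each kernel update only needs `sign_nvidia_modules /root/mok/MOK.priv "$cert"` (or the NVIDIA installer / DKMS configured with the same key), and because MokList does not change, the Secure Boot state the Windows side measures stays the same.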

Thanks for the suggestions!

When you state use BIOS boot menu, do I still need to have grub for linux or just directly boot?

Also, for NVIDIA are you suggesting I use the proprietary NVIDIA package?

I have set up my NVIDIA repo to point to the link below; is that correct?
https://download.nvidia.com/opensuse/tumbleweed

Yes, you need grub for Linux.

Sorry? You are using the proprietary NVIDIA package already.

P.S. The fourth possibility is to change PCRs used by Bitlocker. Output of

manage-bde -protectors -get C:

would be interesting.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.