Without seeing the exact error message the educated guess is that you need to enroll Ubuntu certificate into the MokList.
It is not grub, it is shim which has embedded vendor certificate.
ChatGPT recommends chainloading the ubuntu shim, or alternatively importing the keys, but it says that the latter is complicated. For my taste, importing keys sounds better, but only if I don't have to manually re-import them regularly after updates!
This may or may not work. Two shims may fight with each other over who is providing the protocols. Also, binary launched by firmware and binary launched by another binary will likely see different environment which may affect their behavior.
That is the question to Ubuntu - how often it changes its signing key.
I found a simpler solution to boot ubuntu and tumbleweed. I'm now booting with the grub from ubuntu-server where I can choose ubuntu and windows, with ubuntu as default. If I want to boot Tumbleweed I use "sudo efibootmgr -n xxxx && sudo reboot" in ubuntu to one-time boot Tumbleweed from its own grub (with its own shims).
So it's chainloading of ubuntu and tumbleweed instead of chainloading shims.
So headless I can use this solution, and if monitor, keyboard and mouse are connected (currently via monitor kvm-switch) I can either use this method, or use the bios-boot-menu.
Import the key.
Boot up Ubuntu - either boot the live USB or DVD, or boot using the BIOS boot menu. Then, while running Ubuntu:
mokutil --list-enrolled
If there are multiple keys, then make a note of which one is the Canonical CA key. Best to write down both fingerprint and the key number.
Then:
mokutil --export
Find the Canonical key among those exported, and copy it to a USB device or to a directory that you can reach from Tumbleweed (maybe in the EFI partition).
Now boot up Tumbleweed, and use
mokutil --import "path-to-key"
Reboot. You should see a blue screen where you can complete the importing of the key.
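The "note the fingerprint and key number" step above can be scripted; this is an added example, not part of the original post. It assumes `mokutil --list-enrolled` prints `[key N]` blocks with a `SHA1 Fingerprint:` line and that `mokutil --export` writes `MOK-000N.der` files in the same order; `find_mok_key` and `sample_listing` are hypothetical helper names, and the listing is constructed sample data.

```shell
#!/usr/bin/env bash
# Added example: locate a vendor CA in `mokutil --list-enrolled` output.
# Reads the listing on stdin and prints, for every enrolled key whose
# Subject contains the pattern in $1 (default: Canonical):
#   <key number> <SHA1 fingerprint> <expected export file name>
find_mok_key() {
    local pattern="${1:-Canonical}"
    awk -v pat="$pattern" '
        /^\[key [0-9]+\]/    { n = $2; sub(/\]/, "", n); fp = ""; next }
        /^SHA1 Fingerprint:/ { fp = $3; next }
        /^[ \t]*Subject:/ && index($0, pat) {
            # Assumption: export files are numbered like the [key N] blocks.
            printf "%d %s MOK-%04d.der\n", n, fp, n
        }
    '
}

# Constructed sample listing; the fingerprints are placeholders, not real keys.
sample_listing() {
    cat <<'EOF'
[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Issuer: CN=examplehost Secure Boot Module Signature key
        Subject: CN=examplehost Secure Boot Module Signature key
        Subject Public Key Info:
[key 2]
SHA1 Fingerprint: ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc
Certificate:
    Data:
        Issuer: C=GB, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Subject: C=GB, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
EOF
}

# Demo on the sample data. On a real system, run instead:
#   mokutil --list-enrolled | find_mok_key Canonical
# Before importing, compare the exported file against the noted fingerprint:
#   openssl x509 -inform DER -in MOK-0002.der -noout -fingerprint -sha1
sample_listing | find_mok_key Canonical
```

Only import the file whose fingerprint matches the one noted from the enrolled list.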
Yes, that worked. Now let's see how long the key lasts. If I have to change it often I will go back to my previous method with booting from ubuntu-grub and using "sudo efibootmgr -n xxxx" to boot Tumbleweed.
THANKS A LOT!
Fewer keystrokes to skip that command and hit your BIOS BBS hotkey during POST to choose TW.
I cannot do that headless!
Hmm . . . slightly "horrifying" to read through this thread as one of the few "multi-booters" that are apparently alive and using grub2 + osprober to boot a number of systems. It seems like the grub-bls system was not thoroughly tested before being selected as the new bootloader???
Reason for posting, to the OP . . . one problem I have found in running various linux OSs together is that my ubuntu flavors behave in a similar way to grub-bls, in that it tends to see itself as the only system available to boot . . . . So I have used TW for the grub handling . . . fortunately I still have grub2 to do those chores??? Wowza . . . sometimes change just to change isn't the right choice???
This posting has put me off trying grub2-bls.
Hi
So headless multi-boot system, just let it boot and then use the -n option with efibootmgr or change the order with the -o option and reboot?
I have a system running here with grub2-bls dual boot with Windows 11 Pro, I don't use it much, but also have the option to press the F12 key (or use that -n option) to get the boot menu just like most laptops (incl. Macs) and desktops with monitors attached.
It works fine for me and my use case along with all the additional security features it brings with newer hardware…
Since I wanted to boot Ubuntu server as default, using the opensuse grub, I would have had to chroot into Tumbleweed and then execute grub-reboot to boot Tumbleweed headless. I even had a script for this, but then decided to boot from Ubuntu grub again and then use "sudo efibootmgr -n xxxx" to boot a different boot manager once. For me, this seems to be the simplest/cleanest solution overall now. "GPT 5.1 Thinking" wrote me a nice script that simplifies the entries from "sudo efibootmgr -v", outputs them numbered, and after selecting a number, boots the corresponding boot manager once.
#!/usr/bin/env bash
set -euo pipefail
# nextboot - show EFI boot entries, set next boot once, then reboot with countdown
# Note: the three-argument match() used below is a gawk extension, so awk must be gawk.

# Read boot entries: extract boot number and name
mapfile -t boot_entries < <(
    sudo efibootmgr -v | awk -F'\t' '
        /^Boot[0-9A-Fa-f]{4}/ {
            if (match($1, /^Boot([0-9A-Fa-f]{4})\*?[[:space:]]*(.+)$/, m)) {
                # m[1] = 4-digit hex ID, m[2] = name (e.g. "Ubuntu", "Windows Boot Manager")
                printf "%s;%s\n", m[1], m[2];
            }
        }'
)

if (( ${#boot_entries[@]} == 0 )); then
    echo "No boot entries found."
    exit 1
fi

echo "Available boot entries:"
i=1
for entry in "${boot_entries[@]}"; do
    IFS=';' read -r id label <<< "$entry"
    printf "%2d) %s (%s)\n" "$i" "$label" "$id"
    ((i++))
done
echo
printf "Please enter the number of the desired entry (1-%d): " "${#boot_entries[@]}"
read -r choice

# Validate input
if ! [[ "$choice" =~ ^[0-9]+$ ]]; then
    echo "Invalid input (not a number)."
    exit 1
fi
if (( choice < 1 || choice > ${#boot_entries[@]} )); then
    echo "Number out of valid range."
    exit 1
fi

selected="${boot_entries[choice-1]}"
IFS=';' read -r id label <<< "$selected"
echo "Setting one-time next boot entry to: $label (Boot$id)"
sudo efibootmgr -n "$id" > /dev/null
echo "Done. This entry will be used for the next reboot only."
echo

# Countdown + reboot
countdown=5
echo "The system will now reboot."
echo "Press CTRL+C to cancel if you change your mind."
echo
while (( countdown > 0 )); do
    printf "\rRebooting in %d seconds..." "$countdown"
    sleep 1
    ((countdown--))
done
echo -e "\rRebooting now... "
sudo reboot
Idle question from the "multi-booter advocate society (MBAS)" . . . would it not be possible to install TW as it is now provided, with grub-bls . . . which would leave the other installs intact but not "probable" for the interim.
Boot TW . . . run "#zypper rm grub-bls" to surgically remove the non-multi-booting/non-os-prober app . . . and then run #zypper in grub2 . . . to install the traditional bootloader with capabilities to probe other OSs . . . ???
TW's grub2 plays well with other OSs whereas I believe that Ubuntu's seems to blacklist them???
I just did a fresh openSUSE Tumbleweed installation and switched from GRUB2-BLS to GRUB2-EFI while still in the installer.
@susejunky hopefully you planned for the future and made /boot/efi 4GB?
I do not use snapshots and rarely keep more than 3 kernels at a time. This currently takes approximately 150MB of my ESP …
OK . . . I thought I saw that possibility discussed in the Factory list-serve . . . but OP seems to be missing that chance during their installs??? Keeps coming up bls snake-eyes??
You have to click on the bootloader option and select there on the final install screen before you proceed. That option has been there for literally years, just like all the others for further customization before installing…
Indeed I am familiar with needing to tick the "install bootloader" box as one of the final steps to prepare to install. So now there would be some options to select from among a few types of bootloaders . . . .
But, for the purposes of discussion, since the OP appears to have missed the option and installed the grub-bls "default" choice . . . is it possible or feasible to try the "remove bls" and "install grub2" AFTER the installation??
Or, nope, the installer has to set up the various "EFI" and "boot/efi" directories, into which it then places the "grub2" file?? So the bootloader can't be retroactively changed after the install? Asking for the OP.
@non_space likely I think @nrickert has described? But it negates the purpose of Tumbleweed and any associated issues (openQA tests grub2-bls now) with flip flopping setups and any associated bugs…
Sure Linux is like that, but there is also an expectation that consumers of this product understand its target audience, developers, sysadmins and ultimately users who accept the defaults and use "as is"… If not then Leap, Slowroll and Kalpa is probably worth investigating? I've not included Aeon as it's single boot, likewise MicroOS.