My error was –
- I had too many Keys in the UEFI Key Exchange Key Signature database (KEK).
- I deleted – using the Mainboard’s UEFI BIOS setup menus – all the openSUSE/SUSE keys which weren’t “Secure Boot CA” …
> mokutil --kek | grep -iE 'Subject:|SHA1 Fingerprint:'
SHA1 Fingerprint: 29:76:43:59:2d:af:e8:1f:6b:11:6e:89:d9:6d:57:75:2f:1a:b8:0b
Subject: CN=ASUSTeK MotherBoard KEK Certificate
SHA1 Fingerprint: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
SHA1 Fingerprint: ec:56:e9:13:44:95:92:5f:d8:db:b4:8e:2c:31:8a:0d:79:e8:f8:e3
Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
>
> mokutil --kek | grep -i ' Validity' --after-context\=3
Validity
Not Before: Dec 26 23:34:59 2011 GMT
Not After : Dec 26 23:34:58 2031 GMT
Subject: CN=ASUSTeK MotherBoard KEK Certificate
--
Validity
Not Before: Jun 24 20:41:29 2011 GMT
Not After : Jun 24 20:51:29 2026 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
--
Validity
Not Before: Apr 12 11:12:51 2012 GMT
Not After : Apr 11 11:12:51 2042 GMT
Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
--
Validity
Not Before: Apr 18 14:33:41 2013 GMT
Not After : Mar 14 14:33:41 2035 GMT
Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
--
Validity
Not Before: Jan 22 14:20:08 2013 GMT
Not After : Dec 18 14:20:08 2034 GMT
Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
>
Also, before rebooting and deleting the extraneous KEK keys, I re-ran the YaST Bootloader setup.
And then, the mokutil “Blue Screen” appeared at the next boot with the Secure Boot OS Type set to “Windows UEFI Mode” …
The current UEFI secure boot signature store (db) keys are:
> mokutil --db | grep -iE 'Subject:|SHA1 Fingerprint:'
SHA1 Fingerprint: 16:b3:6b:31:bb:b6:cb:eb:a3:b1:2e:dd:5a:32:32:e9:93:f3:7d:d1
Subject: CN=ASUSTeK MotherBoard SW Key Certificate
SHA1 Fingerprint: 62:b5:1e:d2:e6:c7:5e:27:33:52:c8:b0:52:1a:97:48:18:e9:23:3e
Subject: CN=ASUSTeK Notebook SW Key Certificate
SHA1 Fingerprint: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
SHA1 Fingerprint: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
SHA1 Fingerprint: 4a:aa:0b:54:67:76:1e:cf:c0:0a:42:32:b1:7a:b4:8b:3e:09:a3:bf
Subject: CN=SUSE Linux Enterprise Secure Boot Signkey, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
SHA1 Fingerprint: 40:90:59:99:c6:a8:81:6f:68:f7:17:bc:9f:e3:76:fd:6e:4c:3c:ef
Subject: CN=SUSE Linux Enterprise Secure Boot Signkey, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
SHA1 Fingerprint: 1f:67:32:97:da:56:8a:e0:de:df:db:7c:8c:c6:8f:9e:cb:85:72:75
Subject: CN=openSUSE Secure Boot Signkey, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
>
And now, the Secure Boot is just fine – systemd Journal entries:
0.000000] kernel: secureboot: Secure boot enabled
0.000000] kernel: Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
0.005643] kernel: secureboot: Secure boot enabled
But, I have keys being loaded from both the UEFI “db” and the MOKvar table (MokListRT) –
0.839252] kernel: Loading compiled-in X.509 certificates
0.839293] kernel: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 0ac62b1f3f534271132586e29d3b1041591c824a'
0.843207] kernel: integrity: Loading X.509 certificate: UEFI:db
0.868671] kernel: integrity: Loaded X.509 cert 'ASUSTeK MotherBoard SW Key Certificate: da83b990422ebc8c441f8d8b039a65a2'
0.868677] kernel: integrity: Loading X.509 certificate: UEFI:db
0.869088] kernel: integrity: Loaded X.509 cert 'ASUSTeK Notebook SW Key Certificate: b8e581e4df77a5bb4282d5ccfc00c071'
0.869090] kernel: integrity: Loading X.509 certificate: UEFI:db
0.869134] kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
0.869137] kernel: integrity: Loading X.509 certificate: UEFI:db
0.869182] kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
0.869184] kernel: integrity: Loading X.509 certificate: UEFI:db
0.869459] kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'
0.869460] kernel: integrity: Loading X.509 certificate: UEFI:db
0.869482] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 5a240449d29fd0d8a7a187e6fc0e26b95d1aa87b'
0.869483] kernel: integrity: Loading X.509 certificate: UEFI:db
0.869682] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f'
0.869683] kernel: integrity: Loading X.509 certificate: UEFI:db
0.869707] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 0ac62b1f3f534271132586e29d3b1041591c824a'
0.869708] kernel: integrity: Loading X.509 certificate: UEFI:db
0.869726] kernel: integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: fd9f2c12e599d67cc7f9067541adf426b712469e'
0.869945] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
0.870177] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f'
0.870179] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
0.870199] kernel: integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: fd9f2c12e599d67cc7f9067541adf426b712469e'
0.870200] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
0.870407] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f'
0.870408] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
0.870429] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 5a240449d29fd0d8a7a187e6fc0e26b95d1aa87b'
0.870430] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
0.870631] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f'
0.870632] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
0.871269] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: 3d4d40cf938539024b1cfc5a12dedfe8b17e755f'
0.871270] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
0.871290] kernel: integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: fd9f2c12e599d67cc7f9067541adf426b712469e'
0.871291] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
0.871310] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 0ac62b1f3f534271132586e29d3b1041591c824a'
0.871311] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
0.871514] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f'
0.871515] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
0.871534] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 5a240449d29fd0d8a7a187e6fc0e26b95d1aa87b'
0.871543] kernel: Loading compiled-in module X.509 certificates
0.871562] kernel: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 0ac62b1f3f534271132586e29d3b1041591c824a'
How that needs to be cleaned up remains an open work item …
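An added example, not part of the post above: a small Python audit that parses mokutil-style output (the openssl text fields the post greps for) and reports the two things the post ran into, the same Common Name present under more than one fingerprint in a key store, and KEK entries approaching their "Not After" date. The sample input is constructed here in the shape mokutil prints, using the fingerprints and validity dates quoted in the post; the `[key N]` headers and field indentation are assumed.

```python
"""Audit mokutil --kek / --db output for duplicate and soon-expiring certificates."""
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `mokutil --kek` (openssl -text fields);
# fingerprints, dates and subjects are the ones shown in the post above.
SAMPLE_KEK = """\
[key 1]
SHA1 Fingerprint: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
        Validity
            Not Before: Jun 24 20:41:29 2011 GMT
            Not After : Jun 24 20:51:29 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
[key 2]
SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
        Validity
            Not Before: Apr 18 14:33:41 2013 GMT
            Not After : Mar 14 14:33:41 2035 GMT
        Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
[key 3]
SHA1 Fingerprint: ec:56:e9:13:44:95:92:5f:d8:db:b4:8e:2c:31:8a:0d:79:e8:f8:e3
        Validity
            Not Before: Jan 22 14:20:08 2013 GMT
            Not After : Dec 18 14:20:08 2034 GMT
        Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
"""

DATE_FMT = "%b %d %H:%M:%S %Y %Z"  # openssl's "Jun 24 20:51:29 2026 GMT"

def parse_mokutil(text):
    """One dict per certificate; a new record starts at every 'SHA1 Fingerprint:' line."""
    certs, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("SHA1 Fingerprint:"):
            cur = {"fingerprint": s.split(":", 1)[1].strip(), "subject": "", "not_after": None}
            certs.append(cur)
        elif cur and s.startswith("Not After :"):
            when = datetime.strptime(s.split(":", 1)[1].strip(), DATE_FMT)
            cur["not_after"] = when.replace(tzinfo=timezone.utc)
        elif cur and s.startswith("Subject:"):
            cur["subject"] = s.split(":", 1)[1].strip()
    return certs

def common_name(subject):
    m = re.search(r"CN=([^,]+)", subject)
    return m.group(1).strip() if m else subject

def duplicate_cns(certs):
    """CNs enrolled under more than one fingerprint (the post's two 'SUSE ... Secure Boot CA' KEK entries)."""
    seen = {}
    for c in certs:
        seen.setdefault(common_name(c["subject"]), set()).add(c["fingerprint"])
    return sorted(cn for cn, fps in seen.items() if len(fps) > 1)

def expiring_before(certs, iso_date):
    """CNs whose 'Not After' falls before the given YYYY-MM-DD date (UTC)."""
    cutoff = datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)
    return sorted(common_name(c["subject"]) for c in certs if c["not_after"] and c["not_after"] < cutoff)
```

On a live system, feed it `subprocess.run(["mokutil", "--kek"], capture_output=True, text=True).stdout` (and `--db`) instead of the sample.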