Reinstall UEFI boot option: opensuse-secureboot

Hi there,
Trying to fix an issue with my motherboard, I made a UEFI/BIOS upgrade. What a mistake!
Now I can’t boot at all due to UEFI config.
In the UEFI setup, before I had in "Boot option priority", Boot option#1: opensuse-secureboot
Now I have either UEFI: Built-in EFI shell or AHCI P0: Samsung SSD …

My config is motherboard ASRock 970 Extrem4
Opensuse Leap 15.0

How to reinstall the good option?
I have done a lot of reading but can’t find a similar issue, as I don’t want to jeopardise what is on my hard drive.

Thanks for your help

Hi
If you boot from the install media in rescue mode, then manually add the entries back via (assuming your efi partition is on /dev/sda);


efibootmgr -c -L "opensuse-secureboot" -l "\\EFI\\opensuse\\shim.efi"
efibootmgr -c -L "opensuse" -l "\\EFI\\opensuse\\grubx64.efi"

Thank you

At the first command I get the message

EFI variables are not supported on this system.

Any idea?

Looks like the installation media was not booted in UEFI-mode.

Set your UEFI to boot in UEFI-mode (not CSM-mode, not Legacy-mode, not any mixed mode and if you do not really need secureboot you could just disable that as well).

If the installation media is booted in UEFI-mode then the very first screen should NOT show the F-key selection on the bottom of the screen. If it does then the media was booted in CSM/legacy-mode.

Regards

susejunky

Load UEFI defaults and make sure CSM is turned off. This does the trick with both my recent machines using ASRock boards.

Well done! Start again, fixed. malcolmlewis, susejunky, you made my day!

BTW I need to read more about UEFI and secureboot.
What is the best config for a home computer? I am the only user, in a network of 4 family computers connected to the Internet through a wireless provider.

  • Boot option#1 #2 #3 #4 (opensuse, opensuse-secureboot, UEFI: Built-in EFI shell, AHCI P0: Samsung, Disabled)?
  • Secure boot (Disabled, Enabled)?

Thanks again

Only my opinion but if someone can change the boot stack then they already own the machine. Secure boot is security theater. If any of the stack up to the kernel is messed with it effectively bricks the machine until you reinstall the OS. :open_mouth:

So your system boots again? Congratulations!

Here are a few links which helped me when I got my first UEFI machine 5 years ago:

https://en.wikipedia.org/wiki/UEFI
https://en.wikipedia.org/wiki/GUID_Partition_Table
http://www.rodsbooks.com/efi-bootloaders/
https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf

“secureboot” is a security feature. You will have to decide yourself whether you want to use it (or not). I personally do not use secureboot on any of my machines.

Regards

susejunky

Hi
If secure boot is on you won’t (well shouldn’t be able to) get to UEFI: Built-in EFI shell. I have an Nvidia GT 640 here that even flashing the video BIOS doesn’t like secure boot… Unless you lock down your BIOS, I see little point in using it, but I do on some machines, on others I don’t but really only from a testing point of view.

These commands didn’t work for me. It turned out they assume the EFI partition is on a MBR partition table (and in the first partition), so this doesn’t work for GPT partition tables. If anyone ends up here, I suggest following the more complete instructions at https://www.reddit.com/r/openSUSE/comments/qwczfw/tumbleweed_guide_repairing_the_uefi_bootloader/
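An added example, not written by any poster in this thread: when `-d` and `-p` are omitted, efibootmgr targets `/dev/sda`, partition 1. The sketch below checks that the rescue system was booted in UEFI mode and prints the two commands from earlier in the thread with the disk and partition number derived from the ESP device you pass in (for example `/dev/nvme0n1p2`). The function names and the script itself are hypothetical; the commands are only printed for review, not run.

```shell
#!/bin/sh
# Added example: prints (does not run) efibootmgr commands for review.

# True when the running system was booted in UEFI mode. The optional
# argument overrides the sysfs path (only useful for testing).
booted_uefi() {
    [ -d "${1:-/sys/firmware/efi}" ]
}

# Split an ESP partition device into ESP_DISK and ESP_PART.
# Handles /dev/sdXN-style names and the "pN" suffix of NVMe/eMMC.
split_part() {
    case "$1" in
        /dev/nvme*n*p[0-9]*|/dev/mmcblk*p[0-9]*)
            ESP_PART=${1##*p}; ESP_DISK=${1%p"$ESP_PART"} ;;
        /dev/[shv]d[a-z]*[0-9])
            ESP_PART=${1##*[!0-9]}; ESP_DISK=${1%"$ESP_PART"} ;;
        *) return 1 ;;
    esac
    # Reject anything where the partition suffix is not purely numeric.
    case "$ESP_PART" in ''|*[!0-9]*) return 1 ;; esac
}

# build_cmd LABEL LOADER ESP_DEVICE
# Prints one efibootmgr invocation with explicit disk and partition.
build_cmd() {
    split_part "$3" || { echo "cannot parse device: $3" >&2; return 1; }
    printf "efibootmgr -c -d %s -p %s -L '%s' -l '%s'\n" \
        "$ESP_DISK" "$ESP_PART" "$1" "$2"
}

# Usage: sh this-script /dev/<esp-partition>
if [ "$#" -ge 1 ]; then
    booted_uefi || {
        echo "not booted in UEFI mode: EFI variables are unavailable" >&2
        exit 1
    }
    build_cmd opensuse-secureboot '\EFI\opensuse\shim.efi' "$1"
    build_cmd opensuse '\EFI\opensuse\grubx64.efi' "$1"
fi
```

Compare the printed disk and partition against `lsblk` output before running the commands, since a wrong `-d`/`-p` pair creates an entry that points at the wrong partition.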

Secure boot works on the notebook. But most users don’t need it.

**notebook:~ #** efibootmgr  
BootCurrent: 0003 
Timeout: 0 seconds 
BootOrder: 0003,0005,0000,2002,2001,2003 
Boot0000* openSUSE 
Boot0001* EFI PXE 0 for IPv4 (7C-8A-E1-BF-FA-F3)  
Boot0002* EFI PXE 0 for IPv6 (7C-8A-E1-BF-FA-F3)  
Boot0003* opensuse-secureboot 
Boot0005* Windows Boot Manager 
Boot2001* EFI USB Device 
Boot2002* EFI DVD/CDROM 
Boot2003* EFI Network 
**notebook:~ #** logout 
Connection to notebook closed. 
**erlangen:~ #** efibootmgr  
BootCurrent: 0000 
Timeout: 1 seconds 
BootOrder: 0000,0001 
Boot0000* tumbleweed-nvme0n1p2 
Boot0001* tumbleweed-test 
**erlangen:~ #**

Presumably you are better off with erlangen’s boot.