Restore Secureboot Signatures

Hi,

My laptop's RTC battery died and all settings in the UEFI menu were gone. So I replaced the battery, but the laptop warns me that the secure boot signatures are missing. After that it does boot Tumbleweed.

Is it possible to restore the secure boot signatures and if so, how?

The system says secure boot is still enabled:

mokutil --sb-state
SecureBoot enabled

Show the exact message. Make a photo of it.

I would be rather surprised if the content of EFI NVRAM were protected by the RTC battery.

I find it weird too, but basically this is all that happened. I got a secure boot error and the system refused to boot with secure boot on. I noticed the UEFI settings were all gone and the date/time was reset. So I checked that battery, it was oxidised and not working/not reading any voltage from it. I replaced it, restored all settings and I was left with this notification, but the system does boot again after I press Ok on this notification.

It does not look like anything coming from the MokManager or shim. Most likely it comes from your BIOS. Show the full output of efibootmgr.

It’s the BIOS indeed.

BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0000,0001,0002,0003
Boot0000* opensuse HD(1,GPT,3eb2a8ce-7996-47c2-a206-3e4da1ea32cd,0x800,0x100000)/File(\EFI\OPENSUSE\GRUBX64.EFI)
Boot0001* opensuse-secureboot HD(1,GPT,3eb2a8ce-7996-47c2-a206-3e4da1ea32cd,0x800,0x100000)/File(\EFI\OPENSUSE\SHIM.EFI)
Boot0002* UEFI: PXE IPv4 Realtek PCIe GBE Family Controller PciRoot(0x0)/Pci(0x1,0x2)/Pci(0x0,0x0)/MAC(b025aa4f9c49,0)/IPv4(0.0.0.00.0.0.0,0,0)0000424f
Boot0003* UEFI: PXE IPv6 Realtek PCIe GBE Family Controller PciRoot(0x0)/Pci(0x1,0x2)/Pci(0x0,0x0)/MAC(b025aa4f9c49,0)/IPv6([::]:<->[::]:,0,0)0000424f

It is not signed, that is where the error message comes from. Then the BIOS continues with the next boot entry.

Please, use preformatted text for computer output.

Okay, weird… How do I fix that?

efibootmgr -o 0001,0000,0002,0003

I’d change the boot order in UEFI BIOS, put opensuse-secureboot first.

So I did that and the output changed, but after a reboot, it changes the boot order again:


efibootmgr -o 0001,0000,0002,0003
BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0001,0000,0002,0003
Boot0000* opensuse	HD(1,GPT,3eb2a8ce-7996-47c2-a206-3e4da1ea32cd,0x800,0x100000)/File(\EFI\OPENSUSE\GRUBX64.EFI)
Boot0001* opensuse-secureboot	HD(1,GPT,3eb2a8ce-7996-47c2-a206-3e4da1ea32cd,0x800,0x100000)/File(\EFI\OPENSUSE\SHIM.EFI)
Boot0002* UEFI: PXE IPv4 Realtek PCIe GBE Family Controller	PciRoot(0x0)/Pci(0x1,0x2)/Pci(0x0,0x0)/MAC(b025aa4f9c49,0)/IPv4(0.0.0.00.0.0.0,0,0)0000424f
Boot0003* UEFI: PXE IPv6 Realtek PCIe GBE Family Controller	PciRoot(0x0)/Pci(0x1,0x2)/Pci(0x0,0x0)/MAC(b025aa4f9c49,0)/IPv6([::]:<->[::]:,0,0)0000424f

After reboot BootOrder is again 0000,0001,0002,0003

You might have to change the boot order in BIOS settings. Some systems have a BIOS that resets the order on reboot. But you should be able to change the order in the BIOS settings.

You can simply delete /boot/efi/EFI/opensuse/grubx64.efi and delete this boot entry

efibootmgr -b 0000 -B

It does not work anyway.

Thanks both. It worked. So I learned a bit about SecureBoot and EFI now :slight_smile:
And I think I now know how this came to be.

2 Likes
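The check discussed in this thread, as an added example that is not part of any post: it reads `efibootmgr` output and reports whether the first `BootOrder` entry loads `shim.efi` or some other loader, such as the unsigned `grubx64.efi` the firmware rejected here. The function names are hypothetical and the sample input is constructed from the output posted above, with the PXE entries left out.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `efibootmgr` output on stdin.

# Print "<bootnum> <loader path>" for the first entry listed in BootOrder.
first_boot_loader() {
    awk '
        /^BootOrder:/ { split($2, order, ","); first = order[1] }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ]/ {
            num = substr($0, 5, 4)
            path[num] = "(no file path)"          # e.g. PXE entries
            if (match($0, /File\([^)]*\)/))
                path[num] = substr($0, RSTART + 5, RLENGTH - 6)
        }
        END {
            if (!(first in path)) exit 2          # no BootOrder or dangling entry
            print first, path[first]
        }'
}

# Exit 0 if the first entry loads shim.efi, 1 if it loads anything else,
# 2 if the input could not be parsed.
first_entry_is_shim() {
    loader=$(first_boot_loader) || return 2
    case $(printf '%s' "$loader" | tr 'A-Z' 'a-z') in
        *'\shim.efi') return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the two openSUSE entries from the thread, with the
# BootOrder value supplied by the caller.
sample_output() {
    printf 'BootCurrent: 0001\nTimeout: 0 seconds\nBootOrder: %s\n' "$1"
    cat <<'EOF'
Boot0000* opensuse HD(1,GPT,3eb2a8ce-7996-47c2-a206-3e4da1ea32cd,0x800,0x100000)/File(\EFI\OPENSUSE\GRUBX64.EFI)
Boot0001* opensuse-secureboot HD(1,GPT,3eb2a8ce-7996-47c2-a206-3e4da1ea32cd,0x800,0x100000)/File(\EFI\OPENSUSE\SHIM.EFI)
EOF
}

# Demo: the order the firmware kept restoring, then the corrected order.
for order in 0000,0001 0001,0000; do
    if sample_output "$order" | first_entry_is_shim; then
        echo "BootOrder $order: first entry loads shim"
    else
        echo "BootOrder $order: first entry does NOT load shim"
    fi
done
```

On a live system the same check is `efibootmgr | first_entry_is_shim`, run after a reboot to see whether the firmware has reset the order.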