I installed slowroll on a laptop with a self-upgraded SSD. The laptop needed servicing, so I sent it back with the factory SSD, and it has been returned to me with the BIOS reset.
How do I configure Secure Boot to boot from my already set-up SSD? It currently will not boot due to secure boot, and from what I can glean from web searches, openSUSE should support secure boot, but I am not sure how to set it up.
Start by downloading the live Tumbleweed media. You should be able to boot that with secure-boot on.
Then you did something wrong during installation or you misinterpret what you see. openSUSE is by default installed with Secure Boot support.
It just happens during installation. As you did not provide any information about the error(s) you see it is impossible to even guess why it does not work.
Start with showing a photo of the error you get during boot.
The BIOS says
Secure Boot Violation
Invalid signature detected. Check Secure Boot Policy in Setup.
I installed slowroll. Any installation changes to the BIOS secure boot key storage (not sure of the exact term) have been erased, as the laptop has been restored to factory settings. My SSD still has the openSUSE installation on it, as I swapped out the factory SSD to put the openSUSE one back upon receiving it back. Do I still need the Tumbleweed installation media to be able to boot my existing drive?
With the Agama installer, I have tried booting, starting with the BIOS boot options:
USB HDD
USB FDD
USB CD
All give me the same secure boot violation message.
Also, openSUSE boots fine with secure boot disabled. So the problem is definitely secure boot.
Maybe you need to redo the signatures, maybe something like this: Restore Secureboot Signatures
Boot openSUSE, show
ls -l /boot/efi/EFI/Boot
ls -l /boot/efi/EFI/opensuse
efibootmgr
lsblk -f -o +partuuid
Your post is barely readable. Always use preformatted text for computer output. You see how I post computer commands, don't you?
Anyway - it all looks good. Sounds like you do not have the expected certificate(s) in your BIOS. Show
mokutil --db
sbverify --list /boot/efi/EFI/opensuse/shim.efi
You probably need to install sbsigntools first.
mokutil --db
[key 1]
Owner: 3cc24e96-22c7-41d8-8863-8e39dcdcc2cf
SHA1 Fingerprint: 7b:9e:6c:c3:c2:2e:2a:f2:4f:5b:eb:27:d5:df:f7:3d:5d:74:e1:66
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
09:45:63:7a:d8:c2:20:df:61:ea:52:44
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=Kanagawa, L=Yokohama, O=Lenovo Ltd., CN=Lenovo Ltd. Root CA 2012
Validity
Not Before: Jun 29 10:47:31 2012 GMT
Not After : Jun 24 10:47:31 2032 GMT
Subject: C=JP, ST=Kanagawa, L=Yokohama, O=Lenovo Ltd., CN=ThinkPad Product CA 2012
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
83:8B:1F:54:C1:55:04:63:F4:5F:98:70:06:40:F1:10:69:26:59:49
X509v3 Authority Key Identifier:
EF:81:91:F6:CD:17:16:41:0A:68:50:6E:54:7E:70:CD:92:05:61:6B
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
[key 2]
Owner: 3cc24e96-22c7-41d8-8863-8e39dcdcc2cf
SHA1 Fingerprint: cb:02:59:71:48:26:c8:67:d1:42:2c:31:0b:88:15:01:60:39:8f:0b
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:09:48:62:90:34:75:92:87:34:95:87:23:09:4d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=North Carolina, O=Lenovo, CN=Lenovo UEFI CA 2014
Validity
Not Before: Jan 24 16:14:24 2014 GMT
Not After : Jan 19 16:14:24 2034 GMT
Subject: C=US, ST=North Carolina, O=Lenovo, CN=Lenovo UEFI CA 2014
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4B:91:A6:87:32:EA:EF:DD:2C:8F:FF:FC:6B:02:7E:C3:44:9E:9C:8F
X509v3 Authority Key Identifier:
4B:81:C7:50:AC:1E:A5:1F:CB:5F:FA:18:1B:74:32:CB:2D:68:62:8E
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
[key 3]
Owner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
SHA1 Fingerprint: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:07:76:56:00:00:00:00:00:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
Validity
Not Before: Oct 19 18:41:42 2011 GMT
Not After : Oct 19 18:51:42 2026 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
A9:29:02:39:8E:16:C4:97:78:CD:90:F9:9E:4F:9A:E1:7C:55:AF:53
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
D5:F6:56:CB:8F:E8:A2:5C:62:68:D1:3D:94:90:5B:D7:CE:9A:18:C4
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
Signature Algorithm: sha256WithRSAEncryption
[key 4]
Owner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
SHA1 Fingerprint: 45:a0:fa:32:60:47:73:c8:24:33:c3:b7:d5:9e:74:66:b3:ac:0c:67
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
33:00:00:00:1a:88:8b:98:00:56:22:84:c1:00:00:00:00:00:1a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
Validity
Not Before: Jun 13 18:58:29 2023 GMT
Not After : Jun 13 19:08:29 2035 GMT
Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
AE:FC:5F:BB:BE:05:5D:8F:8D:AA:58:54:73:49:94:17:AB:5A:52:72
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
D5:F6:56:CB:8F:E8:A2:5C:62:68:D1:3D:94:90:5B:D7:CE:9A:18:C4
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
Signature Algorithm: sha256WithRSAEncryption
sbverify --list /boot/efi/EFI/opensuse/shim.efi
warning: data remaining[838416 vs 965528]: gaps between PE/COFF sections?
signature 1
image signature issuers:
- /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
signature 2
image signature issuers:
- /CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org
image signature certificates:
- subject: /CN=openSUSE Secure Boot Signkey/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org
issuer: /CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org
I guess you prefer side-scrolling?
mattm3a:
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
...
Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023
...
signature 1
image signature issuers:
- /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
As you see you do not have keys used by Microsoft to sign (third-party) shim. This really looks like Windows-only. Quoting Microsoft (emphasis mine)
You may try resetting Secure Boot keys to default in BIOS setup (if this option is not available, you may try resetting complete BIOS to default). If that still fails, this is the question to the vendor of your system. In principle, it may be possible to enroll your own PK and KEK to enable db update and then enroll Microsoft keys (including additional Microsoft KEK to allow automatic updates). But it still may cause firmware updates to fail.
arvidjaar:
looks like Windows-only
I stay corrected. Your firmware does include the new Microsoft third party certificate “Windows UEFI CA 2023” which will phase out the old certificate “Microsoft Corporation UEFI CA 2011” that expires in year 2026. The problem is that currently openSUSE shim is still signed by the old certificate and for this reason rejected on your system.
It is unclear whether future shim binaries will be signed by both certificates.
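The comparison made in the replies above can be repeated on saved command output. This script is an added example, not part of the thread: it lists the certificate names on shim's signatures that also appear as Subject names in the firmware db. The file names db.txt and shim.txt, the function names and the trimmed sample lines are assumptions; it matches CN strings only and does not verify any signature.

```shell
#!/bin/sh
# Added example: do any CA names on shim's signatures appear in the firmware db?
# Name matching only; firmware checks keys and signatures, not CN strings.

# Subject CNs from saved `mokutil --db` output (file in $1).
db_subject_cns() {
    sed -n 's/^[[:space:]]*Subject: .*CN=\([^,]*\).*$/\1/p' "$1" | sort -u
}

# CNs of every subject/issuer in saved `sbverify --list` output (file in $1).
shim_chain_cns() {
    sed -n 's|.*/CN=\([^/]*\).*|\1|p' "$1" | sort -u
}

# Print shim chain names also present in db ($1 = db file, $2 = shim file).
# Empty output: the firmware holds no anchor for any signature on this shim.
matching_anchors() {
    tmp=$(mktemp) || return 2
    db_subject_cns "$1" > "$tmp"
    shim_chain_cns "$2" | grep -Fx -f "$tmp" || true
    rm -f "$tmp"
}

# Constructed sample: Subject and signature lines trimmed from the thread.
write_samples() {
    cat > "$1/db.txt" <<'EOF'
    Subject: C=JP, ST=Kanagawa, L=Yokohama, O=Lenovo Ltd., CN=ThinkPad Product CA 2012
    Subject Public Key Info:
    Subject: C=US, ST=North Carolina, O=Lenovo, CN=Lenovo UEFI CA 2014
    Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
    Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023
EOF
    cat > "$1/shim.txt" <<'EOF'
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature issuers:
 - /CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org
EOF
}

# Demo on the constructed sample. On a live system, save the real output first:
#   mokutil --db > db.txt
#   sbverify --list /boot/efi/EFI/opensuse/shim.efi > shim.txt
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
hits=$(matching_anchors "$demo_dir/db.txt" "$demo_dir/shim.txt")
echo "shim chain names present in db: ${hits:-none}"
rm -rf "$demo_dir"
```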