peerwal
November 16, 2021, 3:24pm
#1
Hi everyone,
since a couple of days ago I am getting that terrible message: **Invalid signature detected. Check secure boot policy in setup**. Secure boot has been enabled in both YaST and BIOS settings. Also, I am sure I didn't install unsigned kernels, but I installed a couple of packages where I was asked whether I would trust them. Maybe they weren't (properly) signed.
However, I am not quite sure what to check or try to repair in the BIOS secure boot setup section.
Would it make sense to enroll the vendor keys/signatures and what exactly would be the steps to do so?
Are there any other measures that can be taken except for disabling secure boot?
Do you still have a working kernel that will boot?
Sometimes, after installing a kernel update, there will be a blue screen to enroll a key. Do you enroll that key, or just ignore it?
peerwal
November 16, 2021, 7:30pm
#3
Oh yes, sorry, the system is booting fine using the latest kernel. I just get that Secure boot violation message in the beginning, so I don't get a bluescreen either.
peerwal
November 16, 2021, 7:48pm
#5
The command issues
sudo efibootmgr -v
[sudo] Passwort für root:
BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0000,0001,0006,0007
Boot0000* opensuse HD(1,GPT,53000538-2cd6-4eaf-a7cb-cee7b41accd5,0x800,0x100000)/File(\EFI\OPENSUSE\GRUBX64.EFI)
Boot0001* opensuse-secureboot HD(1,GPT,53000538-2cd6-4eaf-a7cb-cee7b41accd5,0x800,0x100000)/File(\EFI\OPENSUSE\SHIM.EFI)
Boot0006* UEFI: PXE IPv4 Realtek USB Ethernet Controller PciRoot(0x0)/Pci(0x14,0x0)/USB(15,0)/USB(3,0)/MAC(00e04c0b02e6,0)/IPv4(0.0.0.00.0.0.0,0,0)..BO
Boot0007* UEFI: PXE IPv6 Realtek USB Ethernet Controller PciRoot(0x0)/Pci(0x14,0x0)/USB(15,0)/USB(3,0)/MAC(00e04c0b02e6,0)/IPv6(::]:<->::]:,0,0)..BO
I’m pretty sure that’s your problem.
Your first choice for booting is opensuse without secure-boot.
Your BIOS sees the secure boot violation, and moves onto the second choice. But it also reports the secure-boot violation.
Most of the BIOS that I have seen just move on to the next choice, but do not report the secure-boot violation.
You can try removing the first choice
efibootmgr -b 0001 -B
but it might come back after future updates.
peerwal
November 17, 2021, 10:42am
#7
Unfortunately, removing 0001 did not change the behaviour. First choice is now 0008, whatever this is. Should I change the order in the NVME boot priority list, as here I have the secure boot option in the second place only?
hcvv
November 17, 2021, 11:59am
#8
peerwal:
Unfortunately, removing 0001 did not change the behaviour. First choice is now 0008, whatever this is. Should I change the order in the NVME boot priority list, as here I have the secure boot option in the second place only?
When you changed something and want to talk further about it, then please post it again. People cannot comment on what they do not see.
Your BIOS is changing the boot order.
Try getting into your BIOS settings. There should be a place there where you can change the boot order to put the secure-boot entry first.
Didn’t you advise OP to delete that entry?
nrickert:
… You can try removing the first choice
efibootmgr -b 000**1** -B
but it might come back after future updates.
peerwal:
sudo efibootmgr -v
[sudo] Passwort für root:
BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0000,0001,0006,0007
Boot0000* opensuse HD(1,GPT,53000538-2cd6-4eaf-a7cb-cee7b41accd5,0x800,0x100000)/File(\EFI\OPENSUSE\GRUBX64.EFI)
Boot000**1*** opensuse-secureboot HD(1,GPT,53000538-2cd6-4eaf-a7cb-cee7b41accd5,0x800,0x100000)/File(\EFI\OPENSUSE\**SHIM.EFI**)
Boot0006* UEFI: PXE IPv4 Realtek USB Ethernet Controller PciRoot(0x0)/Pci(0x14,0x0)/USB(15,0)/USB(3,0)/MAC(00e04c0b02e6,0)/IPv4(0.0.0.00.0.0.0,0,0)..BO
Boot0007* UEFI: PXE IPv6 Realtek USB Ethernet Controller PciRoot(0x0)/Pci(0x14,0x0)/USB(15,0)/USB(3,0)/MAC(00e04c0b02e6,0)/IPv6(::]:<->::]:,0,0)..BO
I guess you wanted OP to delete B0000 but made a typo.
I would say OP will have to re-create that entry for shim and then change the boot order to put it in the first place.
Regards
susejunky
Oops. It looks as if you are right about that.
Should still be bootable using the install media, and choosing “boot from hard drive”. Then, once in, run Yast bootloader to fix.
peerwal
November 18, 2021, 12:56pm
#12
susejunky:
Didn’t you advise OP to delete that entry? I guess you wanted OP to delete B0000 but made a typo.
I would say OP will have to re-create that entry for shim and then change the boot order to put it in the first place.
Regards
susejunky
Thanks to everyone. So, if I deleted the wrong entry, what would be the best way to recreate it?
peerwal
November 18, 2021, 1:22pm
#13
I just changed the order of the NVME Boot Priorities in the UEFI setup and made the secure boot option appear in the first place. This resulted in the **secure boot violation** message not showing up anymore when booting the system and the output for the boot order using the shell command now says
sudo efibootmgr -v
[sudo] Passwort für root:
BootCurrent: 0008
Timeout: 1 seconds
BootOrder: 0008,0000,0006,0007,0001,0002,0003
Boot0000* opensuse HD(1,GPT,53000538-2cd6-4eaf-a7cb-cee7b41accd5,0x800,0x100000)/File(\EFI\OPENSUSE\GRUBX64.EFI)
Boot0001* UEFI:CD/DVD Drive BBS(129,,0x0)
Boot0002* UEFI:Removable Device BBS(130,,0x0)
Boot0003* UEFI:Network Device BBS(131,,0x0)
Boot0006* UEFI: PXE IPv4 Realtek USB Ethernet Controller PciRoot(0x0)/Pci(0x14,0x0)/USB(15,0)/USB(3,0)/MAC(00e04c0b02e6,0)/IPv4(0.0.0.00.0.0.0,0,0)..BO
Boot0007* UEFI: PXE IPv6 Realtek USB Ethernet Controller PciRoot(0x0)/Pci(0x14,0x0)/USB(15,0)/USB(3,0)/MAC(00e04c0b02e6,0)/IPv6(::]:<->::]:,0,0)..BO
Boot0008* opensuse-secureboot HD(1,GPT,53000538-2cd6-4eaf-a7cb-cee7b41accd5,0x800,0x100000)/File(\EFI\OPENSUSE\SHIM.EFI)..BO
I guess I can keep it like that?
Regards
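
The check the thread converges on (is the first `BootOrder` entry the shim loader?) can be scripted. This is an added example, not part of the original posts: the function name `first_boot_check` is hypothetical, the sample inputs are trimmed from the `efibootmgr -v` outputs posted above, and treating any loader file whose name starts with `shim` as the Secure Boot entry is an assumption based on the `\EFI\OPENSUSE\SHIM.EFI` path shown in the thread.

```shell
#!/bin/sh
# Read `efibootmgr -v` output on stdin and report whether the FIRST entry in
# BootOrder loads shim (signed first stage) or something else (e.g. grubx64.efi).
# Prints: "<SHIM|NOT-SHIM> <entry> <loader file>", "NO-FILE <entry>" or "UNKNOWN".
first_boot_check() {
    awk '
        /^BootOrder:/ { split($2, order, ","); first = order[1] }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            entry[substr($1, 5, 4)] = $0      # key = 4-digit entry number
        }
        END {
            if (first == "" || !(first in entry)) { print "UNKNOWN"; exit }
            # Entries such as PXE or BBS have no File(...) node.
            if (!match(entry[first], /File\([^)]*\)/)) { print "NO-FILE " first; exit }
            path = tolower(substr(entry[first], RSTART + 5, RLENGTH - 6))
            gsub(/\\/, "/", path)             # EFI paths use backslashes
            sub(/.*\//, "", path)             # keep only the file name
            verdict = (path ~ /^shim.*\.efi$/) ? "SHIM" : "NOT-SHIM"
            print verdict, first, path
        }'
}

# Sample input trimmed from the first output in the thread (grub entry first).
sample_before() { cat <<'EOF'
BootCurrent: 0001
BootOrder: 0000,0001,0006,0007
Boot0000* opensuse HD(1,GPT,53000538-2cd6-4eaf-a7cb-cee7b41accd5,0x800,0x100000)/File(\EFI\OPENSUSE\GRUBX64.EFI)
Boot0001* opensuse-secureboot HD(1,GPT,53000538-2cd6-4eaf-a7cb-cee7b41accd5,0x800,0x100000)/File(\EFI\OPENSUSE\SHIM.EFI)
EOF
}

# Sample input trimmed from the last output in the thread (shim entry first).
sample_after() { cat <<'EOF'
BootCurrent: 0008
BootOrder: 0008,0000,0006,0007,0001,0002,0003
Boot0000* opensuse HD(1,GPT,53000538-2cd6-4eaf-a7cb-cee7b41accd5,0x800,0x100000)/File(\EFI\OPENSUSE\GRUBX64.EFI)
Boot0008* opensuse-secureboot HD(1,GPT,53000538-2cd6-4eaf-a7cb-cee7b41accd5,0x800,0x100000)/File(\EFI\OPENSUSE\SHIM.EFI)..BO
EOF
}

sample_before | first_boot_check
sample_after  | first_boot_check
```

On a live system the same function can be fed directly with `sudo efibootmgr -v | first_boot_check`.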