SecureBoot Enabled Boot fails when Secure Boot is enabled.

Hi all,

I have a strange problem:

My Windows 8.1 installation boots fine with Secure Boot on/off. Though this situation only comes up because Windows 8.1 shows a watermark in the bottom corner of the screen if Secure Boot isn’t enabled, I’d left it disabled until this point.

But I’m not so lucky with openSUSE 13.2:
I have enabled Secure Boot support in the YaST Bootloader module, and the opensuse-secureboot entry produced by such works fine when Secure Boot is disabled, but if I enable Secure Boot, then opensuse-secureboot goes to a black screen and stays there. It’s not a UEFI signature failure, since trying to launch the non-secureboot option with Secure Boot enabled results in a screen telling me there’s a signature failure. Any idea what’s going on here and how to fix it? My best guess is that shim is passing signature verification and something goes wrong afterwards, perhaps rejecting the signature on GRUB2? Or perhaps my firmware doesn’t like the double signature on shim? Is there a purely Microsoft key signed version of the shim file?

Thanks

You seem a bit ahead of your time. Or were you referring to opensuse 12.3?

There is a problem with 13.1RC1 (and with 13.1Beta1 before that). Secure boot doesn’t work.

If you are installing factory, perhaps that says “13.2”, and I would expect secure-boot to not work there, either, until it is fixed for 13.1.

If your problem is with 12.3, then I have to wonder what is going wrong.

Clarification is needed.

Yeah, I meant 12.3. I managed to typo my correction too, somehow.

I’m not on Factory or Tumbleweed.

I did do a rolling update to 12.3 from the previous version instead of updating from DVD though.

For me, 12.3 has been working fine with secure-boot.

I did originally install without secure-boot, then changed to secure-boot afterwards. I don’t think that’s relevant.

There have been updates to shim, so you should make sure that you are fully up-to-date. However, I am doubting that would be the cause of your problem. Perhaps your UEFI firmware is a bit fussier than mine.

If the OP did a net update rather than an install, he may not have the right settings for secure boot. Maybe they can be set in YaST. Normally you need to check the secure boot box when a normal media update or install is done. The OS does not or can’t see if Secure Boot is on, so it does not know to use the shim stuff, so you have to tell it.

If he has “shim.efi” in place in the EFI partition, then he likely has grub2-efi secure-boot set up properly. And his post at least suggests that “shim.efi” is in place.

Just noticed that this seems to be another Win 8.1 problem. Looks like MS is throwing monkey wrenches at Linux again.

That’s possible.

I have not yet decided whether to upgrade to Win 8.1. I don’t use the Win 8 anyway, except for testing its interaction with UEFI booting of opensuse. But I suppose I should upgrade to see if that causes problems.

In this case, apparently Win 8.1 is applying more pressure to use secure-boot. I don’t know if it is also causing other problems.

Well, I just mounted the EFI partition and had a poke around.

Shim, Mokmanager and grub2 are all there.

With secureboot disabled I can use my EFI shell to launch Mokmanager fine, and to load shim which in turn loads Grub2.

Unfortunately my UEFI firmware doesn’t come with a built-in EFI shell and the EFI shell I’m using isn’t signed, so I can’t test anything with secureboot enabled. Unless someone knows of a Microsoft signed EFI shell that I could use. I might actually be able to see what’s causing the error that way instead of just black screening.

I notice mokutil is still broken though (can’t read MokTableRT). Is it possible that the key bank that MokManager is supposed to be using to verify openSUSE when secureboot is enabled isn’t being created?

You could try adding “set debug=all” at the top of grub.cfg just to test whether it outputs anything at all.

It could also be a problem with a missing display driver in grub. Could you go into the grub2 command line with secure boot disabled and do

set pager=1
terminal_output
videoinfo

Note that videoinfo has all chances of hanging (it does for me right now on QEMU :) )

What adapter is listed in videoinfo output as active?

If you can launch mokmanager, you could also test grub2 from 13.1/Factory. You will need to import the new key; it has changed since 12.3.

Will try the set debug=all now.

I tried
set page = 1
(accepted, no output)
terminal_output
Active: gfxterm, serial_output was also available.

videoinfo:
Two inactive drivers (a Cirrus one, another one I don’t remember) and an active EFI GOP Driver with EDI Version 1.4.

Sorry I meant:
Set Pager = 1

terminal_output also had consol_serial_output_* available.

And the other inactive driver was a Bochs driver.

set debug = all in setup.cfg has no effect at all with secure boot enabled. Still just a black screen.