Trying to enable secure boot, but getting "This system doesn't support Secure Boot"

wikiti · April 27, 2026, 4:07pm

Hey folks! Have been running Tumbleweed for a couple of months, and I’m quite happy with it.

I installed it with secureboot enabled, and have been running quite nice. I have noticed that, after upgrading some nvidia drivers a couple of times, I’m no longer getting MOK during boot to prompt me to add the signing keys.

I have tried checking if secure boot is enabled by running mokutil --sb-state, but I’m getting this output:

❯ mokutil --sb-state
This system doesn't support Secure Boot

Which is weird, because I don’t recall disabling it. I checked the BIOS setting, and secure boot is enabled.

dmesg also hints that secure boot is disabled during boot sequence:

❯ sudo dmesg | grep secure
[    0.000000] [      T0] secureboot: Secure boot disabled
[    0.015388] [      T0] secureboot: Secure boot disabled

I recall a couple of weeks ago having to troubleshoot some NVIDIA drivers that were not properly signed, so I had to disable and re-enable secure boot to get the desktop to boot (maybe this is what currently causing this issue, who knows).

Here are the outputs of efibootmgr, in case it might be useful for debugging this:

❯ sudo efibootmgr -v
Timeout: 1 seconds
BootOrder: 0002,0000
Boot0000* Windows Boot Manager  HD(1,GPT,96c51cc3-625d-41b4-8b87-744102e29655,0x800,0x32000)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)57494e444f5753000100000088000000780000004200430044004f0042004a004500430054003d007b00390064006500610038003600320063002d0035006300640064002d0034006500370030002d0061006300630031002d006600330032006200330034003400640034003700390035007d0000002e000100000010000000040000007fff0400
      dp: 04 01 2a 00 01 00 00 00 00 08 00 00 00 00 00 00 00 20 03 00 00 00 00 00 c3 1c c5 96 5d 62 b4 41 8b 87 74 41 02 e2 96 55 02 02 / 04 04 46 00 5c 00 45 00 46 00 49 00 5c 00 4d 00 49 00 43 00 52 00 4f 00 53 00 4f 00 46 00 54 00 5c 00 42 00 4f 00 4f 00 54 00 5c 00 42 00 4f 00 4f 00 54 00 4d 00 47 00 46 00 57 00 2e 00 45 00 46 00 49 00 00 00 / 7f ff 04 00
    data: 57 49 4e 44 4f 57 53 00 01 00 00 00 88 00 00 00 78 00 00 00 42 00 43 00 44 00 4f 00 42 00 4a 00 45 00 43 00 54 00 3d 00 7b 00 39 00 64 00 65 00 61 00 38 00 36 00 32 00 63 00 2d 00 35 00 63 00 64 00 64 00 2d 00 34 00 65 00 37 00 30 00 2d 00 61 00 63 00 63 00 31 00 2d 00 66 00 33 00 32 00 62 00 33 00 34 00 34 00 64 00 34 00 37 00 39 00 35 00 7d 00 00 00 2e 00 01 00 00 00 10 00 00 00 04 00 00 00 7f ff 04 00
Boot0002* openSUSE Boot Manager (grub2-bls)     HD(2,GPT,2e74af33-a2a5-40eb-ae63-bfc37e54aadb,0x200800,0x200000)/File(\EFI\opensuse\shim.efi)
      dp: 04 01 2a 00 02 00 00 00 00 08 20 00 00 00 00 00 00 00 20 00 00 00 00 00 33 af 74 2e a5 a2 eb 40 ae 63 bf c3 7e 54 aa db 02 02 / 04 04 32 00 5c 00 45 00 46 00 49 00 5c 00 6f 00 70 00 65 00 6e 00 73 00 75 00 73 00 65 00 5c 00 73 00 68 00 69 00 6d 00 2e 00 65 00 66 00 69 00 00 00 / 7f ff 04 00

I tried running mokutil --enable-validation, but it still says that secure boot is not supported.

❯ sudo mokutil --enable-validation
This system doesn't support Secure Boot

Any help is appreciated for enabling back secure boot (and I might also need some help signing some kernel modules that might be currently unsigned). Thanks!

malcolmlewis · April 27, 2026, 4:25pm

@wikiti Hi, so what is the status of secure boot in the system BIOS? Sounds like it might be disabled there…

wikiti · April 27, 2026, 4:31pm

Hey @malcolmlewis ! Thanks for helping me. Secure boot is enabled, and CSM support is disabled.

malcolmlewis · April 27, 2026, 6:30pm

@wikiti Hi, can you show the output from inxi -GSaz and also fwupdmgr security | grep UEFI

wikiti · April 27, 2026, 7:44pm

❯ inxi -GSaz
System:
  Kernel: 6.19.11-1-default arch: x86_64 bits: 64 compiler: gcc v: 15.2.1
    clocksource: tsc avail: hpet,acpi_pm
    parameters: BOOT_IMAGE=/opensuse-tumbleweed/6.19.11-1-default/linux-77674407b4b58cc3dd24066c5547cffbb98cdee1
    splash=silent quiet security=selinux selinux=1
    rd.driver.blacklist=nouveau hibernate=no usbcore.autosuspend=-1
    mitigations=auto root=UUID=251dc5a0-5520-4e92-9cd9-cad9dd0e856c
    rootflags=subvol=@/.snapshots/448/snapshot
    systemd.machine_id=a1bafe186ff840fc9e78371ae33bede7
  Desktop: KDE Plasma v: 6.6.4 tk: Qt v: N/A info: frameworks v: 6.25.0
    wm: kwin_wayland tools: avail: xscreensaver vt: 2 dm: SDDM Distro: openSUSE
    Tumbleweed 20260425
Graphics:
  Device-1: Intel AlderLake-S GT1 vendor: Gigabyte driver: i915 v: kernel
    alternate: xe arch: Xe process: Intel 10nm built: 2020-21 ports:
    active: none empty: DP-1,HDMI-A-1,HDMI-A-2 bus-ID: 00:02.0
    chip-ID: 8086:4680 class-ID: 0380
  Device-2: NVIDIA AD107 [GeForce RTX 4060] vendor: Micro-Star MSI
    driver: nvidia v: 580.142 alternate: nouveau,nvidia_drm
    non-free: 550-580.xx+ status: current (as of 2025-11) arch: Lovelace
    code: AD1xx process: TSMC n4 (5nm) built: 2022+ pcie: gen: 4
    speed: 16 GT/s lanes: 8 ports: active: DP-2,DP-3 empty: DP-4,HDMI-A-3
    bus-ID: 01:00.0 chip-ID: 10de:2882 class-ID: 0300
  Device-3: Logitech BRIO Ultra HD Webcam
    driver: hid-generic,snd-usb-audio,usbhid,uvcvideo type: USB rev: 3.1
    speed: 5 Gb/s lanes: 1 mode: 3.2 gen-1x1 bus-ID: 2-3.4:4
    chip-ID: 046d:085e class-ID: 0300 serial: <filter>
  Display: wayland server: X.org v: 1.21.1.21 with: Xwayland v: 24.1.9
    compositor: kwin_wayland driver: X: loaded: nvidia
    gpu: nvidia,nvidia-nvswitch d-rect: 3840x1080 display-ID: 0
  Monitor-1: DP-2 pos: primary,left model: Acer KG251Q serial: <filter>
    built: 2020 res: mode: 1920x1080 hz: 165 scale: 100% (1) dpi: 90 gamma: 1.2
    size: 544x303mm (21.42x11.93") diag: 623mm (24.5") ratio: 16:9 modes:
    max: 1920x1080 min: 640x480
  Monitor-2: DP-3 pos: right model: Acer KG251Q serial: <filter>
    built: 2021 res: mode: 1920x1080 hz: 165 scale: 100% (1) dpi: 90 gamma: 1.2
    size: 544x303mm (21.42x11.93") diag: 623mm (24.5") ratio: 16:9 modes:
    max: 1920x1080 min: 640x480
  API: EGL v: 1.5 hw: drv: intel iris drv: nvidia platforms: device: 0
    drv: nvidia device: 2 drv: iris device: 3 drv: swrast gbm: drv: nvidia
    surfaceless: drv: nvidia wayland: drv: nvidia x11: drv: nvidia
    inactive: device-1
  API: OpenGL v: 4.6.0 compat-v: 4.5 vendor: nvidia mesa v: 580.142
    glx-v: 1.4 direct-render: yes renderer: NVIDIA GeForce RTX 4060/PCIe/SSE2
    memory: 7.81 GiB display-ID: :0.0
  API: Vulkan v: 1.4.341 layers: 8 device: 0 type: discrete-gpu
    name: NVIDIA GeForce RTX 4060 driver: nvidia v: 580.142
    device-ID: 10de:2882 surfaces: N/A device: 1 type: integrated-gpu
    name: Intel UHD Graphics 770 (ADL-S GT1) driver: mesa intel v: 26.0.5
    device-ID: 8086:4680 surfaces: N/A device: 2 type: cpu name: llvmpipe
    (LLVM 22.1.3 256 bits) driver: mesa llvmpipe v: 26.0.5 (LLVM 22.1.3)
    device-ID: 10005:0000 surfaces: N/A
  Info: Tools: api: clinfo, eglinfo, glxinfo, vulkaninfo
    de: kscreen-console,kscreen-doctor gpu: nvidia-settings,nvidia-smi
    wl: wayland-info x11: xdpyinfo, xprop, xrandr

❯ fwupdmgr security | grep UEFI
Idle…: 0%
✔ Variables de servicio de arranque UEFI:Locked
✔ Clave UEFI de la plataforma:   Valid
✘ Protección de memoria UEFI:    Disabled
✔ BdD UEFI:                      Valid
✘ Arranque seguro UEFI:          Disabled
  2025-12-18 14:39:03:  ✔ The UEFI certificate store is now up to date

Seems like fwupdmgr is localized to Spanish. If that doesn’t work for you, please let me know

Thanks for your help @malcolmlewis !!

malcolmlewis · April 27, 2026, 9:03pm

So definately disabled…
Arranque seguro UEFI: Disabled
UEFI Secure Boot: Disabled

I don’t have any grub2-bls (anymore), just systemd-boot and grub2-efi.

What does grep -Ev '^$|^#' /etc/sysconfig/bootloader show?

Likewise, I’d expect you to be using the open driver on that GPU, which is already signed, so won’t see anything MOK related.

For my Quadro RTX4000 gpu I see;

zypper se -si nvidia

S  | Name                                           | Type    | Version                  | Arch   | Repository
---+------------------------------------------------+---------+--------------------------+--------+--------------
i  | kernel-firmware-nvidia                         | package | 20260408-1.1             | noarch | repo-oss
i  | libnvidia-cfg                                  | package | 595.58.03-11.1           | x86_64 | repo-non-free
i  | libnvidia-egl-gbm1                             | package | 1.1.3-11.1               | x86_64 | repo-non-free
i  | libnvidia-egl-wayland1                         | package | 1.1.22-57.3              | x86_64 | repo-non-free
i  | libnvidia-egl-x111                             | package | 1.0.5-26.1               | x86_64 | repo-non-free
i  | libnvidia-gpucomp                              | package | 595.58.03-11.1           | x86_64 | repo-non-free
i  | libnvidia-ml                                   | package | 595.58.03-11.1           | x86_64 | repo-non-free
i  | nvidia-common-G07                              | package | 595.58.03-11.1           | x86_64 | repo-non-free
i  | nvidia-compute-G07                             | package | 595.58.03-11.1           | x86_64 | repo-non-free
i  | nvidia-compute-utils-G07                       | package | 595.58.03-11.1           | x86_64 | repo-non-free
i  | nvidia-gl-G07                                  | package | 595.58.03-11.1           | x86_64 | repo-non-free
i  | nvidia-modprobe                                | package | 595.58.03-3.1            | x86_64 | repo-non-free
i+ | nvidia-open-driver-G07-signed-cuda-kmp-default | package | 595.58.03_k6.19.12_1-2.8 | x86_64 | repo-oss
i  | nvidia-persistenced                            | package | 595.58.03-2.1            | x86_64 | repo-non-free
i  | nvidia-userspace-meta-G07                      | package | 595.58.03-11.1           | x86_64 | repo-non-free
i  | nvidia-video-G07                               | package | 595.58.03-11.1           | x86_64 | repo-non-free
i  | openSUSE-repos-Tumbleweed-NVIDIA               | package | 20250728.9adc675-1.2     | x86_64 | repo-oss

I would expect to see the same for your GPU, which is running the older Nvidia driver.

wikiti · April 27, 2026, 9:20pm

❯ grep -Ev '^$|^#' /etc/sysconfig/bootloader
LOADER_TYPE="grub2-bls"
SECURE_BOOT="yes"
TRUSTED_BOOT="no"
UPDATE_NVRAM="yes"

Likewise, I’d expect you to be using the open driver on that GPU, which is already signed, so won’t see anything MOK related.

Nope, running the propietary driver (explained here). I don’t have any problems signing these, as I usually miss the time window during mok key enrollment

❯ zypper se -si nvidia
Loading repository data...
Reading installed packages...

S  | Name                             | Type    | Version                 | Arch   | Repository
---+----------------------------------+---------+-------------------------+--------+--------------
i  | kernel-firmware-nvidia           | package | 20260408-1.1            | noarch | repo-oss
i  | libnvidia-egl-gbm1               | package | 1.1.3-11.1              | x86_64 | repo-non-free
i  | libnvidia-egl-gbm1-32bit         | package | 1.1.3-11.1              | x86_64 | repo-non-free
i  | libnvidia-egl-wayland1           | package | 1.1.22-57.3             | x86_64 | repo-non-free
i  | libnvidia-egl-wayland1-32bit     | package | 1.1.22-57.2             | x86_64 | repo-non-free
i  | libnvidia-egl-x111               | package | 1.0.5-26.1              | x86_64 | repo-non-free
i  | libnvidia-egl-x111-32bit         | package | 1.0.5-26.1              | x86_64 | repo-non-free
i  | libnvidia-gpucomp-G06            | package | 580.142-49.1            | x86_64 | repo-non-free
i  | libnvidia-gpucomp-G06-32bit      | package | 580.142-49.1            | x86_64 | repo-non-free
i  | nvidia-common-G06                | package | 580.142-49.1            | x86_64 | repo-non-free
i+ | nvidia-compute-G06               | package | 580.142-49.1            | x86_64 | repo-non-free
i  | nvidia-compute-G06-32bit         | package | 580.142-49.1            | x86_64 | repo-non-free
i+ | nvidia-compute-utils-G06         | package | 580.142-49.1            | x86_64 | repo-non-free
i+ | nvidia-driver-G06-kmp-default    | package | 580.142_k6.19.11_1-49.1 | x86_64 | repo-non-free
i+ | nvidia-gl-G06                    | package | 580.142-49.1            | x86_64 | repo-non-free
i  | nvidia-gl-G06-32bit              | package | 580.142-49.1            | x86_64 | repo-non-free
i  | nvidia-libXNVCtrl                | package | 595.58.03-2.1           | x86_64 | repo-non-free
i  | nvidia-modprobe                  | package | 580.142-25.1            | x86_64 | repo-non-free
i  | nvidia-persistenced              | package | 580.142-2.1             | x86_64 | repo-non-free
i+ | nvidia-settings                  | package | 595.58.03-2.1           | x86_64 | repo-non-free
i  | nvidia-userspace-meta-G06        | package | 580.142-44.1            | x86_64 | repo-non-free
i+ | nvidia-video-G06                 | package | 580.142-49.1            | x86_64 | repo-non-free
i  | nvidia-video-G06-32bit           | package | 580.142-49.1            | x86_64 | repo-non-free
i  | nvidia-xconfig                   | package | 595.58.03-2.1           | x86_64 | repo-non-free
i+ | openSUSE-repos-Tumbleweed-NVIDIA | package | 20250728.9adc675-1.2    | x86_64 | repo-oss

I thought G07 was the beta driver, and G06 being the “stable” one I can update it after solving the secure boot issue tho

malcolmlewis · April 27, 2026, 9:44pm

@wikiti So it’s something up with your system BIOS as can be see in that output…

Have you done a BIOS or firmware update lately in Windows?

Likewise, development going forward is with the open driver, it’s all I use here, both with the run file (no secure boot) and currently with the rpms… FWIW I don’t even have the mokutil package installed so no need to do anything with the already signed driver…

wikiti · April 27, 2026, 10:21pm

Have you done a BIOS or firmware update lately in Windows?

Nope, I have barely used Windows in the past 6 months, much less doing BIOS/firmware updates. I haven’t updated BIOS/firmware from Linux as far as I know (unless it was something automatic)

Last time I had to disable Secure Boot was 1 month ago, after dist upgrade went weird, and had to do some snapper rollbacks too. I disabled it, did some testing, then enabled it in the BIOS settings, and everything seemed to be working again (except secure boot no longer works)

Any way to restore secure boot without having to re-install the distro?

Likewise, development going forward is with the open driver, it’s all I use here, both with the run file (no secure boot) and currently with the rpms… FWIW I don’t even have the mokutil package installed so no need to do anything with the already signed driver…

Just read everything about it. Seems like the NVIDIA openSUSE wiki page was updated as well. I’ll update once secure bug is fixed; thanks for letting me know!

malcolmlewis · April 27, 2026, 10:36pm

@wikiti So grub2-bls shows secure boot enabled, force the re-install of it with zypper in -f grub2-x86_64-efi-bls

wikiti · April 27, 2026, 11:18pm

So grub2-bls shows secure boot enabled, force the re-install of it with zypper in -f grub2-x86_64-efi-bls

Just reinstalled it with no errors whatsoever. Did a system reboot afterwards. Unfortunately, symptoms are still the same (secure boot not supported on mokutil --sb-state). Here’s the reinstall logs, in case I’m missing something:

❯ sudo zypper in -f grub2-x86_64-efi-bls
Actualizando el servicio 'NVIDIA'.
Actualizando el servicio 'openSUSE'.
Cargando datos del repositorio...
Leyendo los paquetes instalados...
Forzando la instalación de 'grub2-x86_64-efi-bls-2.14-9.1.noarch' desde el repositorio 'repo-oss'.
Resolviendo dependencias de paquete...

El siguiente paquete va a ser reinstalado:
  grub2-x86_64-efi-bls

1 paquete a reinstalar.

Tamaño de la descarga del paquete:   448,4 KiB

Cambio de tamaño de la instalación del paquete:
            |       1,3 MiB  requerido por los paquetes que se instalarán
       0 B  |  -    1,3 MiB  liberados por los paquetes que van a ser eliminados

Backend:  classic_rpmtrans
¿Desea continuar? [s/n/v/...? mostrar todas las opciones] (s): s
Precargando: grub2-x86_64-efi-bls-2.14-9.1.noarch.rpm [terminado]
Precarga finalizada. [correcto (10,8 KiB/s) ] ....................................................[terminado]
Obteniendo: grub2-x86_64-efi-bls-2.14-9.1.noarch (repo-oss)                              (1/1), 448,4 KiB

Buscando conflictos de archivos: .................................................................[terminado]
(1/1) Instalando: grub2-x86_64-efi-bls-2.14-9.1.noarch ...........................................[terminado]
Resultado de guion %transfiletriggerin(sdbootutil-1+git20260421.88e40c4-1.1.x86_64):
2.14-202603170640 == 2.14-202603170640
Ejecutando guiones postransacción ................................................................[terminado]

hcvv · April 28, 2026, 7:33am

@wikiti ,

When your system is not English and you want to post computer output here, then please precede your commands wikt LANG=C. E.g.

LANG=C zypper in -f grub2-x86_64-efi-bls

malcolmlewis · April 28, 2026, 11:34am

@wikiti I’d suggest disable secure boot in the system BIOS, reboot, then shutdown, remove power for 5-10 minutes, reboot, set to secure boot again and then reboot.

wikiti · April 28, 2026, 1:33pm

I did:

Reboot the computer
Open up BIOS, and disabled secure boot
Boot to OpenSUSE and inmediatly shutdown (1st reboot)
Removed power for 15 minutes
Booted and set to secure boot in BIOS to enabled
Rebooted

mokutil still reports secure boot state as not supported. In case they are useful, here are the first 200 lines of dmesg.

dmesg

❯ sudo dmesg | head -200
[    0.000000] [      T0] Linux version 6.19.12-1-default (geeko@buildhost) (gcc (SUSE Linux) 15.2.1 20260202, GNU ld (GNU Binutils; openSUSE Tumbleweed) 2.45.0.20251103-2) #1 SMP PREEMPT_DYNAMIC Sun Apr 12 17:36:53 UTC 2026 (c7234f7)
[    0.000000] [      T0] Command line: BOOT_IMAGE=/opensuse-tumbleweed/6.19.12-1-default/linux-b1af56a311373d636878b1a828737467972b2480 splash=silent quiet security=selinux selinux=1 rd.driver.blacklist=nouveau hibernate=no usbcore.autosuspend=-1 mitigations=auto root=UUID=251dc5a0-5520-4e92-9cd9-cad9dd0e856c rootflags=subvol=@/.snapshots/448/snapshot systemd.machine_id=a1bafe186ff840fc9e78371ae33bede7
[    0.000000] [      T0] x86/tme: not enabled by BIOS
[    0.000000] [      T0] x86/split lock detection: #AC: crashing the kernel on kernel split_locks and warning on user-space split_locks
[    0.000000] [      T0] BIOS-provided physical RAM map:
[    0.000000] [      T0] BIOS-e820: [mem 0x0000000000000000-0x000000000009dfff] usable
[    0.000000] [      T0] BIOS-e820: [mem 0x000000000009e000-0x000000000009efff] reserved
[    0.000000] [      T0] BIOS-e820: [mem 0x000000000009f000-0x000000000009ffff] usable
[    0.000000] [      T0] BIOS-e820: [mem 0x00000000000a0000-0x00000000000fffff] reserved
[    0.000000] [      T0] BIOS-e820: [mem 0x0000000000100000-0x0000000030b92fff] usable
[    0.000000] [      T0] BIOS-e820: [mem 0x0000000030b93000-0x0000000030b93fff] reserved
[    0.000000] [      T0] BIOS-e820: [mem 0x0000000030b94000-0x000000003184bfff] usable
[    0.000000] [      T0] BIOS-e820: [mem 0x000000003184c000-0x000000003494bfff] reserved
[    0.000000] [      T0] BIOS-e820: [mem 0x000000003494c000-0x0000000034bc9fff] ACPI data
[    0.000000] [      T0] BIOS-e820: [mem 0x0000000034bca000-0x0000000034cd5fff] ACPI NVS
[    0.000000] [      T0] BIOS-e820: [mem 0x0000000034cd6000-0x0000000035bfefff] reserved
[    0.000000] [      T0] BIOS-e820: [mem 0x0000000035bff000-0x0000000035bfffff] usable
[    0.000000] [      T0] BIOS-e820: [mem 0x0000000035c00000-0x0000000039ffffff] reserved
[    0.000000] [      T0] BIOS-e820: [mem 0x000000003aa00000-0x000000003abfffff] reserved
[    0.000000] [      T0] BIOS-e820: [mem 0x000000003b000000-0x00000000403fffff] reserved
[    0.000000] [      T0] BIOS-e820: [mem 0x00000000c0000000-0x00000000cfffffff] reserved
[    0.000000] [      T0] BIOS-e820: [mem 0x00000000fc000000-0x00000000fc00ffff] reserved
[    0.000000] [      T0] BIOS-e820: [mem 0x00000000fe000000-0x00000000fe010fff] reserved
[    0.000000] [      T0] BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved
[    0.000000] [      T0] BIOS-e820: [mem 0x00000000fed00000-0x00000000fed00fff] reserved
[    0.000000] [      T0] BIOS-e820: [mem 0x00000000fed20000-0x00000000fed7ffff] reserved
[    0.000000] [      T0] BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
[    0.000000] [      T0] BIOS-e820: [mem 0x00000000ff000000-0x00000000ffffffff] reserved
[    0.000000] [      T0] BIOS-e820: [mem 0x0000000100000000-0x00000008bfbfffff] usable
[    0.000000] [      T0] NX (Execute Disable) protection: active
[    0.000000] [      T0] APIC: Static calls initialized
[    0.000000] [      T0] efi: EFI v2.8 by American Megatrends
[    0.000000] [      T0] efi: ACPI=0x34c53000 ACPI 2.0=0x34c53014 TPMFinalLog=0x34c20000 SMBIOS=0x3565b000 SMBIOS 3.0=0x3565a000 MEMATTR=0x2703b418 ESRT=0x2f7a2818 MOKvar=0x353a2000 INITRD=0x22a3af98 RNG=0x349ca018 TPMEventLog=0x349be018
[    0.000000] [      T0] random: crng init done
[    0.000000] [      T0] efi: Remove mem102: MMIO range=[0xc0000000-0xcfffffff] (256MB) from e820 map
[    0.000000] [      T0] e820: remove [mem 0xc0000000-0xcfffffff] reserved
[    0.000000] [      T0] efi: Not removing mem103: MMIO range=[0xfc000000-0xfc00ffff] (64KB) from e820 map
[    0.000000] [      T0] efi: Not removing mem104: MMIO range=[0xfe000000-0xfe010fff] (68KB) from e820 map
[    0.000000] [      T0] efi: Not removing mem105: MMIO range=[0xfec00000-0xfec00fff] (4KB) from e820 map
[    0.000000] [      T0] efi: Not removing mem106: MMIO range=[0xfed00000-0xfed00fff] (4KB) from e820 map
[    0.000000] [      T0] efi: Not removing mem108: MMIO range=[0xfee00000-0xfee00fff] (4KB) from e820 map
[    0.000000] [      T0] efi: Remove mem109: MMIO range=[0xff000000-0xffffffff] (16MB) from e820 map
[    0.000000] [      T0] e820: remove [mem 0xff000000-0xffffffff] reserved
[    0.000000] [      T0] secureboot: Secure boot disabled
[    0.000000] [      T0] SMBIOS 3.6.0 present.
[    0.000000] [      T0] DMI: Gigabyte Technology Co., Ltd. B660 GAMING X DDR4/B660 GAMING X DDR4, BIOS F33 09/19/2025
[    0.000000] [      T0] DMI: Memory slots populated: 4/4
[    0.000000] [      T0] tsc: Detected 3700.000 MHz processor
[    0.000000] [      T0] tsc: Detected 3686.400 MHz TSC
[    0.001071] [      T0] e820: update [mem 0x00000000-0x00000fff] usable ==> reserved
[    0.001098] [      T0] e820: remove [mem 0x000a0000-0x000fffff] usable
[    0.001105] [      T0] last_pfn = 0x8bfc00 max_arch_pfn = 0x400000000
[    0.001108] [      T0] MTRR map: 6 entries (3 fixed + 3 variable; max 23), built from 10 variable MTRRs
[    0.001109] [      T0] x86/PAT: Configuration [0-7]: WB  WC  UC- UC  WB  WP  UC- WT
[    0.001498] [      T0] e820: update [mem 0x3c000000-0xffffffff] usable ==> reserved
[    0.001501] [      T0] last_pfn = 0x35c00 max_arch_pfn = 0x400000000
[    0.015455] [      T0] esrt: Reserving ESRT space from 0x000000002f7a2818 to 0x000000002f7a28c8.                    [    0.015460] [      T0] e820: update [mem 0x2f7a2000-0x2f7a2fff] usable ==> reserved
[    0.015477] [      T0] Using GB pages for direct mapping
[    0.015792] [      T0] secureboot: Secure boot disabled
[    0.015793] [      T0] RAMDISK: [mem 0x02691000-0x0c0e9fff]
[    0.015797] [      T0] ACPI: Early table checksum verification disabled                                             [    0.015799] [      T0] ACPI: RSDP 0x0000000034C53014 000024 (v02 ALASKA)
[    0.015802] [      T0] ACPI: XSDT 0x0000000034C52728 00011C (v01 ALASKA A M I    01072009 AMI  01000013)
[    0.015807] [      T0] ACPI: FACP 0x0000000034BC7000 000114 (v06 ALASKA A M I    01072009 AMI  01000013)
[    0.015811] [      T0] ACPI: DSDT 0x0000000034B3E000 0883A8 (v02 ALASKA A M I    01072009 INTL 20200717)
[    0.015814] [      T0] ACPI: FACS 0x0000000034CD5000 000040
[    0.015816] [      T0] ACPI: FIDT 0x0000000034B3D000 00009C (v01 ALASKA A M I    01072009 AMI  00010013)
[    0.015818] [      T0] ACPI: SSDT 0x0000000034B31000 00B195 (v02 GBT    GSWApp   00000001 INTL 20200717)
[    0.015820] [      T0] ACPI: HWIN 0x0000000034BC9000 0000CC (v00 GBT    INTEL    00070000 AMI  01000013)
[    0.015823] [      T0] ACPI: SSDT 0x0000000034B2D000 0031C9 (v02 INTEL  DTbtSsdt 00001000 INTL 20200717)
[    0.015825] [      T0] ACPI: SSDT 0x0000000034BC8000 00038C (v02 PmaxDv Pmax_Dev 00000001 INTL 20200717)
[    0.015827] [      T0] ACPI: SSDT 0x0000000034B27000 005D34 (v02 CpuRef CpuSsdt  00003000 INTL 20200717)
[    0.015829] [      T0] ACPI: SSDT 0x0000000034B24000 002A81 (v02 SaSsdt SaSsdt   00003000 INTL 20200717)
[    0.015831] [      T0] ACPI: SSDT 0x0000000034B20000 00334F (v02 INTEL  IgfxSsdt 00003000 INTL 20200717)
[    0.015833] [      T0] ACPI: HPET 0x0000000034B1F000 000038 (v01 ALASKA A M I    01072009 AMI  01000013)
[    0.015835] [      T0] ACPI: APIC 0x0000000034B1E000 0001DC (v05 ALASKA A M I    01072009 AMI  01000013)
[    0.015837] [      T0] ACPI: MCFG 0x0000000034B1D000 00003C (v01 ALASKA A M I    01072009 AMI  01000013)
[    0.015840] [      T0] ACPI: SSDT 0x0000000034B14000 008595 (v02 ALASKA A M I    00001000 INTL 20200717)
[    0.015842] [      T0] ACPI: SSDT 0x0000000034B12000 001F1A (v02 ALASKA A M I    00001000 INTL 20200717)
[    0.015844] [      T0] ACPI: NHLT 0x0000000034B11000 00002D (v00 ALASKA A M I    01072009 AMI  01000013)
[    0.015846] [      T0] ACPI: LPIT 0x0000000034B10000 0000CC (v01 ALASKA A M I    01072009 AMI  01000013)
[    0.015848] [      T0] ACPI: SSDT 0x0000000034B0C000 002A83 (v02 ALASKA A M I    00001000 INTL 20200717)
[    0.015850] [      T0] ACPI: SSDT 0x0000000034B02000 0092F4 (v02 ALASKA A M I    00000000 INTL 20200717)
[    0.015852] [      T0] ACPI: DBGP 0x0000000034B01000 000034 (v01 ALASKA A M I    01072009 AMI  01000013)
[    0.015854] [      T0] ACPI: DBG2 0x0000000034B00000 000054 (v00 ALASKA A M I    01072009 AMI  01000013)
[    0.015856] [      T0] ACPI: SSDT 0x0000000034AFE000 00190A (v02 ALASKA A M I    00001000 INTL 20200717)
[    0.015858] [      T0] ACPI: DMAR 0x0000000034AFD000 000088 (v01 INTEL  EDK2     00000002      01000013)
[    0.015860] [      T0] ACPI: FPDT 0x0000000034AFC000 000044 (v01 ALASKA A M I    01072009 AMI  01000013)
[    0.015863] [      T0] ACPI: SSDT 0x0000000034AFA000 0019FA (v02 INTEL  xh_rps14 00000000 INTL 20200717)
[    0.015865] [      T0] ACPI: SSDT 0x0000000034AF6000 0039DA (v02 SocGpe SocGpe   00003000 INTL 20200717)
[    0.015867] [      T0] ACPI: SSDT 0x0000000034AF2000 0039DA (v02 SocCmn SocCmn   00003000 INTL 20200717)
[    0.015869] [      T0] ACPI: BGRT 0x0000000034AF1000 000038 (v01 ALASKA A M I    01072009 AMI  00010013)
[    0.015871] [      T0] ACPI: WPBT 0x00000000349CD000 000034 (v01 ALASKA A M I    00000001 GBT  20221021)
[    0.015873] [      T0] ACPI: PHAT 0x00000000349CC000 000A87 (v01 ALASKA A M I    00000005 MSFT 0100000D)
[    0.015875] [      T0] ACPI: TPM2 0x00000000349CB000 00004C (v04 ALASKA A M I    00000001 AMI  00000000)
[    0.015877] [      T0] ACPI: WSMT 0x0000000034B0F000 000028 (v01 ALASKA A M I    01072009 AMI  00010013)
[    0.015879] [      T0] ACPI: Reserving FACP table memory at [mem 0x34bc7000-0x34bc7113]
[    0.015880] [      T0] ACPI: Reserving DSDT table memory at [mem 0x34b3e000-0x34bc63a7]
[    0.015881] [      T0] ACPI: Reserving FACS table memory at [mem 0x34cd5000-0x34cd503f]
[    0.015881] [      T0] ACPI: Reserving FIDT table memory at [mem 0x34b3d000-0x34b3d09b]
[    0.015882] [      T0] ACPI: Reserving SSDT table memory at [mem 0x34b31000-0x34b3c194]
[    0.015882] [      T0] ACPI: Reserving HWIN table memory at [mem 0x34bc9000-0x34bc90cb]
[    0.015883] [      T0] ACPI: Reserving SSDT table memory at [mem 0x34b2d000-0x34b301c8]
[    0.015884] [      T0] ACPI: Reserving SSDT table memory at [mem 0x34bc8000-0x34bc838b]
[    0.015884] [      T0] ACPI: Reserving SSDT table memory at [mem 0x34b27000-0x34b2cd33]
[    0.015885] [      T0] ACPI: Reserving SSDT table memory at [mem 0x34b24000-0x34b26a80]
[    0.015885] [      T0] ACPI: Reserving SSDT table memory at [mem 0x34b20000-0x34b2334e]
[    0.015886] [      T0] ACPI: Reserving HPET table memory at [mem 0x34b1f000-0x34b1f037]
[    0.015886] [      T0] ACPI: Reserving APIC table memory at [mem 0x34b1e000-0x34b1e1db]
[    0.015887] [      T0] ACPI: Reserving MCFG table memory at [mem 0x34b1d000-0x34b1d03b]
[    0.015887] [      T0] ACPI: Reserving SSDT table memory at [mem 0x34b14000-0x34b1c594]
[    0.015888] [      T0] ACPI: Reserving SSDT table memory at [mem 0x34b12000-0x34b13f19]
[    0.015888] [      T0] ACPI: Reserving NHLT table memory at [mem 0x34b11000-0x34b1102c]
[    0.015889] [      T0] ACPI: Reserving LPIT table memory at [mem 0x34b10000-0x34b100cb]
[    0.015889] [      T0] ACPI: Reserving SSDT table memory at [mem 0x34b0c000-0x34b0ea82]
[    0.015890] [      T0] ACPI: Reserving SSDT table memory at [mem 0x34b02000-0x34b0b2f3]
[    0.015890] [      T0] ACPI: Reserving DBGP table memory at [mem 0x34b01000-0x34b01033]
[    0.015891] [      T0] ACPI: Reserving DBG2 table memory at [mem 0x34b00000-0x34b00053]
[    0.015892] [      T0] ACPI: Reserving SSDT table memory at [mem 0x34afe000-0x34aff909]
[    0.015892] [      T0] ACPI: Reserving DMAR table memory at [mem 0x34afd000-0x34afd087]
[    0.015893] [      T0] ACPI: Reserving FPDT table memory at [mem 0x34afc000-0x34afc043]
[    0.015893] [      T0] ACPI: Reserving SSDT table memory at [mem 0x34afa000-0x34afb9f9]
[    0.015894] [      T0] ACPI: Reserving SSDT table memory at [mem 0x34af6000-0x34af99d9]
[    0.015894] [      T0] ACPI: Reserving SSDT table memory at [mem 0x34af2000-0x34af59d9]
[    0.015895] [      T0] ACPI: Reserving BGRT table memory at [mem 0x34af1000-0x34af1037]
[    0.015895] [      T0] ACPI: Reserving WPBT table memory at [mem 0x349cd000-0x349cd033]
[    0.015896] [      T0] ACPI: Reserving PHAT table memory at [mem 0x349cc000-0x349cca86]
[    0.015896] [      T0] ACPI: Reserving TPM2 table memory at [mem 0x349cb000-0x349cb04b]
[    0.015897] [      T0] ACPI: Reserving WSMT table memory at [mem 0x34b0f000-0x34b0f027]
[    0.016032] [      T0] No NUMA configuration found                                                                  [    0.016033] [      T0] Faking a node at [mem 0x0000000000000000-0x00000008bfbfffff]
[    0.016038] [      T0] NODE_DATA(0) allocated [mem 0x8bfbd5280-0x8bfbfffff]
[    0.016204] [      T0] Zone ranges:
[    0.016204] [      T0]   DMA      [mem 0x0000000000001000-0x0000000000ffffff]
[    0.016206] [      T0]   DMA32    [mem 0x0000000001000000-0x00000000ffffffff]
[    0.016206] [      T0]   Normal   [mem 0x0000000100000000-0x00000008bfbfffff]
[    0.016207] [      T0]   Device   empty
[    0.016208] [      T0] Movable zone start for each node
[    0.016209] [      T0] Early memory node ranges
[    0.016209] [      T0]   node   0: [mem 0x0000000000001000-0x000000000009dfff]
[    0.016210] [      T0]   node   0: [mem 0x000000000009f000-0x000000000009ffff]
[    0.016210] [      T0]   node   0: [mem 0x0000000000100000-0x0000000030b92fff]
[    0.016211] [      T0]   node   0: [mem 0x0000000030b94000-0x000000003184bfff]
[    0.016212] [      T0]   node   0: [mem 0x0000000035bff000-0x0000000035bfffff]
[    0.016212] [      T0]   node   0: [mem 0x0000000100000000-0x00000008bfbfffff]
[    0.016214] [      T0] Initmem setup node 0 [mem 0x0000000000001000-0x00000008bfbfffff]
[    0.016218] [      T0] On node 0, zone DMA: 1 pages in unavailable ranges
[    0.016219] [      T0] On node 0, zone DMA: 1 pages in unavailable ranges
[    0.016233] [      T0] On node 0, zone DMA: 96 pages in unavailable ranges
[    0.017087] [      T0] On node 0, zone DMA32: 1 pages in unavailable ranges
[    0.017173] [      T0] On node 0, zone DMA32: 17331 pages in unavailable ranges
[    0.017382] [      T0] On node 0, zone Normal: 9216 pages in unavailable ranges
[    0.017388] [      T0] On node 0, zone Normal: 1024 pages in unavailable ranges
[    0.017668] [      T0] ACPI: PM-Timer IO Port: 0x1808
[    0.017676] [      T0] ACPI: LAPIC_NMI (acpi_id[0x01] high edge lint[0x1])
[    0.017677] [      T0] ACPI: LAPIC_NMI (acpi_id[0x02] high edge lint[0x1])
[    0.017678] [      T0] ACPI: LAPIC_NMI (acpi_id[0x03] high edge lint[0x1])
[    0.017678] [      T0] ACPI: LAPIC_NMI (acpi_id[0x04] high edge lint[0x1])
[    0.017679] [      T0] ACPI: LAPIC_NMI (acpi_id[0x05] high edge lint[0x1])
[    0.017679] [      T0] ACPI: LAPIC_NMI (acpi_id[0x06] high edge lint[0x1])
[    0.017679] [      T0] ACPI: LAPIC_NMI (acpi_id[0x07] high edge lint[0x1])
[    0.017680] [      T0] ACPI: LAPIC_NMI (acpi_id[0x08] high edge lint[0x1])
[    0.017680] [      T0] ACPI: LAPIC_NMI (acpi_id[0x09] high edge lint[0x1])
[    0.017681] [      T0] ACPI: LAPIC_NMI (acpi_id[0x0a] high edge lint[0x1])
[    0.017681] [      T0] ACPI: LAPIC_NMI (acpi_id[0x0b] high edge lint[0x1])
[    0.017681] [      T0] ACPI: LAPIC_NMI (acpi_id[0x0c] high edge lint[0x1])
[    0.017682] [      T0] ACPI: LAPIC_NMI (acpi_id[0x0d] high edge lint[0x1])
[    0.017682] [      T0] ACPI: LAPIC_NMI (acpi_id[0x0e] high edge lint[0x1])
[    0.017683] [      T0] ACPI: LAPIC_NMI (acpi_id[0x0f] high edge lint[0x1])
[    0.017683] [      T0] ACPI: LAPIC_NMI (acpi_id[0x10] high edge lint[0x1])
[    0.017683] [      T0] ACPI: LAPIC_NMI (acpi_id[0x11] high edge lint[0x1])
[    0.017684] [      T0] ACPI: LAPIC_NMI (acpi_id[0x12] high edge lint[0x1])
[    0.017684] [      T0] ACPI: LAPIC_NMI (acpi_id[0x13] high edge lint[0x1])
[    0.017685] [      T0] ACPI: LAPIC_NMI (acpi_id[0x14] high edge lint[0x1])
[    0.017685] [      T0] ACPI: LAPIC_NMI (acpi_id[0x15] high edge lint[0x1])
[    0.017686] [      T0] ACPI: LAPIC_NMI (acpi_id[0x16] high edge lint[0x1])
[    0.017686] [      T0] ACPI: LAPIC_NMI (acpi_id[0x17] high edge lint[0x1])
[    0.017686] [      T0] ACPI: LAPIC_NMI (acpi_id[0x00] high edge lint[0x1])
[    0.017723] [      T0] IOAPIC[0]: apic_id 2, version 32, address 0xfec00000, GSI 0-119
[    0.017725] [      T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
[    0.017726] [      T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
[    0.017729] [      T0] ACPI: Using ACPI (MADT) for SMP configuration information
[    0.017730] [      T0] ACPI: HPET id: 0x8086a201 base: 0xfed00000
[    0.017737] [      T0] e820: update [mem 0x2d490000-0x2d50efff] usable ==> reserved
[    0.017745] [      T0] TSC deadline timer available
[    0.017747] [      T0] CPU topo: Max. logical packages:   1
[    0.017748] [      T0] CPU topo: Max. logical nodes:      1
[    0.017748] [      T0] CPU topo: Num. nodes per package:  1
[    0.017749] [      T0] CPU topo: Max. logical dies:       1
[    0.017750] [      T0] CPU topo: Max. dies per package:   1
[    0.017752] [      T0] CPU topo: Max. threads per core:   2
[    0.017752] [      T0] CPU topo: Num. cores per package:    10
[    0.017753] [      T0] CPU topo: Num. threads per package:  16
[    0.017753] [      T0] CPU topo: Allowing 16 present CPUs plus 0 hotplug CPUs
[    0.017769] [      T0] PM: hibernation: Registered nosave memory: [mem 0x00000000-0x00000fff]
[    0.017770] [      T0] PM: hibernation: Registered nosave memory: [mem 0x0009e000-0x0009efff]
[    0.017771] [      T0] PM: hibernation: Registered nosave memory: [mem 0x000a0000-0x000fffff]
[    0.017772] [      T0] PM: hibernation: Registered nosave memory: [mem 0x2d490000-0x2d50efff]
[    0.017774] [      T0] PM: hibernation: Registered nosave memory: [mem 0x2f7a2000-0x2f7a2fff]

Again, thanks a lot for helping me out

malcolmlewis · April 28, 2026, 1:46pm

@wikiti you should add your user to the systemd-journal group
journalctl -b | grep -i secure

wikiti · April 28, 2026, 2:06pm

you should add your user to the systemd-journal group

Done!

journal logs from last reboot:

abr 28 15:24:10 localhost kernel: secureboot: Secure boot disabled
abr 28 15:24:10 localhost kernel: secureboot: Secure boot disabled
abr 28 15:24:10 localhost kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: da89dc82efa50f451409029d285397e520ec4a61'
abr 28 15:24:10 localhost kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: da89dc82efa50f451409029d285397e520ec4a61'
abr 28 15:25:15 localhost kernel: secureboot: Secure boot disabled
abr 28 15:25:15 localhost kernel: secureboot: Secure boot disabled
abr 28 15:25:15 localhost kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: da89dc82efa50f451409029d285397e520ec4a61'
abr 28 15:25:15 localhost kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: da89dc82efa50f451409029d285397e520ec4a61'
abr 28 15:25:59 localhost kernel: secureboot: Secure boot disabled
abr 28 15:25:59 localhost kernel: secureboot: Secure boot disabled
abr 28 15:25:59 localhost kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: da89dc82efa50f451409029d285397e520ec4a61'
abr 28 15:25:59 localhost kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: da89dc82efa50f451409029d285397e520ec4a61'

journal logs from last time secure boot was enabled (~2 weeks ago):

abr 16 09:59:20 localhost kernel: secureboot: Secure boot enabled
abr 16 09:59:20 localhost kernel: Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
abr 16 09:59:20 localhost kernel: secureboot: Secure boot enabled
abr 16 09:59:20 localhost kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: da89dc82efa50f451409029d285397e520ec4a61'
abr 16 09:59:20 localhost kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: da89dc82efa50f451409029d285397e520ec4a61'
abr 16 09:59:20 localhost kernel: integrity: Loaded X.509 cert 'openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762'
abr 16 10:04:25 localhost kernel: secureboot: Secure boot enabled
abr 16 10:04:25 localhost kernel: Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
abr 16 10:04:25 localhost kernel: secureboot: Secure boot enabled
abr 16 10:04:25 localhost kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: da89dc82efa50f451409029d285397e520ec4a61'
abr 16 10:04:25 localhost kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: da89dc82efa50f451409029d285397e520ec4a61'
abr 16 10:04:25 localhost kernel: integrity: Loaded X.509 cert 'openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762'
abr 16 10:08:40 localhost kernel: secureboot: Secure boot disabled
abr 16 10:08:40 localhost kernel: secureboot: Secure boot disabled
abr 16 10:08:40 localhost kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: da89dc82efa50f451409029d285397e520ec4a61'
abr 16 10:08:40 localhost kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: da89dc82efa50f451409029d285397e520ec4a61'

I have seen the X.509 cert error since I installed the distro; didn’t seem to have any effect on secure boot, and keys were properly enrolled and secure boot was working back then

malcolmlewis · April 28, 2026, 2:15pm

@wikiti so go back and work out which day it changed… eg;

journalctl -b 13 | grep -i secure
journalctl -b 12 | grep -i secure
....

wikiti · April 28, 2026, 2:40pm

Not sure if I pinpointed it right, but it seems like it switched to disabled on April 16th, during a morning boot after upgrading:

❯ journalctl -b 50 | grep -i secure
abr 16 09:57:50 localhost kernel: secureboot: Secure boot enabled
abr 16 09:57:50 localhost kernel: Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
abr 16 09:57:50 localhost kernel: secureboot: Secure boot enabled
abr 16 09:57:50 localhost kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: da89dc82efa50f451409029d285397e520ec4a61'
abr 16 09:57:50 localhost kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: da89dc82efa50f451409029d285397e520ec4a61'
abr 16 09:57:50 localhost kernel: integrity: Loaded X.509 cert 'openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762'
abr 16 08:58:13 localhost.localdomain ghostty[5123]: warning(gtk_ghostty_application): unimplemented action=.secure_input
abr 16 08:58:15 localhost.localdomain ghostty[5123]: warning(gtk_ghostty_application): unimplemented action=.secure_input

~ ······················································································· 03:35:25 p. m.
❯ journalctl -b 49 | grep -i secure
abr 16 09:55:45 localhost kernel: secureboot: Secure boot disabled
abr 16 09:55:45 localhost kernel: secureboot: Secure boot disabled
abr 16 09:55:45 localhost kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: da89dc82efa50f451409029d285397e520ec4a61'
abr 16 09:55:45 localhost kernel: Loaded X.509 cert 'openSUSE Secure Boot Signkey: da89dc82efa50f451409029d285397e520ec4a61'
abr 16 08:56:10 localhost.localdomain ghostty[3739]: warning(gtk_ghostty_application): unimplemented action=.secure_input
abr 16 08:56:13 localhost.localdomain ghostty[3739]: warning(gtk_ghostty_application): unimplemented action=.secure_input

I have other days where the secure boot was switching between enabled and disabled

journalctl | grep 'Secure boot'

[before this day, secure boot was always enabled]
abr 07 15:53:20 localhost kernel: secureboot: Secure boot enabled
abr 08 10:15:38 localhost kernel: secureboot: Secure boot disabled
abr 08 10:15:38 localhost kernel: secureboot: Secure boot disabled
abr 08 10:20:36 localhost kernel: secureboot: Secure boot disabled
abr 08 10:20:36 localhost kernel: secureboot: Secure boot disabled
abr 08 19:25:52 localhost kernel: secureboot: Secure boot enabled
abr 08 19:25:52 localhost kernel: secureboot: Secure boot enabled
abr 08 19:27:11 localhost kernel: secureboot: Secure boot enabled
abr 08 19:27:11 localhost kernel: secureboot: Secure boot enabled
abr 08 19:28:41 localhost kernel: secureboot: Secure boot enabled
abr 08 19:28:41 localhost kernel: secureboot: Secure boot enabled
abr 08 19:31:47 localhost kernel: secureboot: Secure boot enabled
abr 08 19:31:47 localhost kernel: secureboot: Secure boot enabled
abr 08 19:32:37 localhost kernel: secureboot: Secure boot enabled
abr 08 19:32:37 localhost kernel: secureboot: Secure boot enabled
abr 08 19:35:08 localhost kernel: secureboot: Secure boot enabled
abr 08 19:35:08 localhost kernel: secureboot: Secure boot enabled
abr 08 19:36:36 localhost kernel: secureboot: Secure boot enabled
abr 08 19:36:36 localhost kernel: secureboot: Secure boot enabled
abr 08 19:37:32 localhost kernel: secureboot: Secure boot enabled
abr 08 19:37:32 localhost kernel: secureboot: Secure boot enabled
abr 08 19:39:06 localhost kernel: secureboot: Secure boot enabled
abr 08 19:39:06 localhost kernel: secureboot: Secure boot enabled
abr 08 19:41:46 localhost kernel: secureboot: Secure boot enabled
abr 08 19:41:46 localhost kernel: secureboot: Secure boot enabled
abr 08 21:31:16 localhost kernel: secureboot: Secure boot enabled
abr 08 21:31:16 localhost kernel: secureboot: Secure boot enabled
abr 08 21:41:20 localhost kernel: secureboot: Secure boot enabled
abr 08 21:41:20 localhost kernel: secureboot: Secure boot enabled
abr 08 21:43:42 localhost kernel: secureboot: Secure boot disabled
abr 08 21:43:42 localhost kernel: secureboot: Secure boot disabled
abr 09 10:31:24 localhost kernel: secureboot: Secure boot disabled
abr 09 10:31:24 localhost kernel: secureboot: Secure boot disabled
abr 10 10:00:12 localhost kernel: secureboot: Secure boot disabled
abr 10 10:00:12 localhost kernel: secureboot: Secure boot disabled
abr 10 14:34:52 localhost kernel: secureboot: Secure boot disabled
abr 10 14:34:52 localhost kernel: secureboot: Secure boot disabled
abr 10 22:32:11 localhost kernel: secureboot: Secure boot disabled
abr 10 22:32:11 localhost kernel: secureboot: Secure boot disabled
abr 11 10:54:42 localhost kernel: secureboot: Secure boot disabled
abr 11 10:54:42 localhost kernel: secureboot: Secure boot disabled
abr 11 20:21:20 localhost kernel: secureboot: Secure boot disabled
abr 11 20:21:20 localhost kernel: secureboot: Secure boot disabled
abr 12 11:43:02 localhost kernel: secureboot: Secure boot disabled
abr 12 11:43:02 localhost kernel: secureboot: Secure boot disabled
abr 13 10:21:39 localhost kernel: secureboot: Secure boot disabled
abr 13 10:21:39 localhost kernel: secureboot: Secure boot disabled
abr 13 17:28:27 localhost kernel: secureboot: Secure boot disabled
abr 13 17:28:27 localhost kernel: secureboot: Secure boot disabled
abr 14 10:19:50 localhost kernel: secureboot: Secure boot disabled
abr 14 10:19:50 localhost kernel: secureboot: Secure boot disabled
abr 15 10:26:49 localhost kernel: secureboot: Secure boot disabled
abr 15 10:26:49 localhost kernel: secureboot: Secure boot disabled
abr 15 10:44:28 localhost kernel: secureboot: Secure boot disabled
abr 15 10:44:28 localhost kernel: secureboot: Secure boot disabled
abr 16 09:19:17 localhost kernel: secureboot: Secure boot enabled
abr 16 09:19:17 localhost kernel: secureboot: Secure boot enabled
abr 16 09:24:37 localhost kernel: secureboot: Secure boot enabled
abr 16 09:24:37 localhost kernel: secureboot: Secure boot enabled
abr 16 09:29:16 localhost kernel: secureboot: Secure boot enabled
abr 16 09:29:16 localhost kernel: secureboot: Secure boot enabled
abr 16 09:32:32 localhost kernel: secureboot: Secure boot enabled
abr 16 09:32:32 localhost kernel: secureboot: Secure boot enabled
abr 16 09:40:12 localhost kernel: secureboot: Secure boot enabled
abr 16 09:40:12 localhost kernel: secureboot: Secure boot enabled
abr 16 09:41:31 localhost kernel: secureboot: Secure boot enabled
abr 16 09:41:31 localhost kernel: secureboot: Secure boot enabled
abr 16 09:42:34 localhost kernel: secureboot: Secure boot enabled
abr 16 09:42:34 localhost kernel: secureboot: Secure boot enabled
abr 16 09:44:33 localhost kernel: secureboot: Secure boot enabled
abr 16 09:44:33 localhost kernel: secureboot: Secure boot enabled
abr 16 09:45:29 localhost kernel: secureboot: Secure boot enabled
abr 16 09:45:29 localhost kernel: secureboot: Secure boot enabled
abr 16 09:50:59 localhost kernel: secureboot: Secure boot enabled
abr 16 09:50:59 localhost kernel: secureboot: Secure boot enabled
abr 16 09:55:45 localhost kernel: secureboot: Secure boot disabled
abr 16 09:55:45 localhost kernel: secureboot: Secure boot disabled
abr 16 09:57:50 localhost kernel: secureboot: Secure boot enabled
abr 16 09:57:50 localhost kernel: secureboot: Secure boot enabled
abr 16 09:59:20 localhost kernel: secureboot: Secure boot enabled
abr 16 09:59:20 localhost kernel: secureboot: Secure boot enabled
abr 16 10:04:25 localhost kernel: secureboot: Secure boot enabled
abr 16 10:04:25 localhost kernel: secureboot: Secure boot enabled
abr 16 10:08:40 localhost kernel: secureboot: Secure boot disabled
[from that, secure boot was always disabled]

malcolmlewis · April 28, 2026, 3:02pm

New Tumbleweed snapshot 20260415 released!
Which brought kernel-source (6.19.11 → 6.19.12)

So might be a regression for your hardware… Sounds like bug report time, there is a link in the Forum side panel.

wikiti · April 28, 2026, 4:13pm

Interesting. I though as well about the kernel version bump back when I was having issues. However, I tried booting with a different snapper image that uses 6.19.11, and I still see the same issue

❯ uname -r
6.19.11-1-default

❯ mokutil --sb-state
This system doesn't support Secure Boot

Would this be expected in this buggy situation?