UEFI boot not secure - cannot seem to figure out how to fix.

I have been booting OpenSUSE 15.2 without secureboot - when I try secure boot I get all sorts of errors in grub2 when I select any entry.

Only OpenSUSE 15.2 upgraded from 43.2 > 15.0 > 15.1 > 15.2

Windows came with the laptop and I wiped it out - Here is everything I think that might be important - mokutil, bootctl, fdisk and ll /boot/efi.

I suspect that /boot/efi has the wrong flags, as msftdata is set for that partition - what am I missing?

LLR7:~ # fdisk -l
Disk /dev/nvme0n1: 953.9 GiB, 1024209543168 bytes, 2000409264 sectors
Disk model: PC401 NVMe SK hynix 1TB                 
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: F3A18E11-4B87-4365-955F-A057CC87CF69

Device              Start        End    Sectors   Size Type
/dev/nvme0n1p1       2048    1050623    1048576   512M Microsoft basic data
/dev/nvme0n1p2    1050624 1933301759 1932251136 921.4G Linux filesystem
/dev/nvme0n1p3 1933301760 2000408575   67106816    32G Linux filesystem


Disk /dev/sda: 4.6 TiB, 5000947302400 bytes, 9767475200 sectors
Disk model: easystore 2647  
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: 494884C7-5C9D-4A27-9FF5-B6631D36D85C

Device     Start        End    Sectors  Size Type
/dev/sda1   2048 9767473151 9767471104  4.6T Linux filesystem

LLR7:~ # mokutil --list-enrolled
MokListRT is empty
LLR7:~ # mokutil --list-new
[key 1]
SHA1 Fingerprint: 46:59:83:8c:82:03:fe:15:52:ad:19:e1:86:09:db:21:7e:3a:d2:4f
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
        Validity
            Not Before: Aug 26 16:12:07 2013 GMT
            Not After : Jul 22 16:12:07 2035 GMT
        Subject: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:de:df:61:92:7a:a4:fe:83:d1:7d:3b:68:0e:b1:
                    a7:f0:4e:92:93:fc:47:3e:70:2d:4e:88:dc:9a:9e:
                    fa:33:b4:a6:db:0e:23:c1:0d:a8:c1:d5:65:04:84:
                    04:ff:3a:48:18:4f:39:32:e4:ca:4e:f9:04:9e:9f:
                    0f:cd:20:5d:61:ab:a7:00:d8:a5:ff:2b:7f:be:e8:
                    47:c3:2f:5b:02:c8:bb:de:8e:1a:e9:46:d3:86:ef:
                    ff:88:99:90:eb:10:89:b8:8b:3f:3e:a8:07:c6:55:
                    7a:6e:d3:5f:fc:83:3c:3d:16:ed:26:c5:13:73:92:
                    b1:70:1e:22:95:c8:00:6c:25:76:46:f1:a2:d9:d0:
                    b0:98:68:0f:a7:2d:b1:0d:67:89:ca:94:4a:ea:12:
                    c5:91:55:76:7f:6c:7a:2e:f9:18:89:9f:f8:f4:24:
                    43:d5:35:6a:cb:00:0e:2e:ed:4b:e2:5d:09:d8:1b:
                    97:70:99:9e:5a:6f:a6:81:a8:9d:a9:58:76:7d:69:
                    71:82:d3:ba:3a:96:43:9b:f0:da:15:c6:4e:e9:c8:
                    15:b9:e9:cb:c7:e4:71:ce:ea:10:1b:6b:c4:2a:70:
                    01:a9:52:b4:17:de:00:52:cf:7d:e4:fd:0f:4d:03:
                    18:b2:90:28:d4:6f:c4:ae:56:bc:36:60:49:46:8b:
                    6b:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                68:42:60:0D:E2:2C:4C:47:7E:95:BE:23:DF:EA:95:13:E5:97:17:62
            X509v3 Authority Key Identifier: 
                keyid:68:42:60:0D:E2:2C:4C:47:7E:95:BE:23:DF:EA:95:13:E5:97:17:62
                DirName:/CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org
                serial:01

            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         8a:a3:89:c2:8e:d9:f9:82:0b:f3:33:ce:e9:19:17:17:a3:65:
         80:cd:33:ae:06:51:56:29:b6:38:87:7b:f4:9d:fc:28:8e:aa:
         e0:53:12:0e:3a:60:c7:06:d8:3a:61:76:3b:77:08:f4:94:a4:
         8c:7c:47:3a:99:d8:84:9b:17:cc:20:62:2e:e2:76:e4:c6:36:
         0d:26:e9:2e:53:35:0a:fb:3a:35:93:45:c3:93:82:c1:0b:f3:
         08:e9:57:1f:59:37:a9:d0:6c:69:fb:68:ea:7f:3b:af:d3:f7:
         59:27:8e:d4:c7:96:73:f4:0c:0a:f7:3e:e4:af:6c:8c:c7:7a:
         6f:09:79:f4:41:1f:e3:6f:11:fb:3e:6c:b1:a0:7b:e4:92:b7:
         ca:f9:32:f5:de:c3:b0:73:7d:e3:b3:82:5d:cd:ec:61:dc:fe:
         0c:3e:c6:b5:e7:6c:2d:5d:92:73:ff:ed:aa:6a:a9:9b:66:9e:
         5e:3a:6d:70:b0:31:c0:ce:df:2f:21:10:68:0c:87:f3:77:a0:
         33:31:0a:0f:15:f6:ee:32:88:c5:9a:53:71:cd:0d:1a:a1:28:
         89:d0:bf:f6:56:ac:4b:3b:36:06:2b:01:c5:eb:e5:dc:72:83:
         3d:94:ac:28:83:13:fb:c1:5d:27:9c:13:f6:32:5f:f6:1f:4a:
         b7:3e:53:8a
LLR7:~ # mokutil --list-enrolled 
MokListRT is empty
LLR7:~ # mokutil --sb-state 
SecureBoot disabled
LLR7:~ # bootctl status
File system "/boot/efi" has wrong type for an EFI System Partition (ESP).
System:
     Firmware: n/a (n/a)
  Secure Boot: disabled
   Setup Mode: user

Current Loader:
      Product: n/a
          ESP: n/a
         File: └─n/a

Boot Loader Binaries:
          ESP: Cannot find or access mount point of ESP.

Boot Loader Entries in EFI Variables:
        Title: opensuse
           ID: 0x0001
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/e3f206ca-dc85-4f42-9856-7e138611e349
         File: └─/EFI/opensuse/grubx64.efi

        Title: UEFI: PC401 NVMe SK hynix 1TB, Partition 1
           ID: 0x0008
       Status: inactive, boot-order
    Partition: /dev/disk/by-partuuid/e3f206ca-dc85-4f42-9856-7e138611e349
         File: └─EFI/boot/bootx64.efi

        Title: Windows Boot Manager
           ID: 0x0000
       Status: active
    Partition: /dev/disk/by-partuuid/0cba2aae-06ac-48e2-b8d7-d53306fbd1a2
         File: └─/EFI/Microsoft/Boot/bootmgfw.efi

LLR7:~ # ll -R /boot/efi
/boot/efi:
total 8
drwxr-xr-x 4 root root 4096 Dec 20  2019 EFI
-rwxr-xr-x 1 root root 1144 Feb  3 14:16 shim-opensuse.der

/boot/efi/EFI:
total 8
drwxr-xr-x 2 root root 4096 Jan 23 23:04 boot
drwxr-xr-x 2 root root 4096 Oct  3 10:37 opensuse

/boot/efi/EFI/boot:
total 3728
-rwxr-xr-x 1 root root 1263312 Nov 16 09:03 MokManager.efi
-rwxr-xr-x 1 root root 1336112 Nov 16 09:03 bootx64.efi
-rwxr-xr-x 1 root root 1209656 Nov 16 09:03 fallback.efi

/boot/efi/EFI/opensuse:
total 3500
-rwxr-xr-x 1 root root 1158688 Dec 20  2019 MokManager.efi
-rwxr-xr-x 1 root root      58 Dec 20  2019 boot.csv
-rwxr-xr-x 1 root root     155 Dec 20  2019 grub.cfg
-rwxr-xr-x 1 root root 1062752 Dec 20  2019 grub.efi
-rwxr-xr-x 1 root root  139264 Feb  2 08:29 grubx64.efi
-rwxr-xr-x 1 root root 1208968 Dec 20  2019 shim.efi
LLR7:~ # 

AFAIK, to begin with, secure boot must be supported by the system and switched on in the BIOS.

Hi
Can you show the disk output via gdisk rather than fdisk? Looks to me like the EFI partition is not type ef00 but 0700, hence the warning in your output.

It is hard to tell what is wrong from what you have provided. Can you give us the output from

parted -l

100% of all NVMe machines have Secure Boot in the BIOS. All new Dells cannot boot the internal drive in BIOS mode.

How do I change the 0700 to ef00 in parted or gparted - is that boot or some other flag?

LLR7:~ # parted -l
Model: WD easystore 2647 (scsi)
Disk /dev/sda: 5001GB
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system  Name  Flags
 1      1049kB  5001GB  5001GB  ext4


Model: NVMe Device (nvme)
Disk /dev/nvme0n1: 1024GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system     Name  Flags
 1      1049kB  538MB   537MB   fat32                 msftdata
 2      538MB   990GB   989GB   ext4
 3      990GB   1024GB  34.4GB  linux-swap(v1)


LLR7:~ # 

Hi
And here is mine to compare…


 parted -l
Model: ATA WDC WDS250G2B0B- (scsi)
Disk /dev/sda: 250GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system     Name              Flags
 1      1049kB  274MB   273MB   fat16           EFI System        boot, esp <=====
 2      274MB   1079MB  805MB   btrfs           Linux filesystem
 3      1079MB  248GB   247GB   xfs             Linux filesystem
 4      248GB   250GB   2020MB  linux-swap(v1)  Linux swap        swap


Model: WDC WDS250G1B0C-00S6U0 (nvme)
Disk /dev/nvme0n1: 250GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system  Name  Flags
 1      1049kB  43.0GB  42.9GB  btrfs
 2      43.0GB  250GB   207GB   xfs

Change the type to ef00 via gdisk.

That’s the boot flag.

Perhaps

parted /dev/nvme0n1 set 1 boot on

Or use “gdisk” and change the partition type to EF00. I normally use “gdisk” for that change.
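The advice above is to retype partition 1 from Microsoft basic data (gdisk code 0700) to EFI System (gdisk code ef00). The following is an added example, not code from the thread or from openSUSE: a small POSIX shell check that reads the NAME, PARTTYPE and FSTYPE columns as printed by `lsblk -rno NAME,PARTTYPE,FSTYPE` and flags a FAT partition whose GPT type GUID is not the EFI System Partition GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b). The sample input is constructed to mirror the nvme0n1 layout in this thread; the type GUIDs for p2 and p3 are assumed, and the `sgdisk`/`parted` commands at the end are shown as comments only.

```shell
#!/bin/sh
# Added example for this thread, not the poster's or openSUSE's code.
# Flags a FAT partition whose GPT type GUID is not "EFI System" (ef00).

ESP_GUID="c12a7328-f81f-11d2-ba4b-00a0c93ec93b"   # EFI System Partition, gdisk ef00
MSBD_GUID="ebd0a0a2-b9e5-4433-87c0-68b6b72699c7"  # Microsoft basic data, gdisk 0700

# Map a GPT partition-type GUID (any case) to the name lsblk/parted would show.
parttype_name() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        "$ESP_GUID")  echo "EFI System" ;;
        "$MSBD_GUID") echo "Microsoft basic data" ;;
        *)            echo "other" ;;
    esac
}

# Read "NAME PARTTYPE FSTYPE" lines on stdin (the format of
# `lsblk -rno NAME,PARTTYPE,FSTYPE`) and print one line for every FAT
# partition that is not typed as an EFI System Partition. Prints nothing
# when the layout is fine.
find_mistyped_esp() {
    while read -r name ptype fstype; do
        case "$fstype" in
            vfat|fat32|fat16) ;;
            *) continue ;;
        esac
        if [ "$(parttype_name "$ptype")" != "EFI System" ]; then
            echo "$name: FAT partition typed '$(parttype_name "$ptype")', expected EFI System (ef00)"
        fi
    done
}

# Constructed sample input mirroring the nvme0n1 layout in the thread
# (p1 is FAT but typed as Microsoft basic data; the p2/p3 GUIDs are assumed).
SAMPLE_LSBLK='nvme0n1p1 ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 vfat
nvme0n1p2 0fc63daf-8483-4772-8e79-3d69d8477de4 ext4
nvme0n1p3 0fc63daf-8483-4772-8e79-3d69d8477de4 swap'

printf '%s\n' "$SAMPLE_LSBLK" | find_mistyped_esp
# -> nvme0n1p1: FAT partition typed 'Microsoft basic data', expected EFI System (ef00)

# On the real machine, run the check against lsblk and then retype the
# partition (either command rewrites only the GPT type code, not the filesystem):
#   lsblk -rno NAME,PARTTYPE,FSTYPE | find_mistyped_esp
#   sgdisk --typecode=1:ef00 /dev/nvme0n1      # gdisk's non-interactive sibling
#   parted /dev/nvme0n1 set 1 esp on           # same result via parted
```

Retyping changes nothing inside the partition, so the existing FAT filesystem and the files under /boot/efi stay as they are; the firmware and `bootctl` simply start recognising the partition as the ESP.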

OK, that is changed but still not secure boot - what is the next step to secure boot?

LLR7:~ # parted -l
Model: WD easystore 2647 (scsi)
Disk /dev/sda: 5001GB
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system  Name  Flags
 1      1049kB  5001GB  5001GB  ext4


Model: NVMe Device (nvme)
Disk /dev/nvme0n1: 1024GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system     Name  Flags
 1      1049kB  538MB   537MB   fat32                 boot, esp
 2      538MB   990GB   989GB   ext4
 3      990GB   1024GB  34.4GB  linux-swap(v1)


LLR7:~ # mokutil --sb-state 
SecureBoot disabled
LLR7:~ # bootctl status
Using EFI System Partition at /boot/efi.
System:
     Firmware: n/a (n/a)
  Secure Boot: disabled
   Setup Mode: user

Current Loader:
      Product: n/a
          ESP: n/a
         File: └─n/a

Boot Loader Binaries:
          ESP: /boot/efi (/dev/disk/by-partuuid/e3f206ca-dc85-4f42-9856-7e138611e349)
systemd-boot not installed in ESP.
         File: └─/EFI/BOOT/bootx64.efi

Boot Loader Entries in EFI Variables:
        Title: opensuse
           ID: 0x0001
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/e3f206ca-dc85-4f42-9856-7e138611e349
         File: └─/EFI/opensuse/grubx64.efi

        Title: UEFI: PC401 NVMe SK hynix 1TB, Partition 1
           ID: 0x0008
       Status: inactive, boot-order
    Partition: /dev/disk/by-partuuid/e3f206ca-dc85-4f42-9856-7e138611e349
         File: └─EFI/boot/bootx64.efi

        Title: Windows Boot Manager
           ID: 0x0000
       Status: active
    Partition: /dev/disk/by-partuuid/0cba2aae-06ac-48e2-b8d7-d53306fbd1a2
         File: └─/EFI/Microsoft/Boot/bootmgfw.efi

LLR7:~ # 

Hi
So no Windows on this system? If so, I would remove the Windows boot manager entry. Can you post the output from:


efibootmgr -v

In the interim, you should just be able to fire up YaST2 -> Bootloader, ensure secure boot is checked and remove 'probe foreign OS' if only single boot.

The YaST bootloader tells me my config is invalid and wants to make a new one.

LLR7:~ # efibootmgr -v
BootCurrent: 0001
Timeout: 2 seconds
BootOrder: 0001,0004,0005,0006,0007,0008
Boot0000* Windows Boot Manager    HD(1,GPT,0cba2aae-06ac-48e2-b8d7-d53306fbd1a2,0x800,0x32000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...a................
Boot0001* opensuse    HD(1,GPT,e3f206ca-dc85-4f42-9856-7e138611e349,0x800,0x100000)/File(\EFI\opensuse\grubx64.efi)
Boot0002  Onboard NIC(IPV6)    PciRoot(0x0)/Pci(0x1f,0x6)/MAC(98e7436ac947,0)/IPv6(::]:<->::]:,0,0)..BO
Boot0004* Diskette Drive    BBS(Floppy,Diskette Drive,0x0)..BO
Boot0005* USB Storage Device    BBS(USB,USB Storage Device,0x0)..BO
Boot0006* CD/DVD/CD-RW Drive    BBS(CDROM,CD/DVD/CD-RW Drive,0x0)..BO
Boot0007* Onboard NIC    BBS(Network,Onboard NIC,0x0)..BO
Boot0008  UEFI: PC401 NVMe SK hynix 1TB, Partition 1    HD(1,GPT,e3f206ca-dc85-4f42-9856-7e138611e349,0x800,0x100000)/File(EFI\boot\bootx64.efi)..BO
LLR7:~ # 

Run Yast Boot loader.

It should tell you that the boot loader is “GRUB for EFI”.

Check the box “Enable secure boot support”. That should reinstall booting and create the NVRAM entry needed.

After that, you should be able to turn on secure-boot in your BIOS.

I want to put up an image for yast-bootloader to show the unsupported configuration.

pastebin only does text?

Hi
If it’s not big, you can upload here or https://susepaste.org

Hi
So no Windows present? If so, as root user run:


efibootmgr -b 0 -B 0

That will remove it (I would probably remove 8 as well... but that's just me...)
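The `efibootmgr -v` listing earlier in the thread shows two things worth checking before touching NVRAM: Boot0000 (Windows Boot Manager) points at a GPT partition GUID (0cba2aae-...) that belongs to the wiped Windows disk layout, and Boot0001 (opensuse) starts \EFI\opensuse\grubx64.efi directly rather than \EFI\opensuse\shim.efi. Under Secure Boot the firmware only starts a binary signed by a key in its db; on openSUSE that first stage is shim.efi, which then verifies grub.efi, so an entry that starts GRUB without shim is the kind of entry that fails once Secure Boot is switched on. The following is an added example, not code from the thread or from openSUSE: POSIX shell functions that audit `efibootmgr -v` text offline for stale entries and for the loader each entry starts. The sample input is constructed from the entries posted in the thread (abbreviated), and the list of PARTUUIDs present on the machine is assumed to contain only the openSUSE ESP.

```shell
#!/bin/sh
# Added example for this thread, not the poster's or openSUSE's code.
# Audits `efibootmgr -v` output offline: which entries point at a GPT
# partition that no longer exists, and which loader each entry starts.

# Report entries whose HD(n,GPT,GUID,...) partition GUID is not in $1, a
# space-separated list of PARTUUIDs present on the machine
# (on a live system: "$(lsblk -rno PARTUUID | tr '\n' ' ')").
# Input: `efibootmgr -v` text on stdin.
stale_boot_entries() {
    present=" $(printf '%s' "$1" | tr 'A-Z' 'a-z') "
    sed -n 's/^Boot\([0-9A-Fa-f]\{4\}\)\*\{0,1\}.*HD([0-9]*,GPT,\([0-9A-Fa-f-]*\),.*$/\1 \2/p' |
    while read -r num guid; do
        guid=$(printf '%s' "$guid" | tr 'A-Z' 'a-z')
        case "$present" in
            *" $guid "*) ;;
            *) echo "Boot$num references missing partition $guid" ;;
        esac
    done
}

# Print the loader path of entry $1 (four hex digits) exactly as written
# inside File(...). Input: `efibootmgr -v` text on stdin.
loader_of_entry() {
    sed -n "s/^Boot$1\*\{0,1\}.*File(\([^)]*\)).*$/\1/p"
}

# True when the loader's file name is shim (shim.efi, shimx64.efi, ...),
# i.e. the entry enters the Secure Boot chain through shim rather than
# starting GRUB directly. Backslash and slash separators are both accepted.
first_stage_is_shim() {
    case "$(printf '%s' "$1" | sed 's/.*[\\/]//')" in
        shim*.efi) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed sample: the entries posted in the thread, abbreviated.
SAMPLE_EFIBOOTMGR='BootCurrent: 0001
BootOrder: 0001,0004,0008
Boot0000* Windows Boot Manager    HD(1,GPT,0cba2aae-06ac-48e2-b8d7-d53306fbd1a2,0x800,0x32000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS...
Boot0001* opensuse    HD(1,GPT,e3f206ca-dc85-4f42-9856-7e138611e349,0x800,0x100000)/File(\EFI\opensuse\grubx64.efi)
Boot0004* Diskette Drive    BBS(Floppy,Diskette Drive,0x0)..BO
Boot0008  UEFI: PC401 NVMe SK hynix 1TB, Partition 1    HD(1,GPT,e3f206ca-dc85-4f42-9856-7e138611e349,0x800,0x100000)/File(EFI\boot\bootx64.efi)..BO'

# PARTUUIDs present on the sample machine (assumed: only the openSUSE ESP).
PRESENT="e3f206ca-dc85-4f42-9856-7e138611e349"

printf '%s\n' "$SAMPLE_EFIBOOTMGR" | stale_boot_entries "$PRESENT"
# -> Boot0000 references missing partition 0cba2aae-06ac-48e2-b8d7-d53306fbd1a2

loader=$(printf '%s\n' "$SAMPLE_EFIBOOTMGR" | loader_of_entry 0001)
if first_stage_is_shim "$loader"; then
    printf 'Boot0001 starts %s (shim first: fine for Secure Boot)\n' "$loader"
else
    printf 'Boot0001 starts %s (not shim: expect failures once Secure Boot is on)\n' "$loader"
fi

# On the real machine:
#   efibootmgr -v | stale_boot_entries "$(lsblk -rno PARTUUID | tr '\n' ' ')"
#   efibootmgr -b 0000 -B        # delete the stale Windows entry, as suggested above
```

Only delete an entry that the audit reports as stale or that you have otherwise confirmed; `efibootmgr -b NNNN -B` removes it from NVRAM immediately, and entry numbers are reused when new entries are created, so re-run `efibootmgr -v` after each change rather than relying on the numbers from an earlier listing.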

URL: https://susepaste.org/27916644

Just to jog my memory

This image started on a Dell D830 and migrated to a Dell E7440 (SSD just moved - both were BIOS and no UEFI). The Dell E7440 had my first Secure Boot OpenSUSE VirtualBox image, 15.0 - it has upgraded with no issues to 15.1 and 15.2.

Then I bought a Dell 7490 - no BIOS boot, so I created the /boot/efi partition and copied the files from my USB-bootable, Secure Boot-capable UEFI OpenSUSE 15.2.

I had to change all the UUIDs as they were /dev/sda and not /dev/nvme0n1, so I made all the proper changes to /etc/fstab and ran mkinitrd to point to the correct UUIDs, but it never was secure boot.

I think I need to do something in the Grub boot menu to do something with mokutil but I have no idea what.

I have never used Sysadmin or YaST - always command line; 48 years of Unix/Linux command line is hard to break. (I actually wrote a few Sysadmin scripts when I was at AT&T - mostly to fsck broken file systems before journaling file systems were available.)

Hi
So what happens when you hit the propose button? It will likely start pointing at the correct disk... did you check the /etc/default/grub file?

I am afraid to do that until I back it up again. I think that caused the root file system to disappear on one try a few days ago. I had to restore it.

I am not sure if nouveau.modeset=0 is needed, but it does not cause any problems - I like the old eth0 names, and USB disconnects the attached drives without the usbcore entry.

LLR7:~ # cat /etc/default/grub
# If you change this file, run 'grub2-mkconfig -o /boot/grub2/grub.cfg' afterwards to update
# /boot/grub2/grub.cfg.

# Uncomment to set your own custom distributor. If you leave it unset or empty, the default
# policy is to determine the value from /etc/os-release
GRUB_DISTRIBUTOR=
GRUB_DEFAULT=saved
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=8
GRUB_CMDLINE_LINUX_DEFAULT="splash=verbose showopts nouveau.modeset=0 net.ifnames=0 usbcore.autosuspend=-1"
GRUB_CMDLINE_LINUX=""

# Uncomment to automatically save last booted menu entry in GRUB2 environment

# variable `saved_entry'
# GRUB_SAVEDEFAULT="true"
#Uncomment to enable BadRAM filtering, modify to suit your needs

# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
# GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
#Uncomment to disable graphical terminal (grub-pc only)

GRUB_TERMINAL="gfxterm"
# The resolution used on graphical terminal
#note that you can use only modes which your graphic card supports via VBE

# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE="1280x1024x32"
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
# GRUB_DISABLE_LINUX_UUID=true
#Uncomment to disable generation of recovery mode menu entries

# GRUB_DISABLE_LINUX_RECOVERY="true"
#Uncomment to get a beep at grub start

# GRUB_INIT_TUNE="480 440 1"
GRUB_BACKGROUND=
GRUB_THEME=/boot/grub2/themes/openSUSE/theme.txt
SUSE_BTRFS_SNAPSHOT_BOOTING="true"
GRUB_DISABLE_OS_PROBER="false"
GRUB_ENABLE_CRYPTODISK="n"
LLR7:~ # 

Hi
So nothing referring to the UUID it can’t find…

You can’t see that UUID in the output (as root user) from the blkid command?

I did it - I lost the green grub menu but I got Secure Boot. I had to enable it in the BIOS - Thank you.