Secure Boot is always enabled here with the stock kernel, dual boot or not. We get a new kernel twice a week.
It is not rare that we have to boot into MoK to sign Linux kernel modules or for a GRUB update.
There are two types of questions in that blue screen, or MokManager, when Secure Boot is enabled:
- A new kernel may, though not always, ask to enroll the new key. Just click continue to reboot to enroll it*.
- A GRUB update comes with another type of message, but you have a clear indication of how to enroll the key.
In both cases, avoid going into other places in MoK. *openSUSE applies a minimum change in that area.
- The root password is always asked for when the machine boots into MoK by itself. If it is not working, try 12345678.
Make sure that entering MoK comes from a new kernel or a GRUB update, i.e. from openSUSE, because you may have to deal with some malware instances.
So, check for incoming updates in the terminal, more specifically for GRUB (every 3 months on average) and/or a new kernel, whether you compile it yourself or it comes from regular updates.
A fresh install is another reason why the computer boots into MoK, but it implies that a new kernel or Kernel repo+ is enabled.
mokutil --help
If for some reason MoK gets contaminated or is stuck in an endless loop, run the following command, or disable Secure Boot and run it afterwards:
mokutil --reset
For security reasons, all of this is because Microsoft owns Secure Boot and lets no one play there easily.
Check the Secure Boot state:
mokutil --sb-state
See the openSUSE keys, or those of any other distro:
mokutil --list-enrolled
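
Added example (not part of the original post): a shell check for the advice above about making sure a MokManager prompt really comes from your own kernel or GRUB update. It compares the keys queued for enrollment (`mokutil --list-new`) with a file of fingerprints you expect; the file argument, the function names and the sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Assumption: mokutil prints one
# "SHA1 Fingerprint: xx:xx:..." line per key in its listings.

# Read a mokutil key listing on stdin; print normalized fingerprints.
mok_fingerprints() {
    sed -n 's/^SHA1 Fingerprint: *//p' | tr 'A-F' 'a-f' | sort -u
}

# $1 = pending fingerprints, $2 = expected fingerprints (whitespace separated).
# Prints each pending fingerprint that is not expected; nothing if all match.
unexpected_requests() {
    expected=" $(echo $2 | tr 'A-F' 'a-f') "
    for fp in $1; do
        case "$expected" in
            *" $fp "*) ;;
            *) echo "$fp" ;;
        esac
    done
}

# Constructed sample in the shape of `mokutil --list-new` output (not real keys).
SAMPLE_LIST_NEW='[key 1]
SHA1 Fingerprint: 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67
Certificate:
    Data:
        Version: 3 (0x2)
[key 2]
SHA1 Fingerprint: de:ad:be:ef:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
Certificate:
    Data:
        Version: 3 (0x2)'
SAMPLE_EXPECTED='01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67'

# Live use: sh check-mok.sh expected-fingerprints.txt (hypothetical names).
if [ -n "${1:-}" ] && command -v mokutil >/dev/null 2>&1; then
    pending=$(mokutil --list-new 2>/dev/null | mok_fingerprints)
    if [ -z "$pending" ]; then
        echo "No pending MOK enrollment requests found."
        exit 0
    fi
    bad=$(unexpected_requests "$pending" "$(cat "$1")")
    if [ -n "$bad" ]; then
        echo "Pending MOK requests not in $1:"; echo "$bad"
        exit 1
    fi
    echo "All pending MOK requests match $1."
fi
```

Run it before rebooting after an update: a fingerprint reported as unexpected is a request you did not make, and it can be left unenrolled at the MokManager screen.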