To simplify the boot path, we always boot from shim.efi no matter whether Secure Boot is enabled or not. The kernel postinstall script always invokes "mokutil --import <signkey> --root-pw" and openSUSE Signkey is different from the key (openSUSE CA) embedded in shim, so MokManager shows. It's harmless and can be ignored anyway.