Comment # 32 on bug 1175626 from Gary Ching-Pang Lin

(In reply to John Shaw from comment #30)
> (In reply to Martin Wilck from comment #29)
> > (In reply to Gary Ching-Pang Lin from comment #27)
> > > I'm working on the shim update to install MokManager to \EFI\Boot.
> > 
> > Just in case someone else is wondering, too: I asked myself what effect this
> > might have on dual-boot or multi-boot systems, where \EFI\Boot is shared
> > between OSes. I talked to Gary about that, and he explained to me that the
> > shim-install script will only touch \EFI\Boot if it detects an (open)SUSE
> > shim.efi (by looking at the CA cert). So it shouldn't be an issue.
> 
> I just installed the new shim package with this fix. I have kernel
> 5.3.18-lp152.36 as the default, and this still does not boot with SecureBoot
> enabled in the BIOS (at least it boots if its disabled;). I verified that
> /boot/efi/efi/boot contains: bootx64.efi fallback.efi MokManager.efi
> 
Could you elaborate the failure? Was there any message? Did the grub2 menu
show?

> Reading some other comments, it looks like this really should have worked.
> The newer kernel was in place before the new shim package was installed. Do
> I have to do something else like (with Yast) reinstall the boot loader or
> clear the old certificates from the BIOS? I am running OpenSuSE leap 15.2 on
> an Asus Z170-A MB (latest BIOS). Yast still offers the old version 14 of the
> shim package.

Could you post the output of the following commands?

  $ mokutil --list-new

  $ pesign -S -i /boot/efi/EFI/boot/bootx64.efi
  $ pesign -S -i /boot/efi/EFI/boot/MokManager.efi
  $ pesign -S -i /boot/efi/EFI/boot/fallback.efi
  $ pesign -S -i /boot/efi/EFI/opensuse/shim.efi