(In reply to John Shaw from comment #30) > (In reply to Martin Wilck from comment #29) > > (In reply to Gary Ching-Pang Lin from comment #27) > > > I'm working on the shim update to install MokManager to \EFI\Boot. > > > > Just in case someone else is wondering, too: I asked myself what effect this > > might have on dual-boot or multi-boot systems, where \EFI\Boot is shared > > between OSes. I talked to Gary about that, and he explained to me that the > > shim-install script will only touch \EFI\Boot if it detects an (open)SUSE > > shim.efi (by looking at the CA cert). So it shouldn't be an issue. > > I just installed the new shim package with this fix. I have kernel > 5.3.18-lp152.36 as the default, and this still does not boot with SecureBoot > enabled in the BIOS (at least it boots if its disabled;). I verified that > /boot/efi/efi/boot contains: bootx64.efi fallback.efi MokManager.efi > Could you elaborate the failure? Was there any message? Did the grub2 menu show? > Reading some other comments, it looks like this really should have worked. > The newer kernel was in place before the new shim package was installed. Do > I have to do something else like (with Yast) reinstall the boot loader or > clear the old certificates from the BIOS? I am running OpenSuSE leap 15.2 on > an Asus Z170-A MB (latest BIOS). Yast still offers the old version 14 of the > shim package. Could you post the output of the following commands? $ mokutil --list-new $ pesign -S -i /boot/efi/EFI/boot/bootx64.efi $ pesign -S -i /boot/efi/EFI/boot/MokManager.efi $ pesign -S -i /boot/efi/EFI/boot/fallback.efi $ pesign -S -i /boot/efi/EFI/opensuse/shim.efi