(In reply to Reinhold Patzer from comment #104) > I ask myself: Why must the kernel check certificates if > secureboot isn't enabled? Kernel module signature checking is an independent feature that goes along well with secure boot. That doesn't mean it is, or should be, tied to SB. Various circumstances can cause the kernel to treat missing or bad module signatures as fatal errors; SB is one of them, because it enables "integrity" lockdown mode. Check the contents of /sys/kernel/security/lockdown to see if lockdown is enabled on your system. However, I don't see any evidence in your posts on this bug that the issue you're seeing is related to signature checking. > [ ... BIOS setup options, Windows WHQL ... ] If you find your BIOS setup options illogical, misleading, and too Windows-focused, you're not alone. Please talk to your HW vendor. > I see neither BIOS boot, nor BIOS setup nor opensuse boot menu: > it boots right into the first opensuse boot manager entry, > without any chance to intervene. That's normal behavior. The EFI boot manager has a default entry, which is immediately booted when set. You have to hit a key (usually F12) during boot to enter the BIOS boot menu. > I did choose the opensuse-secureboot to boot To be clear: that doesn't mean this option enables secure boot. It just takes the necessary steps for booting _when secure boot is enabled in the BIOS_. You can only enable or disable secure boot in the BIOS. > still, no /var/lib/nvidia-pubkeys directory exists I don't understand what you need it for. You are not using secure boot.