Comment # 110 on bug 1173158 from Martin Wilck

(In reply to Reinhold Patzer from comment #104)

> I ask myself: Why must the kernel check certificates if
> secureboot isn't enabled?

Kernel module signature checking is an independent feature that goes along well
with secure boot. That doesn't mean it is, or should be, tied to SB.
Various circumstances can cause the kernel to treat missing or bad module
signatures as fatal errors; SB is one of them, because it enables "integrity"
lockdown mode. Check the contents of /sys/kernel/security/lockdown to see if
lockdown is enabled on your system.

However, I don't see any evidence in your posts on this bug that the issue
you're seeing is related to signature checking. 

> [ ... BIOS setup options, Windows WHQL ... ]

If you find your BIOS setup options illogical, misleading, and too
Windows-focused, you're not alone. Please talk to your HW vendor.

> I see neither BIOS boot, nor BIOS setup nor opensuse boot menu:
> it boots right into the first opensuse boot manager entry,
> without any chance to intervene.

That's normal behavior. The EFI boot manager has a default entry, which is
immediately booted when set. You have to hit a key (usually F12) during boot to
enter the BIOS boot menu.

> I did choose the opensuse-secureboot to boot

To be clear: that doesn't mean this option enables secure boot. It just takes
the necessary steps for booting _when secure boot is enabled in the BIOS_. You
can only enable or disable secure boot in the BIOS.

> still, no /var/lib/nvidia-pubkeys directory exists

I don't understand what you need it for. You are not using secure boot.