I would like to dual boot my laptop (Thinkpad T14 Gen 5) with openSUSE Tumbleweed, it has Windows 11 installed. However, I'm trying not to disable Secure Boot if possible. Supposedly, openSUSE is currently compatible with Secure Boot.

I’ve already partitioned my SSD and have created a bootable USB drive with the latest openSUSE Tumbleweed Offline Image (openSUSE-Tumbleweed-DVD-x86_64-Snapshot20240801-Media.iso) through Rufus.

When I try to boot from the USB, UEFI returns the following error:

Secure Boot Violation
Invalid signature detected. Check Secure Boot Policy in Setup.

My guess is that this is related to the Secure Boot Authorized Signature Database; my USB's signature probably isn't included in this Allow list so it won't allow it to boot.

My Secure Boot Authorized Signature Database includes:

  • ThinkPad Product CA 2012
  • Lenovo UEFI CA 2014
  • Microsoft Windows Production PCA
  • Windows UEFI CA 2023

The Forbidden Signature Database includes:

  • Canonical Ltd. Secure Boot Signing
  • Debian Secure Boot Signer

I'm guessing I have to enroll the OS's signature into the Authorized Signature Database, but UEFI doesn't recognize any keys/signatures. When I try to select a file to be enrolled, the only selectable items are the following (starting from root on the USB):

```
README.TXT
<EFI>
    <Boot>
        bootaa64.efi
        bootarm.efi
        boota32.efi
        bootx64.efi
```

My actual USB filesystem (viewed from Windows) has two GPG public keys and checksums (.asc files).

Hoping someone here has successfully added Linux signatures and gotten it working through Secure Boot. I saw someone install openSUSE alongside Win11 on YouTube who had no signature issues, so it seems like it's possible.

1 Answer

I figured it out. Posting solution here for others:

  1. Disable Secure Boot through UEFI (Security > Secure Boot).
  2. Boot into Linux installation USB and run installer. During the install make sure you enable Secure Boot support.
    • In the openSUSE installer, you can see this on the summary page (Installation Settings) after you have allocated a partition and selected all your settings. Under “Booting” there should be a list item saying “Enable Secure Boot: yes”. If it doesn’t say yes, change it.
  3. After you install your OS, you need to grab the appropriate key that you’re going to add to UEFI’s Secure Boot Authorized Signature Database. Get a USB with FAT file format to copy the key into.
  4. Go to /usr/share/efi/x86_64/ (lowest folder might be different based on your system architecture)
  5. Copy grub.der into your flash drive.
  6. Restart your system, boot into UEFI Settings. Go to Security > Secure Boot. One of the settings should be something like Key Management.
  7. In Key Management, open the Authorized Signature Database (DB), then Enroll DB.
  8. Select your USB drive, then select the “grub.der” file.
    • Signature GUID is optional (I left it as default)
  9. After you enroll it, you should see your OS's signature in the Authorized Signature Database. openSUSE should be "openSUSE Secure Boot CA". Re-enable Secure Boot and reboot your system. Linux should work with Secure Boot now. Note that BitLocker will probably prompt you to enter your Recovery Key next time you boot into Windows 11 because you messed with Secure Boot.

Some slight variation of these steps should work for most hardware UEFI versions and any distro that supports Secure Boot. I was able to figure this out based on the info here: https://en.opensuse.org/openSUSE:UEFI
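The following script is an added example, not part of the answer above or of openSUSE's own tooling. It automates steps 3 to 5 of the answer from the installed Linux system: it checks the current Secure Boot state with `mokutil`, prints what the firmware will display after "Enroll DB" (the subject, issuer and SHA-256 fingerprint of the DER-encoded certificate), and refuses to copy anything to the USB stick that is not actually a DER certificate. It assumes the certificate path from the answer (`/usr/share/efi/x86_64/grub.der`), a hypothetical USB mount point passed as the second argument, and that `openssl` and `mokutil` are installed.

```shell
#!/bin/sh
# Added example (not from the original post or from openSUSE): prepare the
# certificate that the firmware's "Enroll DB" step will read from a USB stick.
# Assumptions: the cert lives at /usr/share/efi/x86_64/grub.der (from the
# answer), the USB stick's mount point is given by the caller (hypothetical),
# and openssl is installed. mokutil is optional.

# Print the subject, issuer, validity and SHA-256 fingerprint of a DER cert.
# The subject CN is the name the firmware shows in the Authorized Signature
# Database after enrollment (e.g. "openSUSE Secure Boot CA").
inspect_der_cert() {
    cert="$1"
    [ -f "$cert" ] || { echo "no such file: $cert" >&2; return 1; }
    # -inform der: grub.der is binary DER, not PEM; openssl fails on the wrong format
    openssl x509 -inform der -in "$cert" -noout -subject -issuer -dates -fingerprint -sha256
}

# Return only the subject line; exits non-zero if the file is not a DER cert.
der_cert_subject() {
    openssl x509 -inform der -in "$1" -noout -subject
}

# Report Secure Boot state and the certificates currently in the DB, if mokutil exists.
secure_boot_state() {
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state
        mokutil --db | grep -i 'subject' || true
    else
        echo "mokutil not installed; check Security > Secure Boot in firmware setup instead"
    fi
}

# Copy the certificate onto the (FAT-formatted) USB stick as grub.der.
# Validates the file first so a PEM or random file is never enrolled by mistake.
copy_cert_to_usb() {
    cert="$1"; dest="$2"
    der_cert_subject "$cert" >/dev/null 2>&1 || { echo "$cert is not a DER certificate" >&2; return 1; }
    [ -d "$dest" ] || { echo "USB mount point $dest not found" >&2; return 1; }
    cp "$cert" "$dest/grub.der" && sync && echo "copied to $dest/grub.der"
}

main() {
    cert="${1:-/usr/share/efi/x86_64/grub.der}"
    usb="${2:?usage: $0 run [cert] <usb-mount-point>}"
    secure_boot_state
    inspect_der_cert "$cert"
    copy_cert_to_usb "$cert" "$usb"
}

# Run only when invoked as: sh enroll_prep.sh run [cert] <usb-mount-point>
if [ "$1" = "run" ]; then
    shift
    main "$@"
fi
```

Usage: `sh enroll_prep.sh run /usr/share/efi/x86_64/grub.der /run/media/$USER/USB` (the mount point is whatever your desktop assigned to the stick). After enrolling and re-enabling Secure Boot, `mokutil --db` on the installed system should list the same subject that `inspect_der_cert` printed, which confirms the firmware picked up the right certificate.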