Another UEFI quirk
I have already mentioned this in my previous post, where I wrote:
I could not get secure boot to work on the ThinkServer. Or, perhaps it works, but openSUSE is broken. If I turn on secure-boot, then I cannot boot openSUSE.
The problem appears to be a limitation in the firmware of the ThinkServer. My thanks to Gary Lin, from the SUSE team, who provided the insight needed to track the problem down. For full details of the discussion, see Bug 869786.
Apparently the openSUSE file “shim.efi”, used for secure boot, is digitally signed by both the Microsoft UEFI key and the openSUSE key used for secure-boot. It turns out that the firmware on the ThinkServer does not support multiple signatures, so it does not recognize “shim.efi” as properly signed.
Gary Lin explained how I could remove the second signature. With that done, I retested and secure-boot then worked.
I am guessing that there is probably other hardware out there, with the same limitation.
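To check whether an EFI binary carries more than one signature, the following added example (not from the original post or the bug discussion) counts the WIN_CERTIFICATE entries in the PE certificate table. It assumes each signature is stored as its own entry there, as the PE/COFF attribute certificate table allows; `sample_image` is a constructed stand-in with dummy entries, not a real signed shim.

```python
import struct

CERT_DIR = 4  # index of the Certificate Table in the PE data directories

def list_signatures(pe: bytes):
    """Return (revision, cert_type, length) for every WIN_CERTIFICATE entry."""
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe_off + 24  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    (ndirs,) = struct.unpack_from("<I", pe, dirs - 4)
    if ndirs <= CERT_DIR:
        return []
    # For this directory the "address" field is a plain file offset.
    off, size = struct.unpack_from("<II", pe, dirs + 8 * CERT_DIR)
    end = off + size
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    found = []
    while off + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        found.append((rev, ctype, length))
        off += (length + 7) & ~7  # entries are padded to 8 bytes
    return found

def sample_image(n_sigs: int) -> bytes:
    """Constructed PE32+ header with n dummy entries (not real signatures)."""
    hdr = bytearray(0x40 + 24 + 112 + 16 * 8)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x20B)      # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)   # NumberOfRvaAndSizes
    entry = struct.pack("<IHH", 12, 0x0200, 0x0002) + b"FAKE" + b"\0" * 4
    struct.pack_into("<II", hdr, opt + 112 + 8 * CERT_DIR, len(hdr), 16 * n_sigs)
    return bytes(hdr) + entry * n_sigs

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_image(2)
    print(len(list_signatures(data)), "signature(s) in the certificate table")
```

Run it with the path to an EFI binary to count the entries in a real file; a count above one is the case that firmware limited to a single signature may refuse.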