Secure boot issues in a dual boot

I'm currently running a dual boot setup with Windows 11 and Zorin 16 on my Surface Laptop Go. The following has happened twice:
Zorin lets me know I have packages ready to upgrade - I run the upgrades through the terminal - a "Configuring secure boot" dialogue appears within the terminal window in the middle of the update, asking me to set a password to proceed with MOK key enrolment (I have no idea what this means), so I set a password and the upgrade continues and completes with no issues or gaps. Both times, upon rebooting (as requested by the update manager), GRUB fails to load, so I cannot get into Zorin no matter what - the screen is stuck on the manufacturer logo. I've gone into the BIOS and set the boot order to Windows first, and Windows worked perfectly fine. I tried turning off Secure Boot, and all that did was make a red bar with an open lock symbol appear on the screen with the manufacturer logo - no GRUB.
I did a lot of digging around and couldn't find anyone with this exact issue, but I did find out about Boot Repair, so I created a live USB with the Zorin 16 image and ran the boot repair - this has worked both times and my computer is fine right now. However, at the end of the repair Boot Repair says something about NVRAM being locked and asks me to turn off Secure Boot in the BIOS - as described above, I had already tried that by this point, so I ignored that message, and yet after rebooting there were no issues, so the boot repair must have done something.

Note: I am fairly certain both upgrades that caused this problem involved Nvidia drivers, and I have definitely run upgrades that did NOT cause these issues - I do vaguely remember the MOK enrolment window saying something about proprietary drivers as well, but I am not sure about this.
Another note: I used Ventoy to create the live USB and put Zorin on it, both for installation and for both of these repairs. When booting up the USB for repair, I was prompted with a MOK management screen where I clicked "Enroll key", entered the password and clicked reboot, which then allowed me to get into Zorin.
Finally, my question: I would just appreciate any insight on why this happened and what I can do to either prevent it or fix it in a more precise way in the future, since Boot Repair feels like a shot in the dark. Is the MOK management screen what actually fixed my problem? If so, why do I have to boot from a USB to see it, instead of booting normally?
I've been considering going from dual boot to Zorin only because of space restrictions on my 128 GB drive, and this is a source of worry as to Zorin's stability, so I would like to be prepared if something like this happens when I don't have Windows to fall back on. This has also been the only thing to actually render Linux unbootable for me so far.
Thanks a lot in advance.

The MOK key is usually an element needed when it comes to installing Windows 11, and I vaguely remember using the Windows version of Ventoy, which stated that it now had the MOK key present to enable installation of Windows 11. This was for a non-compliant PC that does not have TPM 2.0, and it installed on my eldest's machine without issue. I think there should be some sort of reference to the MOK key in your BIOS EFI settings. It might be that it isn't sticking.

UPDATE: Enroll kernel keys thru MOK [LWN.net]

Why was Zorin prompting me to enrol it if MOK is related to Windows installation?
And why does this affect me at all if windows was always installed?

Perhaps this article will assist you:

So it seems Ventoy's compatibility with MOK manager allowed me to enrol the MOK key, which let Zorin proceed as usual. Thanks for that article, it was very helpful.
Any idea why Zorin itself couldn't start the MOK installation process? Is it somehow blocked by the dual boot? It wasn't clear in the link you provided.

Zorin OS can and does.

MOK enrollment manages utilizing Secure Boot, which is programmed into the Motherboard, not into the Windows Operating System.

Remember, your Motherboard has an operating system of its own. That is the BIOS, and it communicates with your Operating System (whether Windows or GNU/Linux) through drivers.
The way Secure Boot works is like an attendee list at an event - programs must be signed off to be allowed to initialize at boot. If a program is not on the list, it is not permitted to init.

Certain proprietary drivers, like those Nvidia provides, are left unsigned. This can lead to the graphics being disabled from init during boot - which all indicators point to being your experience.
Disabling Secure Boot would resolve this: Except that you already enrolled MOK.
What is your terminal output for

mokutil --sb-state


It says Secure Boot enabled.
Why did disabling Secure Boot not resolve the issue earlier?
Should I disable it now, since it seems to be working with Secure Boot? And does this render the Windows partition unusable?

Did you re-enable Secure Boot after disabling it earlier?
I am not aware of Windows demanding Secure Boot with the same ferocity as they demand TPM be enabled, though I could be wrong. It won't destroy your disk or data though, so you can boot Windows to check.

If proprietary Nvidia drivers are having issues with Secure Boot, then yes, disabling it can help resolve it. If you have gotten your proprietary Nvidia drivers to pass through MOK, that also can help you resolve the issue.
You may run into the same issue when you upgrade your Nvidia drivers in the future.

I'm quite sure that I didn't re-enable Secure Boot before trying to boot Zorin and failing. I will try disabling it later and see how everything works.
With regards to this happening again, is MOK enrolment not a one-time process? Or will a new key be requested to sign off on drivers every time I update them?

You may run into the issue again. Your enrollment is a one-time event; however, the signing of the Nvidia driver packages is up to the maintainer.
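The two points made above (Secure Boot only lets signed code initialize, and MOK enrollment happens once while the signing of each Nvidia package is up to the maintainer) can be checked from a terminal rather than guessed at after a failed boot. The script below is an added example, not code from this thread, from Zorin or from Ubuntu. It wraps three real commands, `mokutil --sb-state`, `mokutil --test-key <cert>` and `modinfo -F sig_key <module>`, and assumes the DKMS signing certificate lives at /var/lib/shim-signed/mok/MOK.der, which is the Ubuntu-family default (override with MOK_DER=...). The sample command outputs embedded in it are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Secure Boot / MOK diagnostic: added example, not code from this thread, Zorin or Ubuntu.
# Wraps three real commands:
#   mokutil --sb-state           -> "SecureBoot enabled" / "SecureBoot disabled"
#   mokutil --test-key <cert>    -> "<cert> is already enrolled" / "<cert> is not enrolled"
#   modinfo -F sig_key <module>  -> signing key id, or nothing for an unsigned module
# Assumption: the DKMS MOK certificate is /var/lib/shim-signed/mok/MOK.der
# (Ubuntu-family default). The verdict only applies to DKMS-built modules signed
# with that certificate; in-tree modules carry the distro key, which is already trusted.

MOK_DER="${MOK_DER:-/var/lib/shim-signed/mok/MOK.der}"

# Constructed sample outputs (not from a real machine), used by demo below.
SAMPLE_SB_ON='SecureBoot enabled'
SAMPLE_SB_OFF='SecureBoot disabled'
SAMPLE_KEY_ENROLLED="$MOK_DER is already enrolled"
SAMPLE_KEY_MISSING="$MOK_DER is not enrolled"
SAMPLE_SIG_KEY='12:34:56:78:9A:BC:DE:F0:12:34:56:78:9A:BC:DE:F0:12:34:56:78'
SAMPLE_SIG_NONE=''

# Normalise `mokutil --sb-state` output to enabled / disabled / unknown.
sb_state() {
  case "$1" in
    *'SecureBoot enabled'*)  echo enabled ;;
    *'SecureBoot disabled'*) echo disabled ;;
    *)                       echo unknown ;;
  esac
}

# Normalise `mokutil --test-key` output to enrolled / not-enrolled / unknown.
mok_enrolled() {
  case "$1" in
    *'is already enrolled'*) echo enrolled ;;
    *'is not enrolled'*)     echo not-enrolled ;;
    *)                       echo unknown ;;
  esac
}

# A module counts as signed iff `modinfo -F sig_key` printed a non-blank key id.
module_signed() {
  if [ -n "$(printf '%s' "$1" | tr -d '[:space:]')" ]; then
    echo signed
  else
    echo unsigned
  fi
}

# Combine the three observations. The symptom in this thread (driver refused at boot)
# needs Secure Boot on plus a module that is unsigned or signed with a key the kernel
# does not trust (not in db or in the enrolled MOK list). With Secure Boot off the
# kernel loads unsigned modules, so the signing state stops mattering.
verdict() { # $1 = sb_state, $2 = mok_enrolled, $3 = module_signed
  if [ "$1" != enabled ]; then
    echo "Secure Boot off: kernel does not enforce module signatures"
  elif [ "$3" = unsigned ]; then
    echo "BLOCKED: unsigned module under Secure Boot"
  elif [ "$2" != enrolled ]; then
    echo "BLOCKED: module signed, but the signing key is not enrolled in MOK"
  else
    echo "OK: signed module, signing key enrolled"
  fi
}

# Run the constructed samples through the same logic (default when no arguments).
demo() {
  echo "sample 1 (SB on, key not enrolled, signed module): $(verdict "$(sb_state "$SAMPLE_SB_ON")" "$(mok_enrolled "$SAMPLE_KEY_MISSING")" "$(module_signed "$SAMPLE_SIG_KEY")")"
  echo "sample 2 (SB on, key enrolled, signed module):     $(verdict "$(sb_state "$SAMPLE_SB_ON")" "$(mok_enrolled "$SAMPLE_KEY_ENROLLED")" "$(module_signed "$SAMPLE_SIG_KEY")")"
  echo "sample 3 (SB off, key not enrolled, unsigned):     $(verdict "$(sb_state "$SAMPLE_SB_OFF")" "$(mok_enrolled "$SAMPLE_KEY_MISSING")" "$(module_signed "$SAMPLE_SIG_NONE")")"
}

# Query the real machine:  sh mok-check.sh --live [module]   (needs mokutil and modinfo)
run_live() {
  mod="${1:-nvidia}"
  command -v mokutil >/dev/null 2>&1 || { echo "mokutil not installed"; return 1; }
  modinfo "$mod" >/dev/null 2>&1 || { echo "module $mod not found by modinfo"; return 1; }
  sb=$(sb_state "$(mokutil --sb-state 2>&1)")
  en=$(mok_enrolled "$(mokutil --test-key "$MOK_DER" 2>&1)")
  sg=$(module_signed "$(modinfo -F sig_key "$mod" 2>/dev/null)")
  echo "secure boot: $sb; $MOK_DER enrolled: $en; module $mod: $sg"
  verdict "$sb" "$en" "$sg"
}

if [ "${1:-}" = "--live" ]; then
  run_live "${2:-nvidia}"
else
  demo
fi
```

Running it without arguments prints the three constructed cases; `sh mok-check.sh --live nvidia` queries the installed system. Sample 1 is the state this thread describes after a driver upgrade: Secure Boot on and a freshly built module whose key has not yet been accepted through the MOK manager, which is exactly what the blue enrollment screen on the next boot is meant to fix.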

Ah, I see. Thanks for all the insight to you both. I'm a lot more comfortable with the idea of going full Linux now.