After a system update, bad shim signature | Silverblue | F40

System Details Report


Report details

  • Date generated: 2024-06-17 22:48:02

Hardware Information:

  • Hardware Model: Micro-Star International Co., Ltd. Modern 15 A5M
  • Memory: 8.0 GiB
  • Processor: AMD Ryzen™ 5 5500U with Radeon™ Graphics × 12
  • Graphics: AMD Radeon™ Graphics
  • Disk Capacity: 512.1 GB

Software Information:

  • Firmware Version: E155LAMS.115
  • OS Name: Fedora Linux 40.20240613.0 (Silverblue)
  • OS Build: (null)
  • OS Type: 64-bit
  • GNOME Version: 46
  • Windowing System: Wayland
  • Kernel Version: Linux 6.8.11-300.fc40.x86_64

After a recent system update, a strange error occurred, which I have shown in the attached screenshot that I took.

I cannot boot my system, so I have switched to the backup system and rebooted the system.

:thinking: Maybe similar ?

1 Like

I’m experiencing the same issue with two of my Fedora Kinoite 39 devices. The error message is exactly the same as the one shown in your picture. Given the timing of the updates, the issue is related to the new kernel version 6.9.4 from your recent update.

Upgraded:
  dmidecode 1:3.5-1.fc39 -> 1:3.6-1.fc39
  kernel 6.8.11-200.fc39 -> 6.9.4-100.fc39
  kernel-core 6.8.11-200.fc39 -> 6.9.4-100.fc39
  kernel-headers 6.8.3-200.fc39 -> 6.9.4-100.fc39
  kernel-modules 6.8.11-200.fc39 -> 6.9.4-100.fc39
  kernel-modules-core 6.8.11-200.fc39 -> 6.9.4-100.fc39
  kernel-modules-extra 6.8.11-200.fc39 -> 6.9.4-100.fc39
  kernel-tools 6.8.11-200.fc39 -> 6.9.4-100.fc39
  kernel-tools-libs 6.8.11-200.fc39 -> 6.9.4-100.fc39

I applied the workaround mentioned above and resolved the issue.

Alternatively, you can also disable secure boot if you prefer not to use the workaround.

2 Likes

After the recent kernel update the issue still persists… What would be the way out?
Notably, I have no layered packages.
Kernel version: 6.8.11-300.fc40.x86_64
I have tried to update to 6.9.4, but the error is still there; because the error still persists, the system cannot be updated. Can anyone please solve the issue?

Have you tried the workaround? Specifically, the one from Fedora Silverblue’s issue tracker.
Here are the exact steps:

Warning: Do at your own risk, make backups

Here is the set of commands I’ve just used to update my (x86_64) EFI booted system successfully:

# Enter a root shell on the host (i.e. not in a toolbox)
$ sudo -i

# Make a backup of the content of the EFI partition
$ cd /boot/efi/
$ cp -a EFI EFI.bkp

# Copy updated bootloader versions
$ cp /usr/lib/ostree-boot/efi/EFI/BOOT/{BOOTIA32.EFI,BOOTX64.EFI,fbia32.efi,fbx64.efi} /boot/efi/EFI/BOOT/
$ cp /usr/lib/ostree-boot/efi/EFI/fedora/{BOOTIA32.CSV,BOOTX64.CSV,grubia32.efi,grubx64.efi,mmia32.efi,mmx64.efi,shim.efi,shimia32.efi,shimx64.efi} /boot/efi/EFI/fedora/

# Only needed if it exists already on your system
$ cp /usr/lib/ostree-boot/efi/EFI/fedora/shimx64.efi /boot/efi/EFI/fedora/shimx64-fedora.efi

# Sync changes to the disk
$ sync

# Reboot

Once reboot is successful, you can remove the backup copies:

# Enter a root shell on the host (i.e. not in a toolbox)
$ sudo -i

# Remove the backup of the content of the EFI partition
$ cd /boot/efi/
$ rm -ri ./EFI.bkp

# Sync changes to the disk
$ sync

Edit: Updated to add 32-bit EFI binaries as well.

2 Likes
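
A read-only check to run before and after the workaround above, added here as an example and not part of the original posts: it lists which bootloader files on the EFI partition are missing or differ from the copies shipped in /usr/lib/ostree-boot. The paths come from the workaround; the function name stale_efi_files and the --check flag are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only: it copies nothing.
# Default paths are the ones used in the workaround; the function name
# stale_efi_files and the --check flag are hypothetical.

# Print one line per bootloader file under SRC whose counterpart under DST
# is missing or has different content. No output means DST is current.
stale_efi_files() {
    src=${1%/}
    dst=${2%/}
    [ -d "$src" ] || { echo "source not found: $src" >&2; return 2; }
    find "$src" -type f | sort | while IFS= read -r f; do
        rel=${f#"$src"/}
        if [ ! -f "$dst/$rel" ]; then
            echo "MISSING $rel"
        elif ! cmp -s "$f" "$dst/$rel"; then
            echo "DIFFERS $rel"
        fi
    done
    # shimx64-fedora.efi exists only on some systems; per the workaround it
    # should be a copy of shimx64.efi, so compare it against that file.
    extra=$dst/fedora/shimx64-fedora.efi
    if [ -f "$extra" ] && ! cmp -s "$src/fedora/shimx64.efi" "$extra"; then
        echo "DIFFERS fedora/shimx64-fedora.efi"
    fi
    return 0
}

# Run as root on the host: sh check-efi.sh --check
if [ "${1:-}" = "--check" ]; then
    stale_efi_files /usr/lib/ostree-boot/efi/EFI /boot/efi/EFI
fi
```

A byte-for-byte match only shows that the EFI partition carries the same files as the current deployment; it does not verify any Secure Boot signature.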

It was totally OK and is now broken for no reason.
As a Silverblue user, this should be rock solid.

Version: 40.20240618.0 is broken for me too.
I have pinned the previous one which works.

I have the same boot error and disabling secure boot worked around the issue.

Updating the bootloader per the first link @hamrheadcorvette posted effectively resolved the issue!

2 Likes

New kernel update will fix the issue

But when?

https://bodhi.fedoraproject.org/updates/?packages=kernel

The issue is still not resolved after updating to 6.9.5.

If I turn on secure boot, it shows the same error again. What is the issue here?
The issue started after updating to the 6.9 set of kernels.

Is your shim up-to-date?

Run mokutil --list-enrolled and you should get 2bb010e24d fedoraca

$ mokutil --list-enrolled
7e68651d52 Fedora Secure Boot CA

Same:

$ mokutil --list-enrolled
7e68651d52 Fedora Secure Boot CA

I installed the 6/22 update and it didn’t resolve the issue.

This is the old expired certificate. A new shim was released about 3 months ago containing a new certificate.

Did you take a look at message 4?

A freshly installed kinoite does use the new version of shim.

1 Like

image
Can't do it, and the problem is still there.

Leaving EFI.bkp shouldn’t be a problem.

When running rm -ri you will be asked to confirm for each file and each directory to be deleted.

If you halt a program with Ctrl-Z, don’t forget to resume it again with the fg command.

1 Like