Boot fails with "bad shim signature" in atomic desktops and IoT

Problem

In June 2024, updates were distributed for Fedora atomic desktops and Fedora IoT that might fail to boot on systems with Secure Boot enabled, if those systems were originally installed with a version older than Fedora Linux 40.

You might see the following error:

error: ../../grub-core/kern/efi/sb.c:182:bad shim signature.
error: ../../grub-core/loader/i386/efi/linux.c:258:you need to load the kernel first.

Press any key to continue...

Cause

This was caused by the 39.20240617.0 and 40.20240617.0 updates for atomic desktops and the 40.20240617.0 update for IoT.

Shim and GRUB were signed with an old key on systems installed prior to Fedora 40, but the latest kernel 6.9 is no longer signed with a matching key.

You can read a longer explanation of what happened here:
https://fedoramagazine.org/manual-action-needed-to-resolve-boot-failure-for-fedora-atomic-desktops-and-fedora-iot/

Related Issues

Silverblue report: Boot fails with "vmlinuz has invalid signature" or "bad shim signature, you need to load the kernel first" · Issue #543 · fedora-silverblue/issue-tracker · GitHub

Workarounds

Please follow the steps described in this article:
