Tried reinstalling it with secureboot disabled, now when im chosing fedora in boot menu I’m just getting back to boot menu(no matter secure boot is enabled or disabled)
This key seems to have been generated on the live media and not on the running system.
Secure boot with fedora driver modules can only be used if the key is generated and imported into bios from the installed and running OS. The key pairs will exist in /etc/pki/akmods/certs and /etc/pki/akmods/private. I have never tried that with the chroot environment, but I know that the hostname for the live media will not match the hostname for the installed OS.
My suggestion
disable secure boot
remove that particular key from bios with mokutil. (use `man mokutil to guide doing this).
boot to the main os, then set the hostname using hostnamectl.
generate a new key pair with kmodgenca -f, import it and verify with the instructions in the file /usr/share/doc/akmods/README.secureboot (the key is identified with the hostname so step 3 seems necessary)
recreate any drivers with akmods --force --rebuildto ensure they are signed with the new key
reboot to verify everything now works.
During a final reboot you could now enable secure boot and it should work
(An aside: the “Something has gone seriously wrong” message that’s associated with people having a bad time as a result of this update? That’s a message from shim, not any Microsoft code. Shim pays attention to SBAT updates in order to avoid violating the security assumptions made by other bootloaders on the system, so even though it was Microsoft that pushed the SBAT update, it’s the Linux bootloader that refuses to run old versions of grub as a result. This is absolutely working as intended)
The important part is that the shim compares the “sbat” strings in grub2 and check that against its known list of good versions, so it is important that you keep the shim and grub2 up-to-date.
as @leigh123linux recommended tried reinstall shim packages with secure boot disabled
following @computersavvy suggestions removed keys that were created from livecd with chroot env, generated and enrolled new one and recreated drivers(currently there are none)
acc@fedora:~$ sudo mokutil --test-key /etc/pki/akmods/certs/public_key.der
/etc/pki/akmods/certs/public_key.der is already enrolled
acc@fedora:~$ sudo akmods --force --rebuild
No akmod packages found, nothing to do. [ OK ]
acc@fedora:~$ mokutil --list-enrolled
7e68651d52 Fedora Secure Boot CA
deed1cdde9 akmods local signing CA
BIOS is updated to latest version, not sure what to discuss with the vendor, as windows keeps booting successfully, so more likely it’s not the board issue. btw it was official IBM service
I’ve just updated all packages(including shim* and grub2*).
The Fedora grub has been at or above the supported SBAT level for over 2 years.
That would imply the OP has a very old shim, or one from debian/ubuntu that did not update.
debian/ubuntu 100% never was installed or even booted from livecd, old version of shim also don’t think so as I reguraly did updates, but initially yes my installation was updated one by one since fedora 36 through years.
With secure boot enabled now I’m just seeing black screen instead of grub
Fixed by booting from live CD again and reinstalling grub2* and shim*, also did install Nvidia drivers and now with secure boot getting SBAT error again.