Boot fails with shim security policy violation

Excellent. Then it is a question of the proper version of grubx64.efi and/or shimx64.efi.

Should I just copy-paste them from the latest Fedora ISO to my /boot/efi/fedora dir?

Seems like dnf reinstall does not install them. Any idea where to get the proper ones from?

You can check the version

ls -l /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/fedora/shim.efi /boot/efi/EFI/fedora/shimx64.efi /boot/efi/EFI/fedora/grubx64.efi

should show

-rwx------. 1 root root  949424 Mar 19  2024 /boot/efi/EFI/BOOT/BOOTX64.EFI
-rwx------. 1 root root 4066624 Nov 21 01:00 /boot/efi/EFI/fedora/grubx64.efi
-rwx------. 1 root root  949424 Mar 19  2024 /boot/efi/EFI/fedora/shim.efi
-rwx------. 1 root root  949424 Mar 19  2024 /boot/efi/EFI/fedora/shimx64.efi

and

sha256sum /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/fedora/shim.efi /boot/efi/EFI/fedora/shimx64.efi /boot/efi/EFI/fedora/grubx64.efi

should show

4773d74d87c2371a25883b59a3b6d98d157de46933676706d215015b1130f2d1  /boot/efi/EFI/BOOT/BOOTX64.EFI
4773d74d87c2371a25883b59a3b6d98d157de46933676706d215015b1130f2d1  /boot/efi/EFI/fedora/shim.efi
4773d74d87c2371a25883b59a3b6d98d157de46933676706d215015b1130f2d1  /boot/efi/EFI/fedora/shimx64.efi
c5e9e34d80cbe8c2294758e3d2afdb869ec99ecad3105d99f2504989a18591ab  /boot/efi/EFI/fedora/grubx64.efi

for Fedora version 41

The rpm version should be

rpm -qf /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/fedora/shim.efi /boot/efi/EFI/fedora/shimx64.efi /boot/efi/EFI/fedora/grubx64.efi

shim-x64-15.8-3.x86_64
shim-x64-15.8-3.x86_64
shim-x64-15.8-3.x86_64
grub2-efi-x64-2.12-15.fc41.x86_64

Mine are the same

acc@fedora:~$ sudo ls -l /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/fedora/shim.efi /boot/efi/EFI/fedora/shimx64.efi /boot/efi/EFI/fedora/grubx64.efi
-rwx------ 1 root root  949424 Mar 19  2024 /boot/efi/EFI/BOOT/BOOTX64.EFI
-rwx------ 1 root root 4066624 Nov 21 02:00 /boot/efi/EFI/fedora/grubx64.efi
-rwx------ 1 root root  949424 Mar 19  2024 /boot/efi/EFI/fedora/shim.efi
-rwx------ 1 root root  949424 Mar 19  2024 /boot/efi/EFI/fedora/shimx64.efi
acc@fedora:~$ sudo sha256sum /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/fedora/shim.efi /boot/efi/EFI/fedora/shimx64.efi /boot/efi/EFI/fedora/grubx64.efi
4773d74d87c2371a25883b59a3b6d98d157de46933676706d215015b1130f2d1  /boot/efi/EFI/BOOT/BOOTX64.EFI
4773d74d87c2371a25883b59a3b6d98d157de46933676706d215015b1130f2d1  /boot/efi/EFI/fedora/shim.efi
4773d74d87c2371a25883b59a3b6d98d157de46933676706d215015b1130f2d1  /boot/efi/EFI/fedora/shimx64.efi
c5e9e34d80cbe8c2294758e3d2afdb869ec99ecad3105d99f2504989a18591ab  /boot/efi/EFI/fedora/grubx64.efi
acc@fedora:~$ sudo rpm -qf /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/fedora/shim.efi /boot/efi/EFI/fedora/shimx64.efi /boot/efi/EFI/fedora/grubx64.efi
shim-x64-15.8-3.x86_64
shim-x64-15.8-3.x86_64
shim-x64-15.8-3.x86_64
grub2-efi-x64-2.12-15.fc41.x86_64

Then I have no idea of why it doesn’t work, unless the ESP file system is not mounted where it should be.

More likely it is mounted as it should be, otherwise I wouldn’t be able to boot with secure boot disabled.

Whether the ESP is mounted or not doesn’t in any way affect whether the system can boot or not. An old shim in the ESP can boot fine with secure boot disabled and fail the SBAT test when secure boot is enabled. If the ESP is not mounted, you can run all the software updates and it won’t update the files in the ESP.

I see, could you please guide me on investigating it?

lsblk -o NAME,PARTUUID,UUID,FSTYPE,MOUNTPOINT

NAME        PARTUUID                             UUID                                 FSTYPE MOUNTPOINT
loop0                                                                                        /var/lib/snapd/snap/core/17200
loop1                                                                                        /var/lib/snapd/snap/core22/1722
loop2                                                                                        /var/lib/snapd/snap/ghostscript-printer-app/850
zram0                                                                                        [SWAP]
nvme0n1                                                                                      
├─nvme0n1p1 4c4142d9-4e81-476a-93b5-dbdad8bb5f5a 3056-3376                            vfat   /boot/efi
├─nvme0n1p2 9fce4793-957e-41b2-99ec-c2c541f34d80 2ceb9488-262e-490b-91d9-f9bc93e6275c ext4   /home
├─nvme0n1p3 1396d646-58d0-4618-8592-93a1a2857577 56a83e29-1e98-44f6-a33e-8988906ef2a1 ext4   /
└─nvme0n1p4 e27acb57-ac9a-42b2-b800-108ae60c3f62 96621d97-5b40-497f-b0ce-d09430076c0c swap   [SWAP]

efibootmgr

BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001,0003,0002
Boot0001* Fedora        HD(1,GPT,4c4142d9-4e81-476a-93b5-dbdad8bb5f5a,0x800,0x400000)/\EFI\FEDORA\SHIMX64.EFI
Boot0002* memtest       HD(1,GPT,4c4142d9-4e81-476a-93b5-dbdad8bb5f5a,0x800,0x400000)/\EFI\MEMTST\MEMTEST64.EFI
Boot0003* Fedora2       HD(1,GPT,4c4142d9-4e81-476a-93b5-dbdad8bb5f5a,0x800,0x400000)/\EFI\FEDORA2\SHIMX64.EFI

Match 4c4142d9-4e81-476a-93b5-dbdad8bb5f5a from the efibootmgr listing to the PARTUUID from the lsblk listing and note the corresponding MOUNTPOINT.

My GRUB entry matches the Windows boot partition instead of the Fedora one.

and uses grubx64.efi instead of shimx64.efi from your example.

root@fedora:~# lsblk -o NAME,PARTUUID,UUID,FSTYPE,MOUNTPOINT
NAME                                          PARTUUID                             UUID                                 FSTYPE      MOUNTPOINT
zram0                                                                                                                               [SWAP]
nvme0n1                                                                                                                             
├─nvme0n1p1                                   f1eef844-60b8-4d65-9564-57d6b5e62977 0673-EE01                            vfat        
├─nvme0n1p2                                   d30cb7b6-feaf-4183-be45-4052093a420a                                                  
├─nvme0n1p3                                   d7177353-4339-4120-b20d-e2cdbb8ec349 7654765254761559                     ntfs        
├─nvme0n1p4                                   bf6ded41-c28b-4a55-8ae3-03cdd49a5e54 C8BC7532BC751BDE                     ntfs        
├─nvme0n1p5                                   b5433bae-b4b6-4a80-9c82-298797f2ac45 0150-63B8                            vfat        /boot/efi
└─nvme0n1p6                                   8150813d-6cb1-479a-ac41-0160dd61efa3 7d687dbc-9497-42c2-8484-ee1159a8d839 ext4        /boot
nvme1n1                                                                                                                             
├─nvme1n1p1                                   b5a8390d-52eb-421b-9468-d5500899624e b652af38-4d3f-488d-92b3-073f3217cc03 crypto_LUKS 
│ └─luks-b652af38-4d3f-488d-92b3-073f3217cc03                                      55f27c48-0369-481e-9d89-97354e0ff882 btrfs       /home
└─nvme1n1p2                                   955f8cef-bf78-4124-a2f7-ed24dab4c28a 0fafb902-db94-4a8e-ad50-6477df93786a crypto_LUKS 
  └─luks-0fafb902-db94-4a8e-ad50-6477df93786a                                      d5b9754a-293f-4b88-bdb2-10a3f4671f9d btrfs       /
nvme2n1                                                                                                                             
├─nvme2n1p1                                   6b8192c9-bb73-45b5-b109-efd76dd92ef4 1e339a60-5cac-43d4-b7c8-4ab770aacefa crypto_LUKS 
│ └─luks-1e339a60-5cac-43d4-b7c8-4ab770aacefa                                      55f27c48-0369-481e-9d89-97354e0ff882 btrfs       
└─nvme2n1p2                                   ad4313df-4048-44b9-95a7-f5cb7ebb4029 5529c265-28d3-46f0-b389-4f6403d26169 crypto_LUKS 
  └─luks-5529c265-28d3-46f0-b389-4f6403d26169                                      d5b9754a-293f-4b88-bdb2-10a3f4671f9d btrfs       
root@fedora:~# efibootmgr
BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0002,0001,001A,001B,001C,001D,001E,001F,0020,0021,0022,0023,0024,0025
Boot0001* Windows Boot Manager	HD(1,GPT,f1eef844-60b8-4d65-9564-57d6b5e62977,0x800,0x32000)/\EFI\Microsoft\Boot\bootmgfw.efi57494e444f5753000100000088000000780000004200430044004f0042004a004500430054003d007b00390064006500610038003600320063002d0035006300640064002d0034006500370030002d0061006300630031002d006600330032006200330034003400640034003700390035007d00000000000100000010000000040000007fff0400
Boot0002* GRUB	HD(1,GPT,f1eef844-60b8-4d65-9564-57d6b5e62977,0x800,0x32000)/\EFI\fedora\grubx64.efi
Boot0010  Setup	FvFile(721c8b66-426c-4e86-8e99-3457c46ab0b9)
Boot0011  Boot Menu	FvFile(126a762d-5758-4fca-8531-201a7f57f850)
Boot0012  Diagnostic Splash Screen	FvFile(a7d8d9a6-6ab0-4aeb-ad9d-163e59a7a380)
Boot0013  Lenovo Diagnostics	FvFile(3f7e615b-0d45-4f80-88dc-26b234958560)
Boot0014  Asset Information	FvFile(da465b87-a26f-4c12-b78a-0361428fa026)
Boot0015  Regulatory Information	FvFile(478c92a0-2622-42b7-a65d-5894169e4d24)
Boot0016  ThinkShield secure wipe	FvFile(3593a0d5-bd52-43a0-808e-cbff5ece2477)
Boot0017  Startup Interrupt Menu	FvFile(f46ee6f4-4785-43a3-923d-7f786c3c8479)
Boot0018  Rescue and Recovery	FvFile(665d3f60-ad3e-4cad-8e26-db46eee9f1b5)
Boot0019  MEBx Hot Key	FvFile(ac6fd56a-3d41-4efd-a1b9-870293811a28)
Boot001A* USB CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,86701296aa5a7848b66cd49dd3ba6a55)
Boot001B* USB FDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,6ff015a28830b543a8b8641009461e49)
Boot001C* NVMe0	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,001c199932d94c4eae9aa0b6e98eb8a400)
Boot001D* NVMe1	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,001c199932d94c4eae9aa0b6e98eb8a401)
Boot001E* NVMe2	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,001c199932d94c4eae9aa0b6e98eb8a402)
Boot001F* ATA HDD0	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f601)
Boot0020* USB HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,33e821aaaf33bc4789bd419f88c50803)
Boot0021* PXE BOOT	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,78a84aaf2b2afc4ea79cf5cc8f3d3803)
Boot0022* LENOVO CLOUD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,ad38ccbbf7edf04d959cf42aa74d3650)/Uri(https://download.lenovo.com/pccbbs/cdeploy/efi/boot.efi)
Boot0023* ON-PREMISE	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,ad38ccbbf7edf04d959cf42aa74d3650)/Uri()
Boot0024  Other CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a35400)
Boot0025  Other HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f600)
Boot0026* IDER BOOT CDROM	PciRoot(0x0)/Pci(0x14,0x0)/USB(15,1)
Boot0027* IDER BOOT Floppy	PciRoot(0x0)/Pci(0x14,0x0)/USB(15,0)
Boot0028* ATA HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f6)
Boot0029* ATAPI CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a354)

Should I create another entry?

Yep, that worked out, thanks a lot for your help!

efibootmgr -c -d /dev/nvme0n1 -p 5 -L GRUB -l '\EFI\fedora\shimx64.efi'
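
The check this thread converges on, written out as an added example (not part of the original posts): match the PARTUUID in each efibootmgr entry against lsblk and flag Fedora entries that point at a partition other than the mounted ESP, or at a loader other than shim. The function name, the flag names and the trimmed sample data are constructed for illustration, and the parser assumes the efibootmgr line format shown above.

```shell
#!/bin/sh
# Added example: cross-check each vendor boot entry against the mounted ESP.
# Assumes the efibootmgr line format from this thread: HD(n,GPT,<PARTUUID>,...)/\path
audit_boot_entries() {  # $1: efibootmgr output  $2: lsblk -rno PARTUUID,MOUNTPOINT output
    { printf '%s\n' "$2"; echo '---'; printf '%s\n' "$1"; } |
    awk -v esp="${3:-/boot/efi}" -v vendor="${4:-fedora}" '
    $0 == "---" { in_efi = 1; next }
    !in_efi {   # lsblk part: remember where each partition is mounted
        if ($1 ~ /^[0-9a-f]+-[0-9a-f-]+$/) mnt[$1] = ($2 == "" ? "unmounted" : $2)
        next
    }
    /^Boot[0-9A-F][0-9A-F][0-9A-F][0-9A-F]/ && match($0, /HD\([0-9]+,GPT,[0-9a-f-]+/) {
        uuid = substr($0, RSTART, RLENGTH); sub(/.*,/, "", uuid)
        path = substr($0, RSTART + RLENGTH)
        path = tolower(substr(path, index(path, "/") + 1))
        gsub(/\\/, "/", path)
        if (index(path, "/efi/" vendor "/") != 1) next   # other vendors are out of scope
        n = split(path, part, "/"); base = part[n]
        cut = index(base, ".efi"); if (cut > 0) base = substr(base, 1, cut + 3)
        where = (uuid in mnt) ? mnt[uuid] : "unknown"
        flags = ""
        if (where != esp)    flags = flags ",ESP-MISMATCH"   # firmware loads from another partition
        if (base !~ /^shim/) flags = flags ",NOT-SHIM"       # entry does not start at shim
        print substr($0, 1, 8), where, base, (flags == "" ? "ok" : substr(flags, 2))
    }'
}

# Constructed sample, trimmed from the listings in this thread.
# Boot0003 is a made-up corrected entry; its 0x0 offsets are placeholders.
SAMPLE_LSBLK='f1eef844-60b8-4d65-9564-57d6b5e62977
b5433bae-b4b6-4a80-9c82-298797f2ac45 /boot/efi'
SAMPLE_EFI='BootCurrent: 0002
Boot0001* Windows Boot Manager HD(1,GPT,f1eef844-60b8-4d65-9564-57d6b5e62977,0x800,0x32000)/\EFI\Microsoft\Boot\bootmgfw.efi
Boot0002* GRUB HD(1,GPT,f1eef844-60b8-4d65-9564-57d6b5e62977,0x800,0x32000)/\EFI\fedora\grubx64.efi
Boot0003* Fedora HD(5,GPT,b5433bae-b4b6-4a80-9c82-298797f2ac45,0x0,0x0)/\EFI\fedora\shimx64.efi'

audit_boot_entries "$SAMPLE_EFI" "$SAMPLE_LSBLK"
# On a live system (as root):
#   audit_boot_entries "$(efibootmgr)" "$(lsblk -rno PARTUUID,MOUNTPOINT)"
```

An ESP-MISMATCH on the booted entry means the files checked under /boot/efi with ls, sha256sum and rpm -qf are not the ones the firmware actually loads.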