Boot might fail with "vmlinuz[…] has invalid signature" in atomic desktops

Problem

In Fedora atomic desktop installations (Silverblue, Kinoite, Sway Atomic, Budgie Atomic) that were set up several releases ago, the system may stop booting and show an error message similar to this:

error: ../../grub-core/loader/i386/efi/linux.c:307:Chd0.gpt2/ostree/fedora-[hash]/vmlinuz-[version] has invalid signature.
error: ../../grub-core/loader/i386/efi/linux.c:205:you need to load the kernel first.
Press any key to continue…

Cause

Fedora atomic desktops currently do not automatically update the bootloader (GRUB, Shim) on the system during updates. Having an old bootloader causes a Secure Boot violation when combined with a recent 6.8 or newer Linux kernel.

All Fedora atomic desktop releases with 6.8 kernels are impacted (Fedora 39 and newer).

This issue doesn’t affect traditional non-atomic variants, because their bootloaders are regularly updated. This issue also doesn’t affect systems that don’t have Secure Boot enabled.

Workarounds

Choose one of the following:

  • Temporarily, you can boot into an older version of your system from the GRUB boot menu. (If this menu is not shown after starting the computer, hold Shift or press F8 repeatedly to show it). Use arrow keys to select an older version from that menu. You can make this rollback permanent, but it’s not recommended to run outdated software for long.

  • Go into your BIOS settings and disable Secure Boot. This makes your system a bit less secure.

  • Reinstall your atomic system from scratch. As this issue only affects old installations that are upgraded, a fresh installation is not affected. Before reinstallation, make sure to back up your data.

  • Or run the following commands (source) to manually update the bootloader:

    # Enter a root shell on the host (i.e. not in a toolbox)
    $ sudo -i
    
    # Make a backup of the content of the EFI partition
    $ cd /boot/efi/
    $ cp -a EFI EFI.bkp
    
    # Copy updated bootloader versions
    $ cp /usr/lib/ostree-boot/efi/EFI/BOOT/{BOOTIA32.EFI,BOOTX64.EFI,fbia32.efi,fbx64.efi} /boot/efi/EFI/BOOT/
    $ cp /usr/lib/ostree-boot/efi/EFI/fedora/{BOOTIA32.CSV,BOOTX64.CSV,grubia32.efi,grubx64.efi,mmia32.efi,mmx64.efi,shim.efi,shimia32.efi,shimx64.efi} /boot/efi/EFI/fedora/
    
    # Only needed if it exists already on your system
    $ cp /usr/lib/ostree-boot/efi/EFI/fedora/shimx64.efi /boot/efi/EFI/fedora/shimx64-fedora.efi
    
    # Sync changes to the disk
    $ sync
    
    # Reboot
    

    Once reboot is successful, you can remove the backup copies:

    # Enter a root shell on the host (i.e. not in a toolbox)
    $ sudo -i
    
    # Remove the backup of the content of the EFI partition
    $ cd /boot/efi/
    $ rm -ri ./EFI.bkp
    
    # Sync changes to the disk
    $ sync
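
To check whether the EFI partition actually carries an outdated bootloader, before and after the manual update, the following added example (not part of the original post) lists the files under /boot/efi/EFI that are missing or differ from the copies in /usr/lib/ostree-boot/efi/EFI. The function name `stale_bootloader_files` is hypothetical, and the script assumes it is run as root on the host so the EFI partition is readable.

```bash
#!/bin/bash
# Added example: compare the bootloader files shipped in the current
# deployment with the ones installed on the EFI partition.

# stale_bootloader_files SRC DST
# Prints one relative path per file under SRC/BOOT and SRC/fedora whose
# counterpart under DST is missing or has different content.
stale_bootloader_files() {
    local src="$1" dst="$2" dir file rel
    for dir in BOOT fedora; do
        [ -d "$src/$dir" ] || continue
        for file in "$src/$dir"/*; do
            [ -f "$file" ] || continue
            rel="$dir/${file##*/}"
            if ! cmp -s "$file" "$dst/$rel"; then
                printf '%s\n' "$rel"
            fi
        done
    done
    # shimx64-fedora.efi is a copy of shimx64.efi that only some systems have,
    # so it is checked only when it already exists on the EFI partition.
    if [ -f "$dst/fedora/shimx64-fedora.efi" ] &&
       ! cmp -s "$src/fedora/shimx64.efi" "$dst/fedora/shimx64-fedora.efi"; then
        printf '%s\n' "fedora/shimx64-fedora.efi"
    fi
}

# Paths taken from the commands above; skipped when they do not exist.
SRC=/usr/lib/ostree-boot/efi/EFI
DST=/boot/efi/EFI
if [ -d "$SRC" ] && [ -d "$DST" ]; then
    stale=$(stale_bootloader_files "$SRC" "$DST")
    if [ -n "$stale" ]; then
        echo "Outdated or missing on the EFI partition:"
        echo "$stale"
    else
        echo "Bootloader files on the EFI partition match the deployment."
    fi
fi
```

An empty list after the copy and `sync` steps means every shipped bootloader file now matches its installed counterpart.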
    