Fix boot partition on Silverblue?

I was having trouble with a fwupd update, so I manually moved files in the boot partition.

While the firmware update worked successfully, now Secure Boot fails. After disabling SecureBoot the laptop is working fine. But I want to re-enable Secure Boot.

What is the easiest way to fix or rebuild the EFI boot partition on Silverblue so that I can reenable SecureBoot? Any pointers appreciated.

I saw this doc; however, it isn’t compatible with Silverblue since the root partition does not directly expose any binaries (they are in ostree), let alone DNF.

I could also use some guidance on this topic. I installed Silverblue with Secure Boot enabled, but it shows as disabled in the privacy settings.

This sounds like a potential fwupd issue to me, I’d file an issue ticket upstream and go from there.

Originally, I believe it was a fwupd issue.

But then I took actions to attempt a workaround based off of a forum post which described the same issue.

It included: backing up and deleting the BOOT and Fedora EFI shim, performing fwupd update on the USB hub (which now ran successfully), and then restoring the EFI files.

However, after a reboot, it looks like SecureBoot could detect the changes were performed. I believe SecureBoot is working as expected due to my changes performed in the EFI.

Preferably, I am looking for a way to reset the state of SecureBoot. Or reformat the boot and boot/efi partitions, possibly via Anaconda. But I have not found a straightforward way to do that without a clean install.

Bootupd is what is intended to solve this in the future in Fedora Silverblue, but it was pushed to F39.

The best workaround though seems to be this: Use bootupd and remove ostree-grub2 (was: All deployments are shown twice in grub) · Issue #120 · fedora-silverblue/issue-tracker · GitHub

Thank you! This appears to be the same issue I encountered!

I’ll try this solution this week and report back.

Success!

sudo rpm-ostree usroverlay
wget https://kojipkgs.fedoraproject.org//packages/shim/15.6/2/x86_64/shim-x64-15.6-2.x86_64.rpm
sudo rpm -i --reinstall shim-x64-15.6-2.x86_64.rpm

Hopefully I can make time and add this to the Silverblue Docs on the troubleshooting page.

I would guess that the reason this didn’t work is because the fwupd dbx update marked the shim you had been using as insecure and started blocking it.

When you made a backup of your current shim, it was of the insecure version, as rpm-ostree was unable to update it to the new version.

Now, you should have both the updated dbx as well as the updated shim, so that is why it works.

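The explanation above, as an added example that is not part of the original thread: dbx hash entries are Authenticode SHA-256 digests of the EFI image, so a backed-up copy of a revoked shim stays blocked wherever it is restored. The PE bytes, `make_pe`, `is_revoked` and the dbx set are constructed for illustration, and the hash assumes a well-formed image whose sections are contiguous and in file order.

```python
import hashlib
import struct

def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 of a PE image as Secure Boot computes it: the CheckSum field,
    the Certificate Table directory entry and the signature blob are skipped.
    Assumes a well-formed image with sections contiguous and in file order."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe_off + 24                        # optional header follows 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    checksum = opt + 64
    certdir = opt + (144 if magic == 0x20B else 128)   # data directory index 4
    cert_off, cert_len = struct.unpack_from("<II", pe, certdir)
    end = cert_off if cert_len else len(pe)
    h = hashlib.sha256()
    for chunk in (pe[:checksum], pe[checksum + 4:certdir],
                  pe[certdir + 8:end], pe[end + cert_len:]):
        h.update(chunk)
    return h.hexdigest()

def is_revoked(pe: bytes, dbx_hashes: set) -> bool:
    """True if the image digest appears in a set of dbx SHA-256 entries (hex)."""
    return authenticode_sha256(pe) in dbx_hashes

def make_pe(body: bytes, sig: bytes = b"") -> bytes:
    """Constructed minimal PE32+ byte layout for the demo (not a bootable binary)."""
    hdr = bytearray(0x58 + 240)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x58, 0x20B)          # PE32+ magic
    if sig:                                           # signing rewrites these two fields
        struct.pack_into("<I", hdr, 0x58 + 64, 0xDEADBEEF)
        struct.pack_into("<II", hdr, 0x58 + 144, len(hdr) + len(body), len(sig))
    return bytes(hdr) + body + sig

if __name__ == "__main__":
    old = make_pe(b"old shim" * 4, sig=b"S" * 16)     # constructed stand-in for the backup
    new = make_pe(b"new shim" * 4, sig=b"S" * 16)     # constructed stand-in for the update
    dbx = {authenticode_sha256(make_pe(b"old shim" * 4))}
    print("restored backup blocked:", is_revoked(old, dbx))
    print("updated shim blocked:  ", is_revoked(new, dbx))
```

The digest ignores the signature and checksum, which is why a plain `sha256sum` of the file on the ESP will not match a dbx entry even for a revoked image.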