Latest grub2 package updates break Secure Boot

Today I did an offline upgrade, and after the upgrade Secure Boot is no longer working. I do not have any proprietary kernel modules installed, and my Fedora KDE Plasma live USB still boots fine with Secure Boot enabled. On top of that, the same packages updated on my laptop (a ThinkPad X1 Yoga Gen 6), and they broke Secure Boot as well. I tried to roll back to before the update, but for some reason dnf wouldn’t allow it due to package conflicts. For now the only fix is to disable Secure Boot in the UEFI, but that is not ideal, especially for my laptop, which is mobile.

Here is a dnf history info output for the offline upgrade transaction:

Transaction ID : 124
Begin time     : 2026-03-25 16:29:59
Begin rpmdb    : c83f185a13622da37946bc9d1ae6c42b7c5c8e77ee2377e8f47922b4eccfe1f2
End time       : 2026-03-25 16:30:09
End rpmdb      : d4b51374b3428859f6144d59c625fbb7e5a465bb38cba7729c3078268f51b3c7
User           : 0 Super User <root>
Status         : Ok
Releasever     : 43
Description    : dnf upgrade --offline --refresh
Comment        : 
Packages altered:
  Action   Package                                         Reason          Repository
  Upgrade  audit-0:4.1.4-1.fc43.x86_64                     Group           updates
  Upgrade  audit-libs-0:4.1.4-1.fc43.x86_64                Dependency      updates
  Upgrade  audit-rules-0:4.1.4-1.fc43.x86_64               Dependency      updates
  Upgrade  python3-audit-0:4.1.4-1.fc43.x86_64             Dependency      updates
  Upgrade  audit-libs-0:4.1.4-1.fc43.i686                  Dependency      updates
  Upgrade  fastfetch-0:2.60.0-1.fc43.x86_64                External User   updates
  Upgrade  grub2-common-1:2.12-42.fc43.noarch              Dependency      updates
  Upgrade  grub2-tools-minimal-1:2.12-42.fc43.x86_64       Dependency      updates
  Upgrade  grub2-tools-extra-1:2.12-42.fc43.x86_64         Group           updates
  Upgrade  grub2-tools-efi-1:2.12-42.fc43.x86_64           Group           updates
  Upgrade  grub2-tools-1:2.12-42.fc43.x86_64               Group           updates
  Upgrade  grub2-pc-modules-1:2.12-42.fc43.noarch          Dependency      updates
  Upgrade  grub2-pc-1:2.12-42.fc43.x86_64                  Group           updates
  Upgrade  grub2-efi-x64-modules-1:2.12-42.fc43.noarch     User            updates
  Upgrade  grub2-efi-x64-cdboot-1:2.12-42.fc43.x86_64      Group           updates
  Upgrade  grub2-efi-x64-1:2.12-42.fc43.x86_64             Group           updates
  Upgrade  grub2-efi-ia32-modules-1:2.12-42.fc43.noarch    User            updates
  Upgrade  grub2-efi-ia32-cdboot-1:2.12-42.fc43.x86_64     Group           updates
  Upgrade  grub2-efi-ia32-1:2.12-42.fc43.x86_64            Group           updates
  Upgrade  libqtforkawesome-qt61-0:0.3.2-1.16.x86_64       Dependency      home_mkittler
  Upgrade  libqtquickforkawesome-qt61-0:0.3.2-1.16.x86_64  Dependency      home_mkittler
  Upgrade  libqtutilities-qt66-0:6.20.0-1.12.x86_64        Dependency      home_mkittler
  Upgrade  libsyncthingconnector-qt634-0:2.0.9-2.15.x86_64 External User   home_mkittler
  Upgrade  libsyncthingconnector34-0:2.0.9-1.16.x86_64     External User   home_mkittler
  Upgrade  libsyncthingmodel-qt634-0:2.0.9-2.15.x86_64     User            home_mkittler
  Upgrade  libsyncthingwidgets-qt634-0:2.0.9-2.15.x86_64   User            home_mkittler
  Upgrade  mesa-dri-drivers-0:25.3.6-3.fc43.x86_64         Group           updates
  Upgrade  mesa-filesystem-0:25.3.6-3.fc43.x86_64          Dependency      updates
  Upgrade  mesa-libgbm-0:25.3.6-3.fc43.x86_64              Dependency      updates
  Upgrade  mesa-libGL-0:25.3.6-3.fc43.x86_64               Dependency      updates
  Upgrade  mesa-libEGL-0:25.3.6-3.fc43.x86_64              Dependency      updates
  Upgrade  mesa-dri-drivers-0:25.3.6-3.fc43.i686           Group           updates
  Upgrade  mesa-libgbm-0:25.3.6-3.fc43.i686                Dependency      updates
  Upgrade  mesa-libGL-0:25.3.6-3.fc43.i686                 Dependency      updates
  Upgrade  mesa-libEGL-0:25.3.6-3.fc43.i686                Dependency      updates
  Upgrade  mesa-filesystem-0:25.3.6-3.fc43.i686            Dependency      updates
  Upgrade  mesa-vulkan-drivers-0:25.3.6-3.fc43.x86_64      Group           updates
  Upgrade  mesa-vulkan-drivers-0:25.3.6-3.fc43.i686        Group           updates
  Upgrade  openssh-0:10.0p1-8.fc43.x86_64                  Dependency      updates
  Upgrade  openssh-server-0:10.0p1-8.fc43.x86_64           Group           updates
  Upgrade  openssh-clients-0:10.0p1-8.fc43.x86_64          Group           updates
  Upgrade  openssh-askpass-0:10.0p1-8.fc43.x86_64          Weak Dependency updates
  Upgrade  python3-wcwidth-0:0.6.0-1.fc43.noarch           Dependency      updates
  Upgrade  qtforkawesomeiconengine-qt6-0:0.3.2-1.16.x86_64 Dependency      home_mkittler
  Upgrade  syncthingctl-qt6-0:2.0.9-2.15.x86_64            User            home_mkittler
  Upgrade  syncthingplasmoid-qt6-0:2.0.9-2.15.x86_64       User            home_mkittler
  Replaced audit-0:4.1.3-1.fc43.x86_64                     Group           @System
  Replaced audit-libs-0:4.1.3-1.fc43.x86_64                Dependency      @System
  Replaced audit-libs-0:4.1.3-1.fc43.i686                  Dependency      @System
  Replaced audit-rules-0:4.1.3-1.fc43.x86_64               Dependency      @System
  Replaced fastfetch-0:2.59.0-1.fc43.x86_64                External User   @System
  Replaced grub2-common-1:2.12-40.fc43.noarch              Dependency      @System
  Replaced grub2-efi-ia32-1:2.12-40.fc43.x86_64            Group           @System
  Replaced grub2-efi-ia32-cdboot-1:2.12-40.fc43.x86_64     Group           @System
  Replaced grub2-efi-ia32-modules-1:2.12-40.fc43.noarch    User            @System
  Replaced grub2-efi-x64-1:2.12-40.fc43.x86_64             Group           @System
  Replaced grub2-efi-x64-cdboot-1:2.12-40.fc43.x86_64      Group           @System
  Replaced grub2-efi-x64-modules-1:2.12-40.fc43.noarch     User            @System
  Replaced grub2-pc-1:2.12-40.fc43.x86_64                  Group           @System
  Replaced grub2-pc-modules-1:2.12-40.fc43.noarch          Dependency      @System
  Replaced grub2-tools-1:2.12-40.fc43.x86_64               Group           @System
  Replaced grub2-tools-efi-1:2.12-40.fc43.x86_64           Group           @System
  Replaced grub2-tools-extra-1:2.12-40.fc43.x86_64         Group           @System
  Replaced grub2-tools-minimal-1:2.12-40.fc43.x86_64       Dependency      @System
  Replaced libqtforkawesome-qt61-0:0.3.2-1.15.x86_64       Dependency      @System
  Replaced libqtquickforkawesome-qt61-0:0.3.2-1.15.x86_64  Dependency      @System
  Replaced libqtutilities-qt66-0:6.20.0-1.11.x86_64        Dependency      @System
  Replaced libsyncthingconnector-qt634-0:2.0.9-2.14.x86_64 External User   @System
  Replaced libsyncthingconnector34-0:2.0.9-1.15.x86_64     External User   @System
  Replaced libsyncthingmodel-qt634-0:2.0.9-2.14.x86_64     User            @System
  Replaced libsyncthingwidgets-qt634-0:2.0.9-2.14.x86_64   User            @System
  Replaced mesa-dri-drivers-0:25.3.6-2.fc43.x86_64         Group           @System
  Replaced mesa-dri-drivers-0:25.3.6-2.fc43.i686           Group           @System
  Replaced mesa-filesystem-0:25.3.6-2.fc43.x86_64          Dependency      @System
  Replaced mesa-filesystem-0:25.3.6-2.fc43.i686            Dependency      @System
  Replaced mesa-libEGL-0:25.3.6-2.fc43.x86_64              Dependency      @System
  Replaced mesa-libEGL-0:25.3.6-2.fc43.i686                Dependency      @System
  Replaced mesa-libGL-0:25.3.6-2.fc43.x86_64               Dependency      @System
  Replaced mesa-libGL-0:25.3.6-2.fc43.i686                 Dependency      @System
  Replaced mesa-libgbm-0:25.3.6-2.fc43.x86_64              Dependency      @System
  Replaced mesa-libgbm-0:25.3.6-2.fc43.i686                Dependency      @System
  Replaced mesa-vulkan-drivers-0:25.3.6-2.fc43.x86_64      Group           @System
  Replaced mesa-vulkan-drivers-0:25.3.6-2.fc43.i686        Group           @System
  Replaced openssh-0:10.0p1-7.fc43.x86_64                  Dependency      @System
  Replaced openssh-askpass-0:10.0p1-7.fc43.x86_64          Weak Dependency @System
  Replaced openssh-clients-0:10.0p1-7.fc43.x86_64          Group           @System
  Replaced openssh-server-0:10.0p1-7.fc43.x86_64           Group           @System
  Replaced python3-audit-0:4.1.3-1.fc43.x86_64             Dependency      @System
  Replaced python3-wcwidth-0:0.2.13-16.fc43.noarch         Dependency      @System
  Replaced qtforkawesomeiconengine-qt6-0:0.3.2-1.15.x86_64 Dependency      @System
  Replaced syncthingctl-qt6-0:2.0.9-2.14.x86_64            User            @System
  Replaced syncthingplasmoid-qt6-0:2.0.9-2.14.x86_64       User            @System

Like I said, Secure Boot was functioning perfectly, then immediately after this offline upgrade transaction it stopped functioning, giving me a black screen on boot.

P.S. Was this site updated recently? I had a previous user account with the same username I am posting under now, but that account appears to be completely gone. When I tried to log in it wouldn’t allow me. Then, when I visited in a different browser where I was logged into Google, it suddenly said I have been logged in with OAuth2, and it tied this brand new account (with the same username I was using before) to my Gmail address. I also had 2FA before, and now I cannot find a setting to enable it.

1 Like

For me the latest grub2 packages break the boot, i.e. I get a black screen and no grub menu, but they don’t break Secure Boot.

If I try to load the boot loader from the UEFI menu repeatedly, I do eventually see a grub menu at some point. And if I append the boot command line with “nomodeset”, I can continue to boot (otherwise the screen will go black and stay that way). I did not have to disable Secure Boot.

I rolled back to the old grub2 packages and everything works again. The new packages seem broken and to me it looks like this issue: 2450672 – Black screen after installing a number of updates including dpkg + grub

The grub2 menu shows up just fine for me with all the entries showing properly by disabling Secure Boot. On both of my Fedora 43 KDE Plasma Desktop Edition systems the only thing broken by the most recent packages is Secure Boot.

I think for this you best make a ticket in infrastructure.

Your FAS account is still the same; however, here in Discourse you are now benhaube1.
Do you remember when you logged in last more or less?

Thanks! I will make a ticket for this issue. I actually got a Secure Boot dbx update from fwupdmgr this morning as well as kernel 6.19.9. I was hoping it would fix Secure Boot, but I am still getting the same behavior with it enabled.

To be honest, I cannot remember the last time I logged into discussion.fedoraproject.org. It has been a while. I have been using Fedora for like 10 years at this point, and I rarely have a need to log in and ask questions. Everything tends to just work. Issues like these are very rare for me since I ditched my Nvidia GPU. :laughing:

I do think I made that ‘benhaube1’ account. I vaguely remember it, but I couldn’t tell you why. I think maybe I forgot the password for THIS ‘benhaube’ account and the password reset wasn’t working. That’s the only reason I can come up with in my head. Thanks for reminding me about that account. I had forgotten about it and it isn’t in my Bitwarden vault. I will try to see if I can get into that account.

What about the TOTP settings? In this ‘benhaube’ account I cannot seem to find them, but I clearly have a token set up for this account in my authenticator app.

Edit:

I got into the ‘benhaube1’ account by using the password reset, and I found the 2FA settings (they are in the accounts.fedoraproject.org settings). I think going forward I will just use this ‘benhaube’ account since I can access it. I would delete the ‘benhaube1’ account, but I can’t find a way to do so.

Thank you. I could disable Secure Boot temporarily, boot to Fedora, downgrade grub2, and re-enable Secure Boot back. Let’s hope not too many users get affected with it.

1 Like

Yeah, I downgraded the grub2 packages on my laptop to enable Secure Boot since it is a mobile device and I want the added security. I just left Secure Boot off on my desktop PC, and I will wait for a fix.

It's hard to say that is the case because it's about the time the first set of certificates expire, which I find a fatal flaw with that system. I personally prefer the signed programs with the kernel method even though this locks out software not signed by the kernel it's running.

Ok, so the problem is not Secure Boot by itself but using a grub theme and Secure Boot. After the latest comments in the Bugzilla report [1], I disabled my grub theme and then reinstalled the latest grub2 packages (2.12-42.fc43). And without the grub theme, everything works fine and I don’t have to disable Secure Boot.

[1] 2450672 – Black screen after installing a number of updates including dpkg + grub

6 Likes
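
One way to check for and disable an active theme before reinstalling the 2.12-42.fc43 packages, as an added example that is not part of the original post. It assumes the theme is configured through `GRUB_THEME` in `/etc/default/grub`, which the thread does not state; the sample file and theme path are constructed.

```shell
#!/bin/sh
# Added example. Assumption: the theme is set via GRUB_THEME in
# /etc/default/grub. The functions take a file path so they can be
# tried on a copy before touching the real configuration.

# Print the active (uncommented, non-empty) GRUB_THEME value.
# Returns non-zero when no theme is active.
active_grub_theme() {
    sed -n 's/^[[:space:]]*GRUB_THEME=//p' "$1" | tail -n 1 | grep .
}

# Write a copy of the defaults file ($1) to $2 with every active
# GRUB_THEME line commented out; already-commented lines are untouched.
disable_grub_theme() {
    sed 's/^\([[:space:]]*\)\(GRUB_THEME=.*\)$/\1#\2/' "$1" > "$2"
}

# Constructed sample of a defaults file with one old, commented-out
# theme and one active theme (the path is a placeholder).
sample=$(mktemp)
fixed=$(mktemp)
cat > "$sample" <<'EOF'
GRUB_TIMEOUT=5
GRUB_DISABLE_SUBMENU=true
#GRUB_THEME="/boot/grub2/themes/old/theme.txt"
GRUB_THEME="/boot/grub2/themes/example/theme.txt"
EOF

if theme=$(active_grub_theme "$sample"); then
    echo "active theme: $theme"
    disable_grub_theme "$sample" "$fixed"
    echo "theme lines after the change:"
    grep 'GRUB_THEME' "$fixed"
else
    echo "no active GRUB_THEME"
fi

# On a real system, after reviewing the edited copy and installing it
# as /etc/default/grub, regenerate the menu and confirm the state:
#   sudo grub2-mkconfig -o /boot/grub2/grub.cfg
#   mokutil --sb-state
```

Keep a backup of the original `/etc/default/grub` so the theme can be restored once the Bugzilla report is resolved.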

Ahh, good catch! I did not even think about disabling my Grub theme. I still hope they fix the issue because I really like my grub themes. I can’t remember who made them off the top of my head, but there is a creator who has a collection called “Distro Grub Themes” or something like that. His collection also contains themes for various hardware manufacturers. I have his ASUS theme on my desktop PC that has an ASUS motherboard, and his ThinkPad theme on my ThinkPad X1. That totally explains my issue.