Secure boot configuration

Hello,

I have the following issue: I installed Fedora Silverblue (40) on a USB drive to play around with it a bit. After installation I updated everything from the software app. This included the “secure boot configurations for fedora”. Now secure boot fails whenever the USB drive (with the Fedora installation) is not plugged in. The error message reads:

Verifiying shim SBAT data failed: Security Policy Violation
Something has gone serioulsy wrong: SBAT self-check failed: Security Policy Violation

I guess shim needs/expects something on that USB drive to function.

My system is running a Windows 11 installation (which I need for some proprietary software) in dual boot with GRUB and an older Ubuntu installation. I want to replace Ubuntu with Fedora Workstation down the road.
I was thinking about just installing Fedora Workstation on the main drive and hoped that might resolve the issue. Or wiping the whole drive and installing Windows again. However I’m not sure if one of those would fix something on the secure boot level. Also thought about manually installing/configuring shim but don’t know how exactly to go about this and if I feel comfortable with it. What would you suggest?

Any advice is very welcome! Many thanks in advance :slight_smile:

A common issue with Silverblue is that the shim and grub2 aren’t updated when they need to be.

See https://discussion.fedoraproject.org/t/after-a-system-update-bad-shim-signature-silverblue-f40/120347/4

You may need to disable secure boot temporarily to be able to access your Fedora system.

The thing is, I CAN access my Fedora system (on the USB drive) with secure boot and everything works perfectly when the USB drive is plugged in.
But when the USB drive is not plugged in, secure boot fails immediately. My problem is that I don’t want to have to have this USB drive plugged in to be able to boot up any other OS. In fact I don’t really need this Fedora system (on the USB drive) at all. But I would like to install Fedora Workstation on the main drive though. My goal for now is however to get any OS booting with secure boot without the USB drive being plugged in.

So I figured out how to work around this for now. The issue seems to be tied only to the Fedora Bootloader. When I use the Windows Bootloader instead I can still boot with secure boot. I guess I will work with that for now and delete the Ubuntu and Fedora Bootloaders. Then I will try to replace Ubuntu with a fresh Fedora Workstation install and hope everything works out.
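
An added example, not part of the thread and not code from the shim project: the SBAT self-check named in the error message compares the generation numbers in a boot binary's `.sbat` data with the minimum generations recorded in the firmware's SBAT revocation data, so an older shim is refused once that minimum has been raised. The sample data below is constructed, and the function names are assumptions made for illustration.

```python
# Added example: SBAT generation comparison on constructed sample data.
# SBAT rows are CSV: component,generation[,vendor,package,version,url]

# Constructed .sbat contents of an older shim (not taken from a real binary).
OLD_SHIM = """sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
shim,2,UEFI shim,shim,1,https://example.invalid/shim
shim.example,1,Example Distro,shim,15.4,https://example.invalid/distro
"""

# Constructed .sbat contents of an updated shim.
NEW_SHIM = OLD_SHIM.replace("shim,2,UEFI shim", "shim,4,UEFI shim")

# Constructed revocation data: minimum accepted generation per component.
REVOCATIONS = """sbat,1,2024010900
shim,4
grub,3
"""


def parse_sbat(text):
    """Return {component: generation} from SBAT CSV text."""
    levels = {}
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2 or not fields[1].isdigit():
            continue  # skip blank or malformed rows
        levels[fields[0]] = int(fields[1])
    return levels


def revoked_components(binary_sbat, revocations):
    """List (component, binary_generation, required_generation) for every
    component whose generation is below the revocation minimum."""
    binary = parse_sbat(binary_sbat)
    minimum = parse_sbat(revocations)
    return sorted(
        (name, gen, minimum[name])
        for name, gen in binary.items()
        if name in minimum and gen < minimum[name]
    )


if __name__ == "__main__":
    for label, sbat in (("old shim", OLD_SHIM), ("new shim", NEW_SHIM)):
        failures = revoked_components(sbat, REVOCATIONS)
        print(label, "->", "refused: %s" % failures if failures else "accepted")
```

Components absent from the revocation data (here `shim.example`) are not checked, which is why only the upstream `shim` row decides the outcome in this sample.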
