Secure Boot: Shim: Verification failed: (0x1A) Security Violation

truster · July 25, 2024, 8:00pm

Today my Fedora Silverblue won’t boot on my Dell Precision 4580, it says

Verification Failed: (0x1A) Security Violation

I can successfully boot Fedora Workstation from a USB drive.

How can I verify that my boot configuration or files have not been tampered with?

truster · July 25, 2024, 8:01pm

workstation entfernt

boredsquirrel · July 25, 2024, 9:17pm

Strange, I had the same issue a few days ago with Ventoy.

Can you boot into the older deployment?

GRUB should be shown either with shift or with F8.

I suppose you already did that?

boredsquirrel · July 25, 2024, 9:18pm

Added secure-boot, shim

truster · July 26, 2024, 6:46am

Hi @boredsquirrel , and thanks for your reply.

Unfortunately, your linked discussion sounds different to me, as it is about a signed kernel with a newer certificate than the one provided in the f39 boot loader environment, so simply selecting an older kernel would allow you to boot your system and reinstall a newer boot environment.

But that doesn’t seem to be my problem, as it won’t even load the GRUB boot loader, so I can’t select a different kernel. But the workaround shows me a possible solution - I booted fedora workstation from a USB stick, mounted my encrypted disk, compared the contents of /usr/lib/ostree-boot/efi with /boot/efi and found different EFI binaries, so I cpied them over.

Now it is booting again.

aaah and it seems the command

cp -rp /usr/lib/ostree-boot/efi/EFI /boot/efi

described on the fedoras magazine article is not correct, this leads to an extra EFI subfolder on my system, ending up in /boot/efi/EFI/EFI/*

But one question remains. Why don’t they update the UEFI binaries? …

boredsquirrel · July 26, 2024, 1:11pm

Added bootupd, grub

boredsquirrel · July 26, 2024, 1:11pm

Interesting, another issue that will be fixed soon. Afaik bootupd is now in Fedora 41, and may be backported to F40.

Gitlab Issue

Bootupd handles updating grub so this shouldnt happen anymore.

kparal · July 26, 2024, 2:14pm

@siosm Hi, do you think this is yet another manifestation of this issue, and we should add the Verification Failed: (0x1A) Security Violation error message to the description here?

Or is it a different problem, not to be mixed up with it?

Dave:

aaah and it seems the command
cp -rp /usr/lib/ostree-boot/efi/EFI /boot/efi
described on the fedoras magazine article is not correct, this leads to an extra EFI subfolder on my system, ending up in /boot/efi/EFI/EFI/*

@siosm Can you please verify whether the command is correct or not? Thanks!

siosm · July 26, 2024, 4:56pm

The command worked when I had tested it for the bootloader update. I don’t know what’s happening with this issue.

truster · July 26, 2024, 5:48pm

Hi @siosm & @kparal

Blame on me

Apologies, that was my mistake - all is well here.
i issued

cp -rp /usr/lib/ostree-boot/efi /boot/efi

instead of

cp -rp /usr/lib/ostree-boot/efi/EFI /boot/efi

just checked my bash history to be sure.

Topic		Replies	Views
Boot fails with "bad shim signature" in atomic desktops and IoT Common Issues secure-boot , boot , kernel , kinoite , silverblue , f40 , atomic-desktops	1	518	July 11, 2024
Talk: Boot fails with “bad shim signature” in atomic desktops and IoT Ask Fedora silverblue-team , secure-boot , uefi , grub , kinoite , atomic-desktops , sway-atomic	10	814	July 17, 2024
Secure boot configuration Ask Fedora secure-boot , silverblue , workstation , ubuntu-transition	4	931	July 11, 2024
Bad shim signature Ask Fedora f37 , grub	1	6632	November 23, 2022
Bad Shim Signature - Can't update boot files Ask Fedora secure-boot , boot , kinoite , silverblue	3	550	July 14, 2024

Secure Boot: Shim: Verification failed: (0x1A) Security Violation

Related topics