Update Originated BAD shim error

I performed an update of Fedora 39 with:
sudo rpm-ostree update --uninstall rpmfusion-free-release --uninstall rpmfusion-nonfree-release --install rpmfusion-free-release --install rpmfusion-nonfree-release
systemctl reboot

And after this, when booting on Fedora 39.2 it returned:

error: …/…/grub-core/kern/efi/sb.c:182:bad shim signature

On previous versions this never happened. I can boot it if I use Fedora 39.1.5. But that is not a solution. I would not like to disable Secure Boot either. Any help?

If the solution is correct, this is a duplicate


I believe Silverblue 39.1.5 is the initial version that is deployed when you install from the install media.

In order to use the workaround linked above, you should deploy a more recent version first before the problem was introduced.

sudo rpm-ostree deploy 39.20240616.0

That's what I did in previous steps. The 1.5 was working, but when switching to .2 it suddenly had these issues. And this never happened before when configuring the PCs. But what was suggested above seems to have solved my problem. Still can't understand what changed from 1 month ago, where everything regarding the setups was working fine and now… puff.

Regardless, thanks for the help :slight_smile:

There’s going to be a Fedora Magazine post with some details about this shortly, but I’ll copy some relevant bits here:

On Fedora Atomic Desktops and Fedora IoT systems, the components that are part of the boot chain (Shim, GRUB) are not (yet) automatically updated alongside the rest of the system. Thus, if you have installed a Fedora Atomic Desktop or a Fedora IoT system before Fedora 40, it uses old versions of the Shim and bootloader binaries to boot your system.

When Secure Boot is enabled, the EFI firmware loads Shim first. Shim is signed by the Microsoft Third Party Certificate Authority so that it can be verified on most hardware out of the box. The Shim binary includes the Fedora certificates used to verify binaries signed by Fedora. Then Shim loads GRUB, which in turn loads the Linux kernel. Both are signed by Fedora.

Until recently, the kernel binaries were signed two times, with an older key and a newer one. With the 6.9 kernel update, the kernel is no longer signed with the old key. If GRUB or Shim is old enough and does not know about the new key, the signature verification fails.

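A way to see the dual-signing described in the post for yourself, as an added example that is not from this thread: the script below walks the Authenticode certificate table of a PE image (an EFI-stub vmlinuz, shim or GRUB binary) and counts the attached signatures, using only the Python standard library. The sample image it builds is a constructed, non-bootable PE32+ header, not a real Fedora binary.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 blob


def count_pe_signatures(data: bytes) -> int:
    """Return the number of Authenticode signatures attached to a PE image.

    A kernel signed with both the old and the new Fedora key carries two
    WIN_CERTIFICATE entries; a 6.9+ kernel carries only one.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 24                      # optional header follows COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+); index 4 is the
    # Certificate Table. Its first field is a file offset, not an RVA.
    dd_base = opt_off + (96 if magic == 0x10B else 112)
    cert_off, cert_size = struct.unpack_from("<II", data, dd_base + 4 * 8)
    if cert_off == 0 or cert_size == 0:
        return 0                               # unsigned image
    pos, end, count = cert_off, cert_off + cert_size, 0
    while pos + 8 <= end:
        length, _revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            count += 1
        pos += (length + 7) & ~7               # entries are 8-byte aligned
    return count


def build_fake_signed_pe(num_sigs: int) -> bytes:
    """Constructed sample: minimal PE32+ with `num_sigs` dummy PKCS#7 blobs."""
    opt = bytearray(240)                       # 112 fixed bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    blobs = b""
    for i in range(num_sigs):
        body = b"fake-pkcs7-%d" % i
        entry = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
        blobs += entry + b"\0" * (-len(entry) % 8)
    hdr_len = 64 + 4 + 20 + len(opt)
    struct.pack_into("<II", opt, 112 + 4 * 8, hdr_len, len(blobs))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + blobs
```

On a real system, call `count_pe_signatures(open("/boot/vmlinuz-...", "rb").read())` (path assumed) to compare an older kernel against a 6.9 one; `pesign -S -i <file>` shows the same table with signer names.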

It will probably take several years until a new certificate will be required for signing Fedora kernels. Interesting, though, will be when the Microsoft signing certificates need to be updated, and what would happen then?

Can I also solve this issue by changing the deploy version to a commit previous to this?

If this is part of that issue, please use the other thread as we have more than 4 I think

Github issue with the solution