Following the recent updates for Atomic Desktops and IoT systems, specifically versions 39.20240617.0 and 40.20240617.0, systems with Secure Boot enabled are experiencing boot failures if they were installed prior to Fedora Linux 40. Users might encounter the following error message:
error: ../../grub-core/kern/efi/sb.c:182:bad shim signature.
error: ../../grub-core/loader/i386/efi/linux.c:258:you need to load the kernel first.Press any key to continue...
Troubleshooting Steps
To address this issue, users need to first boot into the previous version of their systems, as it should still be operational. Reboot the system and select the previous boot entry from the menu displayed during boot. The entry should resemble:
Fedora Linux 39.20240610.0 (Silverblue) (ostree:1)
Once logged in, locate the terminal application on your desktop. For Fedora IoT, log in via SSH or the console, ensuring you are not operating within a toolbox for the commands detailed below.
For Fedora Atomic Desktops based on Fedora 39 that haven’t been updated to Fedora 40 yet, execute the following commands to update to the latest functional Fedora 39 version:
$ sudo rpm-ostree cleanup --pending
$ sudo rpm-ostree deploy 39.20240616.0
For Fedora IoT, update to the latest functional version with this command:
$ sudo rpm-ostree cleanup --pending
$ sudo rpm-ostree deploy 40.20240614.0
After updating, reboot the system. Once logged in on the latest functional version, proceed with the following commands:
$ sudo -i
$ cp -rp /usr/lib/ostree-boot/efi/EFI /boot/efi
$ sync
Once completed, reboot the system. You should now be able to update as usual using the graphical interface or the command line:
$ sudo rpm-ostree update
Cause of the Issue
The boot components on Fedora Atomic Desktops and Fedora IoT systems (Shim, GRUB) are not automatically updated along with the rest of the system. If a Fedora Atomic Desktop or Fedora IoT system was installed before Fedora 40, it utilizes outdated versions of the Shim and bootloader binaries for system booting.
Secure Boot loads Shim first, signed by the Microsoft Third Party Certificate Authority, enabling verification on most hardware by default. Shim includes Fedora’s certificates used to verify binaries signed by Fedora. Shim then loads GRUB, which subsequently loads the Linux kernel – both signed by Fedora.
Prior to the 6.9 kernel update, the kernel binaries were dual-signed with an older key and a newer one. The newer kernel update removed the old key’s signature. If GRUB or Shim lacks awareness of the new key due to being outdated, the signature verification fails.
For more information, refer to the initial report in the Fedora Silverblue issue tracker.
Preventive Measures
The issue of bootloader updates not being performed has long been known and efforts have been made to address it. The implementation of bootupd for Fedora Atomic Desktops and Fedora IoT aims to rectify this. Bootupd is a specialized application solely responsible for bootloader updates. Originally planned for Fedora Linux 38, its activation was postponed due to issues with bootupd itself and required alterations in Anaconda.
Plans are underway to activate bootupd in Fedora Linux 41, ideally by default, to resolve this ongoing issue. For details, refer to the ‘Enable bootupd for Fedora Atomic Desktops and Fedora IoT Fedora Change’ page.
It’s worth noting that this root cause also impacts Fedora CoreOS; however, measures have been enacted to enforce a bootloader update before the 6.9 kernel update. See the tracking issue for Fedora CoreOS for further information.
