Boot fails with "vmlinuz has invalid signature" or "bad shim signature, you need to load the kernel first" #54

Closed
miabbott opened this issue Jun 20, 2024 · 2 comments
@miabbott

This is just a copy of a similar issue that is affecting other ostree-based systems, specifically the Atomic Desktops. See fedora-silverblue/issue-tracker#543 for full details.

The idea is that once the adoption of bootupd happens (#6), we will be able to avoid these kinds of problems in the future.


Suggested Workaround

(from fedora-silverblue/issue-tracker#543 (comment))

Warning: These instructions should be safe to follow, but still, do this at your own risk and make backups.

# Enter a root shell on the host (i.e. not in a toolbox)
$ sudo -i

# Make a backup of the content of the EFI partition
$ cd /boot/efi/
$ cp -a EFI EFI.bkp

# Copy updated bootloader versions
$ cp /usr/lib/ostree-boot/efi/EFI/BOOT/{BOOTIA32.EFI,BOOTX64.EFI,fbia32.efi,fbx64.efi} /boot/efi/EFI/BOOT/
$ cp /usr/lib/ostree-boot/efi/EFI/fedora/{BOOTIA32.CSV,BOOTX64.CSV,grubia32.efi,grubx64.efi,mmia32.efi,mmx64.efi,shim.efi,shimia32.efi,shimx64.efi} /boot/efi/EFI/fedora/

# Only needed if it exists already on your system
$ cp /usr/lib/ostree-boot/efi/EFI/fedora/shimx64.efi /boot/efi/EFI/fedora/shimx64-fedora.efi

# Sync changes to the disk
$ sync

# Reboot

Once the reboot is successful, you can remove the backup copies:

# Enter a root shell on the host (i.e. not in a toolbox)
$ sudo -i

# Remove the backup of the content of the EFI partition
$ cd /boot/efi/
$ rm -ri ./EFI.bkp

# Sync changes to the disk
$ sync

Edit: Updated to add 32-bit EFI binaries as well.

For aarch64, update the filenames as needed.
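
A read-only check that can be run before and after the workaround above, added here as an example that is not part of the original issue or of any Fedora tooling: it compares every file under the ostree-shipped EFI tree with its counterpart on the EFI partition. The function name `compare_efi` and the output labels are assumptions of this example; the two paths in the usage comment are the ones the workaround uses.

```shell
#!/bin/sh
# Added example: report which bootloader files on the EFI partition differ
# from the copies shipped in the ostree deployment. Changes nothing on disk.
#
# Usage on an affected system (as root, paths taken from the workaround):
#   sh compare_efi.sh /usr/lib/ostree-boot/efi/EFI /boot/efi/EFI

# compare_efi SRC_ROOT ESP_ROOT
# Prints one line per file shipped under SRC_ROOT:
#   same    content on the ESP is identical
#   STALE   content on the ESP differs from the shipped copy
#   absent  file is not present on the ESP
# Returns 1 if any file is STALE, 0 if none are, 2 if SRC_ROOT is unreadable.
compare_efi() {
    src_root=$1
    esp_root=$2
    stale=0
    list=$(cd "$src_root" && find . -type f | sort) || return 2
    # A here-document keeps the loop in the current shell so $stale survives.
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        rel=${rel#./}
        if [ ! -e "$esp_root/$rel" ]; then
            echo "absent  $rel"
        elif cmp -s "$src_root/$rel" "$esp_root/$rel"; then
            echo "same    $rel"
        else
            echo "STALE   $rel"
            stale=1
        fi
    done <<EOF
$list
EOF
    return "$stale"
}

# Run only when both directories are given on the command line.
if [ "$#" -eq 2 ]; then
    compare_efi "$1" "$2"
fi
```

The optional `shimx64-fedora.efi` copy from the workaround has no file of that name in the shipped tree, so this check does not cover it.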

@miabbott miabbott added the bug Something isn't working label Jun 20, 2024

miabbott commented Jul 1, 2024

The introduction of the 6.9 kernel in Fedora seems to be the trigger for this issue (along with having an older shim/bootloader).

This happened as part of 40.20240617.0 (62c8ff246886838c8b5df7ca5ff060fccee8705fa7114f3ec47dad0103ac3ba9) on the fedora/stable/x86_64/iot ref.

Affected users should follow the workaround instructions noted above.

@nullr0ute

We now have a new shim with appropriate signed bits and all the various workarounds for upgrade paths.
