Secure Boot Violation after updating BIOS to the latest version

[0rzech]

Describe the bug
Secure Boot Violation after updating BIOS to the latest version.

To Reproduce
Please describe the steps needed to reproduce the bug:

1. Update BIOS to the latest version.
2. Boot the computer.
3. Motherboard complains that the signature is invalid.

Expected behavior
Fedora signature should be valid.

Screenshots
Secure Boot Violation

OS version:

● fedora:fedora/39/x86_64/silverblue
                  Version: 39.20231215.1 (2023-12-15T18:09:18Z)
               BaseCommit: 69c25b9951d821ba85a3fdca4ecf2afeb4317b28ce94d70034a23e31bbd97b3a
             GPGSignature: Valid signature by E8F23996F23218640CB44CBE75CF5AC418B8E74C

Additional context
The firmware is ROG CROSSHAIR VIII HERO(WI-FI) BIOS 4702 (with AGESA ComboV2PI 1.2.0.B). AFAIK, the new BIOS resets fTPM state on update. I was stuck on dbx 77 but now fwupdmgr says it's up to date.

The system booted fine before updating and resetting BIOS. Now secure boot has to be disabled in order to boot the system and Gnome reports that the Kernel Lockdown is disabled in addition to UEFI Secure Boot.

[travier]

You likely need to update the bootloader manually. See #355

[0rzech]

Tkanks, @travier ! Is there somewhere a conclusive list of steps on how to do it?

[travier]

Unfortunately there isn't. You can try #120 (comment) (with an updated package), but it's at your own risk. Make sure to mount/remount /boot & /boot/efi as read-write before.

Hopefully we get #120 in soon and you will be able to use that to update the bootloader.

[0rzech]

Thanks, @travier !

You can try #120 (comment) (with an updated package), but it's at your own risk.

Do you mean latest shim from Fedora repository?

Make sure to mount/remount /boot & /boot/efi as read-write before.

As in "unmount both partitions and mount them rw"?

Does rpm -i validate package signatures, or is there another way to do it during package reinstallation?

Maybe I could just extract the necessary files from shim rpm and copy them to the partition, is that possible?

[0rzech]

Do you mean latest shim from Fedora repository?

Ok, I have updated shim and updated grub2.

As in "unmount both partitions and mount them rw"?

@travier I didn't have to do that, because they are rw all the time - perhaps it's because I have separate /boot partition. Is rw on it wrong?

Does rpm -i validate package signatures, or is there another way to do it during package reinstallation?

To answer myself: it doesn't. I did rpm -K <package_file> and rpm -Kv <package_file> to verify package signatures.

Maybe I could just extract the necessary files from shim rpm and copy them to the partition, is that possible?

Copying shim files from /usr/lib/ostree-boot/efi/EFI/BOOT/ to /boot/efi/EFI/BOOT/ didn't help, so probably neither would copying files extracted from the rpm package.

[travier]

We've landed bootupd in Fedora 41. This should solve this issue.