On 08.10.22 at 16:24, Leon Fauster wrote:
Hey folks, I wonder if anyone also suffers from the following:
I updated the BIOS/Firmware of a DELL notebook from 1.8 to 1.9, and after this the latest C9S
kernel-5.14.0-171.el9.x86_64
can't be booted anymore (secure boot on) but the two older ones do boot:
kernel-5.14.0-165.el9.x86_64
kernel-5.14.0-168.el9.x86_64
The grub error message when trying to boot kernel-5.14.0-171.el9.x86_64 looks like:
error: ../../grub-core/kern/efi/sb.c:183:bad shim signature.
error: ../../grub-core/loader/i386/efi/linux.c:259:you need to load the kernel first.
I wonder how this happens. The firmware is classified as bug-fix update.
Not sure if DBX list was updated. fwupdmgr shows "Current version: 83"
If so, it does not make sense that older kernels can be used to boot the system.
So, a big question mark how to solve this issue? Any hints ...?
# sha256sum /boot/efi/EFI/BOOT/BOOTX64.EFI
3ae459e79408b5287ce70c5b86ddcc92c243c7442d6769a330390598b7a351b1  /boot/efi/EFI/BOOT/BOOTX64.EFI
It seems that the kernel-5.14.0 of the release 17X-series does not get signed with the CentOS key anymore!
https://bugzilla.redhat.com/show_bug.cgi?id=2138019
TLDR:
/boot/vmlinuz-5.14.0-16*
versus
/boot/vmlinuz-5.14.0-17*
shows
The signer's common name is CentOS Secure Boot Signing 201
versus
The signer's common name is Red Hat Test Certificate
Is this issue already receiving the right attention?
--
Thanks
Leon
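
The signer comparison from the message above, as an added example that is not part of the original thread: a script that lists each installed kernel image and flags any whose signer common name does not match the expected one. It assumes the "The signer's common name is ..." lines come from `pesign -S -i <image>`; the function names and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: signer lines have the form
# "The signer's common name is <CN>", as printed by `pesign -S -i <image>`.
# This compares names only; it does not verify the signature chain.

# Prefix of the CN quoted in the message for the kernels that still boot.
EXPECTED_PREFIX="CentOS Secure Boot Signing"

# Constructed samples, built from the two signer lines quoted in the message.
SAMPLE_OLD="The signer's common name is CentOS Secure Boot Signing 201"
SAMPLE_NEW="The signer's common name is Red Hat Test Certificate"

# stdin: signature listing text; stdout: one signer CN per line.
signer_cns() {
    sed -n "s/^[[:space:]]*The signer's common name is //p"
}

# stdin: signature listing text.
# stdout: OK, UNSIGNED, or "UNEXPECTED: <cn>[;<cn>...]".
classify_signers() {
    cns=$(signer_cns)
    if [ -z "$cns" ]; then
        echo "UNSIGNED"
    elif printf '%s\n' "$cns" | grep -q "^$EXPECTED_PREFIX"; then
        echo "OK"
    else
        echo "UNEXPECTED: $(printf '%s' "$cns" | tr '\n' ';')"
    fi
}

# Check every kernel image in /boot and print "<image><TAB><verdict>".
audit_boot() {
    for img in /boot/vmlinuz-*; do
        [ -f "$img" ] || continue
        verdict=$(pesign -S -i "$img" 2>/dev/null | classify_signers)
        printf '%s\t%s\n' "$img" "$verdict"
    done
}

# Run against the local /boot only when pesign is installed.
if command -v pesign >/dev/null 2>&1; then
    audit_boot
fi
```

Running this before rebooting into a newly installed kernel shows whether it would be rejected under Secure Boot for the reason described in the bug report.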