[CentOS-devel] kernel-5.14.0-171.el9.x86_64 / Not bootable (EFI) after Firmware update

Thu Oct 27 23:42:02 UTC 2022
Leon Fauster <leonfauster at googlemail.com>

On 08.10.22 at 16:24, Leon Fauster wrote:
> Hey folks, I wonder if anyone also suffers from the following:
> 
> I updated the BIOS/Firmware of a DELL notebook from 1.8 to 1.9 and
> after this the latest C9S
> 
> kernel-5.14.0-171.el9.x86_64
> 
> can't be booted anymore (secure boot on) but the two older ones do boot:
> 
> kernel-5.14.0-165.el9.x86_64
> kernel-5.14.0-168.el9.x86_64
> 
> The grub error message when trying to boot kernel-5.14.0-171.el9.x86_64
> looks like:
> 
> error: ../../grub-core/kern/efi/sb.c:183:bad shim signature.
> error: ../../grub-core/loader/i386/efi/linux.c:259:you need to load the kernel first.
> 
> I wonder how this happens. The firmware is classified as bug-fix update.
> 
> Not sure if the DBX list was updated. fwupdmgr shows "Current version: 83".
> If so, it does not make sense that older kernels can be used to boot the
> system. So, a big question mark on how to solve this issue? Any hints ...?
> 
> 
> # sha256sum /boot/efi/EFI/BOOT/BOOTX64.EFI
> 3ae459e79408b5287ce70c5b86ddcc92c243c7442d6769a330390598b7a351b1  /boot/efi/EFI/BOOT/BOOTX64.EFI
> 
It seems that the kernel-5.14.0 builds of the 17X release series
do not get signed with the CentOS key anymore!

https://bugzilla.redhat.com/show_bug.cgi?id=2138019

TLDR:

/boot/vmlinuz-5.14.0-16*

versus

/boot/vmlinuz-5.14.0-17*

shows

The signer's common name is CentOS Secure Boot Signing 201

versus

The signer's common name is Red Hat Test Certificate
Is this issue already receiving the right attention?

--
Thanks
Leon
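The check described in the message above (reading the signer's common name that pesign reports for each installed vmlinuz, and comparing it against the CA the system is expected to boot from), written out as an added shell script that is not part of the post or of CentOS tooling. It assumes pesign(1) is installed, that the expected common name is the one quoted in the thread, and that the sample pesign output in the comments is constructed.

```shell
#!/bin/sh
# Added example: audit the Authenticode signer of every installed kernel so a
# kernel outside the enrolled Secure Boot chain is caught before the next
# reboot rather than at the grub "bad shim signature" prompt.
# Assumes pesign(1) is available. The expected CN is the one quoted in the
# thread; any other signer (e.g. "Red Hat Test Certificate") is a mismatch.

EXPECTED_CN="CentOS Secure Boot Signing 201"

# Extract the signer's common name from `pesign -S -i <image>` output on stdin.
# pesign prints a line of the form "The signer's common name is <CN>";
# nothing is printed when the image carries no signature.
signer_cn() {
    sed -n "s/^The signer's common name is //p" | head -n 1
}

# Return 0 if the pesign output on stdin names the expected signer, 1 otherwise.
# Usage: pesign -S -i /boot/vmlinuz-... | signer_matches "$EXPECTED_CN"
signer_matches() {
    expected="$1"
    actual="$(signer_cn)"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Walk /boot and report every kernel whose signer is not the expected CA.
# Returns non-zero if at least one image is unsigned or signed by someone else.
audit_boot_kernels() {
    rc=0
    for img in /boot/vmlinuz-*; do
        [ -f "$img" ] || continue
        out="$(pesign -S -i "$img" 2>/dev/null || true)"
        cn="$(printf '%s\n' "$out" | signer_cn)"
        if printf '%s\n' "$out" | signer_matches "$EXPECTED_CN"; then
            printf 'OK       %s  (%s)\n' "$img" "$cn"
        else
            printf 'MISMATCH %s  (%s)\n' "$img" "${cn:-no signature}"
            rc=1
        fi
    done
    return $rc
}

# Only touch /boot when explicitly asked, so the helpers can be sourced and
# exercised on captured pesign output without root or a real /boot.
if [ "${1:-}" = "--audit" ]; then
    audit_boot_kernels
fi
```

Run as `sh check-kernel-signer.sh --audit` on the affected host; a kernel reported as MISMATCH is the one grub will refuse under Secure Boot.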