Bug 1555391
Summary: | System not bootable after F27 → F28 upgrade until shim reinstall (Secure Boot system) | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | David Jaša <djasa> | ||||||
Component: | shim-signed | Assignee: | Peter Jones <pjones> | ||||||
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
Severity: | unspecified | Docs Contact: | |||||||
Priority: | unspecified | ||||||||
Version: | 28 | CC: | awilliam, bugzilla, dennis, djasa, fzatlouk, kevin, kparal, mjg59, pjones, robatino, samuel-rhbugs | ||||||
Target Milestone: | --- | ||||||||
Target Release: | --- | ||||||||
Hardware: | Unspecified | ||||||||
OS: | Unspecified | ||||||||
Whiteboard: | AcceptedBlocker | ||||||||
Fixed In Version: | shim-signed-13-4 | Doc Type: | If docs needed, set a value | ||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2018-03-20 04:41:39 UTC | Type: | Bug | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Bug Depends On: | |||||||||
Bug Blocks: | 1469204 | ||||||||
Attachments: |
|
Proposed as a Blocker for 28-beta by Fedora user djasa using the blocker tracking app because: This bug turns computer not bootable until non-obvious human intervention is performed. Yeah, I was able to reproduce the same issue. Upgraded system won't boot with Secure Boot enabled. Created attachment 1408817 [details]
Trying to boot after upgrading
pjones says the problem here is that 13-1 is wrong, we should have 13-0.7. 13-1 has been untagged before, but seems to keep getting re-tagged. Pulling in releng folks: what do we have to do to stop 13-1 getting tagged into f28? Why does it keep getting tagged? I think actually the best thing to do might be to test https://bodhi.fedoraproject.org/updates/FEDORA-2018-9877df9844 quickly and pull that in. per pjones, it's just the 13-0.7 bits with a higher release number. So if we verify that works, and push it stable, it should kill 13-1 for good. The error message in the screenshot is vile and difficult to parse. I'm not finding this message in //github.com/rhboot/shim code so I'm gonna guess it's the firmware itself displaying it? Can anyone confirm? Oops. Yes, that's a message from the firmware. I'm +1 blocker on this, per Basic criterion "All release-blocking images must boot in their supported configurations.", with footnote "For the x86_64 architecture, UEFI with Secure Boot configured in accordance with Microsoft's Windows certification requirements is considered a 'commonly found' firmware type." +1 blocker. +1 blocker. That's +3, setting accepted. shim-signed-13-4 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-9877df9844 shim-signed-13-4 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. Verified fixed with Fedora-28-20180320.n.0 compose. |
Created attachment 1408055 [details] journalctl output from upgrade Description of problem: After upgrade to F28, system was not bootable until shim reinstallation (Secure Boot system, with SB switched to installation mode in order to allow boot when SB requirements weren't fulfilled) Version-Release number of selected component (if applicable): Fedora release 28 (Twenty Eight) dnf-2.7.5-8.fc28.noarch shim-x64-13-1.x86_64 grub2-efi-x64-2.02-26.fc28.x86_64 How reproducible: not sure Steps to Reproduce: 1. have an up-to-date F27 system on computer with Secure Boot active 2. do a system upgrade through Gnome's Software to F28 3. Actual results: System can't boot until system administrator switches SB to installation mode and reinstalls shim (and possibly grub2-efi, I did both at once) Expected results: System resolves Secure Boot stuff without human intervention Additional info: