Bug 2030940
| Summary: | Booting with grub2-2.06-9.fc35 and UEFI Secure Boot enabled resulted in Error: Verification Failed: (0x1A) Security Violation | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matt Fagnani <matt.fagnani> |
| Component: | grub2 | Assignee: | Javier Martinez Canillas <fmartine> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 35 | CC: | accts, fmartine, ken, lkundrak, pgnet.dev, pjones, pmendezh, rharwood, sanjay.ankur, thomas |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | grub2-2.06-11.fc36 grub2-2.06-10.fc35 grub2-2.06-9.fc34 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-12-12 01:10:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Matt Fagnani
2021-12-10 02:46:55 UTC
I've been running a version of Fedora 35 and after todays upgrade I started getting the error Verification failed: (0x1A) Security Violation. Removed secure boot allowed the system to boot. I can confirm this bug too. Just upgraded and ran into it.
Increasing severity since this is going to break systems for lots of users. From the dnf transaction log:
Upgrade grub2-common-1:2.06-9.fc35.noarch @updates-testing
Upgraded grub2-common-1:2.06-8.fc35.noarch @@System
Upgrade grub2-efi-ia32-1:2.06-9.fc35.x86_64 @updates-testing
Upgraded grub2-efi-ia32-1:2.06-8.fc35.x86_64 @@System
Upgrade grub2-efi-ia32-cdboot-1:2.06-9.fc35.x86_64 @updates-testing
Upgraded grub2-efi-ia32-cdboot-1:2.06-8.fc35.x86_64 @@System
Upgrade grub2-efi-x64-1:2.06-9.fc35.x86_64 @updates-testing
Upgraded grub2-efi-x64-1:2.06-8.fc35.x86_64 @@System
Upgrade grub2-efi-x64-cdboot-1:2.06-9.fc35.x86_64 @updates-testing
Upgraded grub2-efi-x64-cdboot-1:2.06-8.fc35.x86_64 @@System
Upgrade grub2-pc-1:2.06-9.fc35.x86_64 @updates-testing
Upgraded grub2-pc-1:2.06-8.fc35.x86_64 @@System
Upgrade grub2-pc-modules-1:2.06-9.fc35.noarch @updates-testing
Upgraded grub2-pc-modules-1:2.06-8.fc35.noarch @@System
Upgrade grub2-tools-1:2.06-9.fc35.x86_64 @updates-testing
Upgraded grub2-tools-1:2.06-8.fc35.x86_64 @@System
Upgrade grub2-tools-efi-1:2.06-9.fc35.x86_64 @updates-testing
Upgraded grub2-tools-efi-1:2.06-8.fc35.x86_64 @@System
Upgrade grub2-tools-extra-1:2.06-9.fc35.x86_64 @updates-testing
Upgraded grub2-tools-extra-1:2.06-8.fc35.x86_64 @@System
Upgrade grub2-tools-minimal-1:2.06-9.fc35.x86_64 @updates-testing
Upgraded grub2-tools-minimal-1:2.06-8.fc35.x86_64 @@System
FEDORA-2021-8dbf0a81c0 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-8dbf0a81c0 FEDORA-2021-73d63662b0 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-73d63662b0 FEDORA-2021-8dbf0a81c0 has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-8dbf0a81c0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-8dbf0a81c0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-73d63662b0 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-73d63662b0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-73d63662b0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-8dbf0a81c0 has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report. Hi, I found this report and thought I might add that here, as it seems a closely related problem. Since the update I cannot boot into a single btrfs snapshot anymore. This is not fixable, not through a reinstall of all shim-* and/or grub2-* packages, not with recreating grub.cfg. All the snapshots are dead essentially with the same error "Unknown TPM error..." Only the active version can be booted, if you want to boot the active version after selecting a snapshot in grub, and getting the above unknown TPM error, also the active version cannot be booted anymore, resulting in the same error. After that only a system reset makes the active version bootable again. All snapshots stay dead anyways. Snapshot handling seems completely broken as also newly created snapshots cannot be booted into. The system has to be reinstalled as it seems. I read about similar issues already in the past on Fedora, they all had to do with updated packages of grub or shim. Are there any ideas regarding that? Because if the complete snapshot system is messed up everytime something happens with grub or shim I will have to switch away from Fedora for my production workstations. Thanks The exact error is error: ../../grub-core/commands/efi/tpm.c:148:Unknown TPM error The exact error is error: ../../grub-core/loader/i386/efi/linux.c:208:you need to load the kernel first So for some reason it seems to not find the kernel anymore This also happens with the working active version as said if you want to boot a snapshot before and you would have to completely reset the system. It worked with 2.06-8 (In reply to Tom Gugel from comment #8) > Hi, I found this report and thought I might add that here, as it seems a > closely related problem. > Since the update I cannot boot into a single btrfs snapshot anymore. > > This is not fixable, not through a reinstall of all shim-* and/or grub2-* > packages, not with recreating grub.cfg. > > All the snapshots are dead essentially with the same error "Unknown TPM > error..." > Only the active version can be booted, if you want to boot the active > version after selecting a snapshot in grub, and getting the above unknown > TPM error, also the active version cannot be booted anymore, resulting in > the same error. > > After that only a system reset makes the active version bootable again. All > snapshots stay dead anyways. > > Snapshot handling seems completely broken as also newly created snapshots > cannot be booted into. The system has to be reinstalled as it seems. > > I read about similar issues already in the past on Fedora, they all had to > do with updated packages of grub or shim. > > Are there any ideas regarding that? Because if the complete snapshot system > is messed up everytime something happens with grub or shim I will have to > switch away from Fedora for my production workstations. > > Thanks The grub2-2.06-10.fc35 update fixed the boot failure with Error: Verification Failed: (0x1A) Security Violation for me and others https://bodhi.fedoraproject.org/updates/FEDORA-2021-8dbf0a81c0 The problem occurred due to an issue with the update of the Fedora Secure Boot builders according to https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/BGL4W2RLKKSLTGD4GRXIIV4Q6RLHLN24/ Your problem looks like it might be different from this one as it involves btrfs snapshots. I don't use any btrfs partitions. My / and /boot are ext4. If your problem still happens with grub2-2.06-10.fc35, I'd suggest that you report your problem as a new bug against grub2. Thanks for you reply. This is the thing, it has nothing to do with the grub2 version per se, it has something to do with what happens a new version of grub2 installed, as it already happened in the past. That is, if you reinstall the whole system it works without any flaws, also with 2.06-10, as it did with 2.06-8. Until you install/update the fedora grub-* packages to the next version. It is unfixable broken then. There must be something happening on Fedora when doing this, maybe it has also to do with the specific MB/CPU combination (AMD Firmware TPM, TR3960X) and what is done on Fedora specifically. As this renders the whole concept of snapshots unusable and a system reinstall because of a package upgrade is unbearable I hope it is found out what causes this. It not only affects me. I will file a new bug. Thanks This is now described in https://bugzilla.redhat.com/show_bug.cgi?id=2031640 FEDORA-2021-73d63662b0 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report. |