Bug 2138077

Summary: [CentOS Stream 9 VM on Fedora 36 host via QEMU/KVM]: efi/sb.c: 183: bad shim signature
Product: Red Hat Enterprise Linux 9
Reporter: Andrew L. Moore <slewsys>
Component: kernel
Assignee: Lenny Szubowicz <lszubowi>
kernel sub component: UEFI
QA Contact: Oliver Gutiérrez <ogutierr>
Status: CLOSED DUPLICATE
Severity: urgent
Priority: unspecified
CC: bstinson, jwboyer
Version: CentOS Stream
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-11-01 14:38:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Andrew L. Moore 2022-10-27 06:19:52 UTC
Description of problem:
Upgrade of a CentOS Stream 9 VM to kernel versions greater than 5.14.0-165.el9.x86_64 fails to boot due to "bad shim signature".

Version-Release number of selected component (if applicable):
CentOS Stream 9 kernel versions 5.14.0-171.el9 and 5.14.0-176.el9

How reproducible:
Upgrade a CentOS Stream 9 VM from kernel version 5.14.0-165.el9.x86_64, then reboot.

Steps to Reproduce:
1. Install CentOS Stream 9 UEFI virtual machine on current Fedora 36 host with virtual machine manager
2. Upgrade CentOS Stream 9 VM 
3. Reboot

Actual results:
error: ../../grub-core/kernel/efi/sb.c:183:bad shim signature
error: ../../grub-core/loader/i386/efi/linux.c:259:you need to load the kernel first.

Expected results:
Boot

Additional info:
After manually booting a previous kernel (5.14.0-165.el9 in my case), the problematic kernel(s) can be removed, e.g., with:
$ sudo dnf remove -y kernel{,-core,-modules}-5.14.0-176.el9

The issue of a bad shim signature was previously reported for a version of Rawhide (Bug 1996867), but no resolution is indicated. If this issue can be resolved by the user (i.e., me), hopefully that can be explained here?

Comment 1 Andrew L. Moore 2022-10-27 07:05:45 UTC
With the latest CentOS Stream 9 x86_64 ISO, installing to a VM (Q35 chipset, UEFI and emulated TPM CRB/2.0) produces the same error:

error: ../../grub-core/kernel/efi/sb.c:183:bad shim signature
error: ../../grub-core/loader/i386/efi/linux.c:259:you need to load the kernel first.


Changing the KVM firmware from UEFI x86_64: /usr/share/edk2/ovmf/OVMF_CODE.secboot.fd to UEFI x86_64: /usr/share/edk2/ovmf/OVMF_CODE.fd allows the install to proceed. So perhaps the issue is with the emulated TPM 2.0 hardware? The Fedora host is running on an HP Z820 with TPM 1.2...

Comment 2 Lenny Szubowicz 2022-11-01 14:19:24 UTC
grub has failed to authenticate the CentOS Stream 9 kernel you are attempting to boot. That is, the kernel is not signed by a key that is trusted by your system (in your case, a virtual machine), but you would get exactly the same error on a bare-metal system.

[root@rhel9-vm02 ~]# cat /etc/centos-release 
CentOS Stream release 9
[root@rhel9-vm02 ~]# pesign -S -v -i /boot/vmlinuz-5.14.0-174.el9.x86_64 
---------------------------------------------
certificate address is 0x7f586f96c9c8
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
Signing time: Fri Oct 07, 2022
There were certs or crls included.
[root@rhel9-vm02 ~]# 

I agree that the error message from grub is not very specific. Note that grub is using a facility provided by shim to do the signature validation.

If you enroll the Red Hat Test public key as a trusted key into the Machine Owner Key (MOK) list via mokutil, you will be able to authenticate kernels signed by the Red Hat test key. Note that this is not secure any more since anyone can get the Red Hat test private key and sign kernels with it.

I don't have the CentOS Stream 9 kernel 5.14.0-165.el9.x86_64 at hand to check its signatures. But I suspect that this was an intentional change.

I will leave this BZ open until I verify this.

-Lenny.
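The check Lenny describes, as an added example that is not part of the bug report and not code from shim, grub, pesign or mokutil: a shell script that reads the signer common name out of `pesign -S -v -i` output (the format shown in Comment 2) and compares it with the Subject CNs of the certificates shim will accept, i.e. the firmware db (`mokutil --db`) plus the Machine Owner Key list (`mokutil --list-enrolled`). A kernel whose signer is in neither list is exactly what shim rejects and grub reports as "bad shim signature". The function names (`signer_cns`, `trusted_cns`, `kernel_verdict`, `is_test_cert`), the "Example Owner CA" certificate and both mokutil listings are constructed for the example; the assumption that mokutil prints OpenSSL-style `Subject:` lines and that a CN containing "Test Certificate" is a public test key are the script's own, not the page's.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): classify a kernel image's Authenticode
# signer against the keys the machine owner has enrolled. This mirrors the
# decision shim makes on grub's behalf before "bad shim signature" is printed.
#
# Assumptions: `pesign -S -v -i <image>` prints "The signer's common name is <CN>"
# (as in Comment 2) and `mokutil --list-enrolled` / `mokutil --db` print
# OpenSSL-style certificate text with "Subject:" lines. All sample data below
# is constructed for this example.

# Signer CN(s) from pesign output on stdin, one per line.
signer_cns() {
    sed -n "s/^The signer's common name is //p"
}

# Subject CNs from mokutil output on stdin. Takes the last "CN=" of each
# Subject line, which is sufficient for the DNs shim vendors use.
trusted_cns() {
    sed -n 's|^[[:space:]]*Subject:.*[ ,/]CN[[:space:]]*=[[:space:]]*\([^,/]*\).*|\1|p' \
        | sed 's/[[:space:]]*$//'
}

# Heuristic (assumption): CI/test certificates whose private key is public.
# A match here lets the kernel boot but gives no security (Comment 2's caveat).
is_test_cert() {
    case "$1" in *"Test Certificate"*) return 0 ;; *) return 1 ;; esac
}

# Verdict for one kernel: $1 = pesign output, $2 = trusted CNs, one per line.
kernel_verdict() {
    signer=$(printf '%s\n' "$1" | signer_cns)
    if [ -z "$signer" ]; then
        echo "unsigned: no Authenticode signature, shim will reject it"
        return 0
    fi
    # grep -F treats each line of $signer as a separate fixed-string pattern.
    match=$(printf '%s\n' "$2" | grep -xF -- "$signer" | head -n 1)
    if [ -z "$match" ]; then
        echo "untrusted: $signer"
    elif is_test_cert "$match"; then
        echo "trusted-via-test-key: $match"
    else
        echo "trusted: $match"
    fi
}

# --- constructed sample data --------------------------------------------------
# pesign output for a kernel signed with the test key (shape of Comment 2).
sample_pesign_testkey() {
cat <<'EOF'
---------------------------------------------
certificate address is 0x7f586f96c9c8
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
Signing time: Fri Oct 07, 2022
There were certs or crls included.
EOF
}

# MOK list holding only a constructed owner CA: the test-signed kernel fails.
sample_mok_owner_only() {
cat <<'EOF'
[key 1]
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=Example Owner CA, O=Example
        Subject: CN=Example Owner CA, O=Example
EOF
}

# The same list after `mokutil --import` of the test certificate: it now boots.
sample_mok_with_testkey() {
    sample_mok_owner_only
cat <<'EOF'
[key 2]
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=Red Hat Test Certificate
EOF
}

# Stand-alone demo. On a real host replace the samples with
#   pesign -S -v -i /boot/vmlinuz-$(uname -r)
#   { mokutil --db; mokutil --list-enrolled; } | trusted_cns
kernel_verdict "$(sample_pesign_testkey)" "$(sample_mok_owner_only | trusted_cns)"
kernel_verdict "$(sample_pesign_testkey)" "$(sample_mok_with_testkey | trusted_cns)"
```

The first call prints `untrusted: Red Hat Test Certificate`, which is the state of the reporter's VM; the second prints `trusted-via-test-key: ...`, the state after enrolling the test certificate with mokutil, and the prefix is there precisely because a kernel accepted only through a test key should not be mistaken for a securely booted one. Run `mokutil --sb-state` first: with Secure Boot disabled (the non-secboot OVMF image in Comment 1) shim skips this check entirely, which is why that firmware swap "fixes" the install.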

Comment 3 Brian Stinson 2022-11-01 14:38:59 UTC

*** This bug has been marked as a duplicate of bug 2138019 ***