Bug 2215704

Summary: GRUB is not compatible with DBX v371.
Product: [Fedora] Fedora Reporter: Egor Gavrilov <gavrilovegor519-2>
Component: grub2Assignee: Bootloader engineering team <bootloader-eng-team>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 38CC: fmartine, lkundrak, mail, mlewando, nfrayer, pgnet.dev, pjones, raravind, rharwood
Target Milestone: ---Keywords: Desktop, Regression, Upgrades
Target Release: ---   
Hardware: x86_64   
OS: Linux   
URL: https://discussion.fedoraproject.org/t/grub-is-output-error-of-tpm-c-module-after-371-dbx-update/84407
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-06-18 06:52:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Egor Gavrilov 2023-06-17 16:12:46 UTC 
I have a error after update DBX database with fwupd. I get an error.

More info I send to Fedora Discussion: https://discussion.fedoraproject.org/t/grub-is-output-error-of-tpm-c-module-after-371-dbx-update/84407

Reproducible: Always

Steps to Reproduce:
1. Update a DBX database from GNOME Software (fwupd).
2. Restart system.
Actual Results:  
I get this error.

Expected Results:  
Booting without errors.
Comment 1 Egor Gavrilov 2023-06-18 06:52:15 UTC 
As it turned out, my UEFI NVRAM was full of a huge number of boot entries. I cleared these entries via efibootmgr and the issue was resolved.
Comment 2 Frank Ansari 2024-02-24 10:04:58 UTC 
I had the same issue today when fwupd updated my dbx from 217 to 317.

In my boot list are only 4 entries so this is not the issue in my case.

I use Fedora 39 Silverblue.

Also I have copied usr/lib/ostree-boot/efi/EFI/fedora/grubx64.efi to /boot/efi/EFI/fedora to make sure I have the latest efi binary.

In my case after the update the boot menu was empty and my PC did not boot.

I could then disable the TPM chip in my BIOS or apply this 02_tpm script given in the mentioned article. In this case I was able to boot my PC again with enabled TPM chip. There are again a bunch of tpm.c error messages while booting but the system but as it seems after booting the PC the TPM chip is still usable.
Comment 3 Egor Gavrilov 2024-02-24 10:23:32 UTC 
>I had the same issue today when fwupd updated my dbx from 217 to 317.

You cleaned boot entries in NVRAM from efibootmgr? I wrote about this in bug closing message.
Comment 4 Frank Ansari 2024-02-24 10:30:05 UTC 
No because there are only 4 entries there. Why should I delete them?
Comment 5 Frank Ansari 2024-02-24 10:56:03 UTC 
Now I have deleted all four boot entries with efibootmgr and recreated just one.

The issue is the same. I cannot start my PC with enabled TPM chip when I don't have this 02_tpm script.
Comment 6 Frank Ansari 2024-02-24 12:48:34 UTC 
I have also done a "moktutil --reset". With this I was able to delete all of the 85 entries except for one Fedora key which is already expired.

[key 1]
SHA1 Fingerprint: 7e:68:65:1d:52:68:5f:7b:f5:8e:a0:1d:78:4d:2f:90:d3:f4:0f:0a
Certificate:    
  Data:        
  Version: 3 (0x2)        
  Serial Number: 2574709492 (0x9976f2f4)        
  Signature Algorithm: sha256WithRSAEncryption        
  Issuer: CN=Fedora Secure Boot CA        
  Validity            
    Not Before: Dec  7 16:25:54 2012 GMT
    Not After : Dec  5 16:25:54 2022 GMT
  Subject: CN=Fedora Secure Boot CA
Comment 7 Frank Ansari 2024-02-24 12:50:07 UTC 
But also after the "mokutil --reset" the behaviour is the smae.
Comment 8 Egor Gavrilov 2024-02-24 13:11:20 UTC 
Frank, I'm replied about this at Fedora Discussion theme.
Comment 9 Egor Gavrilov 2024-02-24 13:12:56 UTC 
>CN=Fedora Secure Boot CA

This is normal behavior. This is not MOK key. This is Shim embedded key which stored in Shim EFI binary file.