Bug 2361002

Summary: Upgrade (and new installations) to F42 force-disables Secure Boot compatibility in mokutil on Secure Boot enabled systems - claiming that "the system doesn't support Secure Boot" (anymore)
Product: [Fedora] Fedora
Reporter: CodeBreaker <faucet.sultry745>
Component: mokutil
Assignee: Peter Jones <pjones>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 42
CC: nfrayer, pjones
Target Milestone: ---
Keywords: Security, Upgrades
Target Release: ---
Hardware: x86_64
OS: Linux
Last Closed: 2025-04-21 12:14:29 UTC Type: ---

Description CodeBreaker 2025-04-18 16:03:20 UTC
Version-Release number of selected component: mokutil.x86_64 2:0.7.1-5.fc42 <unknown>

Description of problem:

If you install Fedora 42 or upgrade from a previous version of Fedora (e.g. 41) to 42, mokutil disables the entire Secure Boot compatibility and claims that the system doesn't support Secure Boot anymore. This happens even if the affected system supports Secure Boot completely and worked before in F41 as expected.

Reproducible: Always

Steps to Reproduce:

1. Install Fedora 42 (any version / spin) directly OR install Fedora 41 on a system with Secure Boot enabled.

If you install F41 first to upgrade to F42:
2a. On F41: open terminal and check Secure Boot state with "mokutil --sb-state"
3a. mokutil says that Secure Boot is enabled.
4a. Upgrade to F42 and repeat step 2a.
5a. mokutil claims that the system doesn't support Secure Boot now and disabled it entirely (also visible in the hardware security section inside of gnome-control-center).

If you install F42 directly:
2b. Open terminal and check Secure Boot state with "mokutil --sb-state"
3b. mokutil claims that the system doesn't support Secure Boot and disabled it entirely.

Actual Results:
mokutil prevents the usage of Secure Boot on Secure Boot enabled systems. This also prevents the import of your own certificates for kernel modules (e.g. NVIDIA drivers).

Expected Results:
mokutil recognizes the Secure Boot state correctly and keeps it enabled like on F41 before (or directly in F42 on new installations).

Comment 1 CodeBreaker 2025-04-21 12:14:29 UTC
I found the solution: My mokutil / MokList was broken and I had to reset it with 'mokutil --reset'. Now it works again as expected. Closing issue with that.
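
Added example, not part of the original report or of mokutil: a shell check that reads the firmware's `SecureBoot` and `SetupMode` variables straight from efivarfs, so the answer from `mokutil --sb-state` in steps 2a/2b can be compared with what the firmware itself exposes. It assumes efivarfs is mounted at `/sys/firmware/efi/efivars`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: query Secure Boot state from efivarfs, independent of mokutil.
# Function names are illustrative; the default mount point is an assumption.

# GUID of the UEFI global variable namespace (SecureBoot, SetupMode, ...).
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte DIR NAME: print the first data byte of a variable as decimal.
# An efivarfs file is a 4-byte attribute word followed by the variable data.
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# sb_state [DIR]: print enabled, disabled, setup-mode or unsupported.
sb_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    # No efivarfs directory: legacy BIOS boot, or efivarfs is not mounted.
    [ -d "$dir" ] || { echo "unsupported"; return 0; }
    # No SecureBoot variable: the firmware does not implement Secure Boot.
    sb=$(efivar_byte "$dir" SecureBoot) || { echo "unsupported"; return 0; }
    setup=$(efivar_byte "$dir" SetupMode) || setup=0
    if [ "$setup" = 1 ]; then
        echo "setup-mode"      # no Platform Key enrolled, nothing is enforced
    elif [ "$sb" = 1 ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# sb_crosscheck: show the firmware view next to mokutil's answer.
sb_crosscheck() {
    echo "firmware: $(sb_state)"
    echo "mokutil:  $(mokutil --sb-state 2>&1)"
}
```

Run `sb_crosscheck` on the affected machine; if the two lines disagree, the firmware variables are intact and the problem is on the mokutil side.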