Bug 1555391 - System not bootable after F27 → F28 upgrade until shim reinstall (Secure Boot system)
Alias: None
Product: Fedora
Classification: Fedora
Component: shim-signed
Version: 28
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
Whiteboard: AcceptedBlocker
Depends On:
Blocks: F28BetaBlocker
Reported: 2018-03-14 15:21 UTC by David Jaša
Modified: 2018-03-21 10:23 UTC

Fixed In Version: shim-signed-13-4
Last Closed: 2018-03-20 04:41:39 UTC
Type: Bug

Attachments
journalctl output from upgrade (1.14 MB, text/plain)
2018-03-14 15:21 UTC, David Jaša
Trying to boot after upgrading (3.55 MB, image/jpeg)
2018-03-16 14:33 UTC, František Zatloukal

Description David Jaša 2018-03-14 15:21:59 UTC
Created attachment 1408055
journalctl output from upgrade

Description of problem:
After upgrade to F28, system was not bootable until shim reinstallation (Secure Boot system, with SB switched to installation mode in order to allow boot when SB requirements weren't fulfilled)

Version-Release number of selected component (if applicable):
Fedora release 28 (Twenty Eight)

How reproducible:
not sure

Steps to Reproduce:
1. have an up-to-date F27 system on computer with Secure Boot active
2. do a system upgrade through Gnome's Software to F28

Actual results:
System can't boot until system administrator switches SB to installation mode and reinstalls shim (and possibly grub2-efi, I did both at once)

Expected results:
System resolves Secure Boot stuff without human intervention

Additional info:

Comment 1 Fedora Blocker Bugs Application 2018-03-14 15:26:44 UTC
Proposed as a Blocker for 28-beta by Fedora user djasa using the blocker tracking app because:

 This bug turns computer not bootable until non-obvious human intervention is performed.

Comment 2 František Zatloukal 2018-03-16 14:31:57 UTC
Yeah, I was able to reproduce the same issue. Upgraded system won't boot with Secure Boot enabled.

Comment 3 František Zatloukal 2018-03-16 14:33:01 UTC
Created attachment 1408817
Trying to boot after upgrading

Comment 4 Adam Williamson 2018-03-16 17:54:38 UTC
pjones says the problem here is that 13-1 is wrong, we should have 13-0.7. 13-1 has been untagged before, but seems to keep getting re-tagged.

Pulling in releng folks: what do we have to do to stop 13-1 getting tagged into f28? Why does it keep getting tagged?

Comment 5 Adam Williamson 2018-03-16 17:57:53 UTC
I think actually the best thing to do might be to test https://bodhi.fedoraproject.org/updates/FEDORA-2018-9877df9844 quickly and pull that in. Per pjones, it's just the 13-0.7 bits with a higher release number. So if we verify that works, and push it stable, it should kill 13-1 for good.
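
The release-number ordering behind the fix proposed in comment 5, as an added example that is not part of the original thread and not rpm's own code: a simplified version of RPM's segment-wise comparison (no epoch, `~` or `^` handling) applied to the three version-release strings named in this bug. The function names are hypothetical.

```python
import re
from functools import cmp_to_key


def _segments(s):
    # RPM compares runs of digits or letters and ignores separators like '.'
    return re.findall(r"\d+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: return -1, 0 or 1 for a < b, a == b, a > b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            x, y = int(x), int(y)          # numeric segments compare as integers
        elif xd != yd:
            return 1 if xd else -1         # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(a, b):
    """Compare 'version-release' strings such as '13-0.7' and '13-1'."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def preferred(builds):
    """Return the build that sorts as newest among the candidates."""
    return max(builds, key=cmp_to_key(compare_vr))


if __name__ == "__main__":
    # Version-release strings taken from this bug report
    print(preferred(["13-0.7", "13-1"]))          # 13-1 outranks the 13-0.7 build
    print(preferred(["13-0.7", "13-1", "13-4"]))  # 13-4 outranks both
```

Because 13-4 sorts above 13-1, a system that already has 13-1 installed picks up the 13-4 build as an ordinary update.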

Comment 6 Chris Murphy 2018-03-16 18:00:17 UTC
The error message in the screenshot is vile and difficult to parse. I'm not finding this message in https://github.com/rhboot/shim code so I'm gonna guess it's the firmware itself displaying it? Can anyone confirm?

Comment 7 Chris Murphy 2018-03-16 18:01:34 UTC

Comment 8 Samuel Sieb 2018-03-16 18:58:21 UTC
Yes, that's a message from the firmware.

Comment 9 Adam Williamson 2018-03-16 22:54:47 UTC
I'm +1 blocker on this, per Basic criterion "All release-blocking images must boot in their supported configurations.", with footnote "For the x86_64 architecture, UEFI with Secure Boot configured in accordance with Microsoft's Windows certification requirements is considered a 'commonly found' firmware type."

Comment 10 Patrick Uiterwijk 2018-03-16 22:59:25 UTC
+1 blocker.

Comment 11 Kevin Fenzi 2018-03-16 23:47:38 UTC
+1 blocker.

Comment 12 Adam Williamson 2018-03-16 23:52:58 UTC
That's +3, setting accepted.

Comment 13 Fedora Update System 2018-03-16 23:53:29 UTC
shim-signed-13-4 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-9877df9844

Comment 14 Fedora Update System 2018-03-20 04:41:39 UTC
shim-signed-13-4 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Kamil Páral 2018-03-21 10:23:57 UTC
Verified fixed with Fedora-28-20180320.n.0 compose.
