Created attachment 1408055 [details] journalctl output from upgrade Description of problem: After upgrade to F28, system was not bootable until shim reinstallation (Secure Boot system, with SB switched to installation mode in order to allow boot when SB requirements weren't fulfilled) Version-Release number of selected component (if applicable): Fedora release 28 (Twenty Eight) dnf-2.7.5-8.fc28.noarch shim-x64-13-1.x86_64 grub2-efi-x64-2.02-26.fc28.x86_64 How reproducible: not sure Steps to Reproduce: 1. have an up-to-date F27 system on computer with Secure Boot active 2. do a system upgrade through Gnome's Software to F28 3. Actual results: System can't boot until system administrator switches SB to installation mode and reinstalls shim (and possibly grub2-efi, I did both at once) Expected results: System resolves Secure Boot stuff without human intervention Additional info:
Proposed as a Blocker for 28-beta by Fedora user djasa using the blocker tracking app because: This bug turns computer not bootable until non-obvious human intervention is performed.
Yeah, I was able to reproduce the same issue. Upgraded system won't boot with Secure Boot enabled.
Created attachment 1408817 [details] Trying to boot after upgrading
pjones says the problem here is that 13-1 is wrong, we should have 13-0.7. 13-1 has been untagged before, but seems to keep getting re-tagged. Pulling in releng folks: what do we have to do to stop 13-1 getting tagged into f28? Why does it keep getting tagged?
I think actually the best thing to do might be to test https://bodhi.fedoraproject.org/updates/FEDORA-2018-9877df9844 quickly and pull that in. per pjones, it's just the 13-0.7 bits with a higher release number. So if we verify that works, and push it stable, it should kill 13-1 for good.
The error message in the screenshot is vile and difficult to parse. I'm not finding this message in //github.com/rhboot/shim code so I'm gonna guess it's the firmware itself displaying it? Can anyone confirm?
Oops.
Yes, that's a message from the firmware.
I'm +1 blocker on this, per Basic criterion "All release-blocking images must boot in their supported configurations.", with footnote "For the x86_64 architecture, UEFI with Secure Boot configured in accordance with Microsoft's Windows certification requirements is considered a 'commonly found' firmware type."
+1 blocker.
That's +3, setting accepted.
shim-signed-13-4 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-9877df9844
shim-signed-13-4 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Verified fixed with Fedora-28-20180320.n.0 compose.