Bug 1997886 - new kernel-5.14.0-0.rc7.54.fc36 breaks secure boot
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Reported: 2021-08-26 01:30 UTC by Dusty Mabe
Modified: 2021-08-26 13:23 UTC

Last Closed: 2021-08-26 01:54:30 UTC
Type: Bug

Description Dusty Mabe 2021-08-26 01:30:19 UTC
1. Please describe the problem:

Fedora CoreOS CI started failing when testing secure boot. Looking at the console logs we see:

```
/kern/efi/sb.c:150:bad shim signature.
^Merror: ../../grub-core/kern/efi/sb.c:150:bad shim signature.
^Merror: ../../grub-core/loader/i386/efi/linux.c:208:you need to load the kernel
^Mfirst.
^Merror: ../../grub-core/loader/i386/efi/linux.c:208:you need to load the kernel
```

More context in https://github.com/coreos/fedora-coreos-tracker/issues/937

2. What is the Version-Release number of the kernel:

kernel-5.14.0-0.rc7.54.fc36


3. Did it work previously in Fedora? If so, what kernel version did the issue
   *first* appear?  Old kernels are available for download at
   https://koji.fedoraproject.org/koji/packageinfo?packageID=8 :

This behavior was introduced in the transition:

kernel 5.14.0-0.rc6.20210820gitd992fe5318d8.50.fc36 -> 5.14.0-0.rc7.54.fc36


4. Can you reproduce this issue? If so, please provide the steps to reproduce
   the issue below:

Yes. It is easily reproduced in Fedora CoreOS CI running kola tests. If not easily reproduced elsewhere, I can try to come up with a reproducer independent of Fedora CoreOS CI.


5. Does this problem occur with the latest Rawhide kernel? To install the
   Rawhide kernel, run ``sudo dnf install fedora-repos-rawhide`` followed by
   ``sudo dnf update --enablerepo=rawhide kernel``:

Yes. 


6. Are you running any modules that are not shipped directly with Fedora's kernel?:

No

7. Please attach the kernel logs. You can get the complete kernel log
   for a boot with ``journalctl --no-hostname -k > dmesg.txt``. If the
   issue occurred on a previous boot, use the journalctl ``-b`` flag.

Boot gets stopped early because the signature checking doesn't work.

Comment 1 Dusty Mabe 2021-08-26 01:31:10 UTC
This is likely related to the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1994849

Please forgive me if this is intended behavior and something needs to be done on our end or if I'm somehow doing something wrong.

