1. Please describe the problem: Fedora CoreOS CI started failing when testing secure boot. Looking at the console logs we see: ``` /kern/efi/sb.c:150:bad shim signature. ^Merror: ../../grub-core/kern/efi/sb.c:150:bad shim signature. ^Merror: ../../grub-core/loader/i386/efi/linux.c:208:you need to load the kernel ^Mfirst. ^Merror: ../../grub-core/loader/i386/efi/linux.c:208:you need to load the kernel ``` More context in https://github.com/coreos/fedora-coreos-tracker/issues/937 2. What is the Version-Release number of the kernel: kernel-5.14.0-0.rc7.54.fc36 3. Did it work previously in Fedora? If so, what kernel version did the issue *first* appear? Old kernels are available for download at https://koji.fedoraproject.org/koji/packageinfo?packageID=8 : This behavior was introduced in the transition: kernel 5.14.0-0.rc6.20210820gitd992fe5318d8.50.fc36 -> 5.14.0-0.rc7.54.fc36 4. Can you reproduce this issue? If so, please provide the steps to reproduce the issue below: Yes. It is easily reproduced in Fedora CoreOS CI running kola tests. If not easily reproduced elsewhere I can try to come up with a reproducer independent of Fedora CoreOS CI. 5. Does this problem occur with the latest Rawhide kernel? To install the Rawhide kernel, run ``sudo dnf install fedora-repos-rawhide`` followed by ``sudo dnf update --enablerepo=rawhide kernel``: Yes. 6. Are you running any modules that not shipped with directly Fedora's kernel?: No 7. Please attach the kernel logs. You can get the complete kernel log for a boot with ``journalctl --no-hostname -k > dmesg.txt``. If the issue occurred on a previous boot, use the journalctl ``-b`` flag. Boot gets stopped early because the signature checking doesn't work.
This is likely related to the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1994849 Please forgive me if this is intended behavior and something needs to be done on our end or if I'm somehow doing something wrong.