2070997 – Kernel 5.14.0-76.el9.x86_64 and 5.14.0-75.el9.x86_64 won't boot

Bug 2070997 - Kernel 5.14.0-76.el9.x86_64 and 5.14.0-75.el9.x86_64 won't boot

Summary: Kernel 5.14.0-76.el9.x86_64 and 5.14.0-75.el9.x86_64 won't boot

Keywords:
Status:	CLOSED DUPLICATE of bug 2070940
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	CentOS Stream
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	core-kernel-bot
QA Contact:	Red Hat Kernel QE team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-04-01 14:23 UTC by Adam Miller
Modified:	2023-08-08 03:35 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-04-01 19:19:54 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-117647	0	None	None	None	2022-04-01 14:25:02 UTC

Description Adam Miller 2022-04-01 14:23:07 UTC

Description of problem:

Can't boot, get following menu to screen when attempting to:

error: ../../grub-core/kern/efi/sb.c:150:bad shim signature.
error: ..../grub-core/loader/i386/efi/linux.c:208:you need to load the kernel first.
Press any key to continue..

Version-Release number of selected component (if applicable):
5.14.0-76.el9.x86_64 and 5.14.0-75.el9.x86_64 

How reproducible:
Always


Steps to Reproduce:
1. dnf update
2. reboot
3.

Actual results:
https://photos.app.goo.gl/zSYfBTwxgCiwBf9GA


Expected results:
A booting system

Additional info:
The last working kernel is kernel-5.14.0-71.el9.x86_64

Comment 1 Brian Stinson 2022-04-01 17:20:29 UTC

@rharwood It looks like kernel -71 -72 -73 and -74 are signed properly in CentOS Stream, but after that the kernels are signed with the Test cert:

• pesign -l --in=vmlinuz                                      
---------------------------------------------
certificate address is 0x7f1b2bff3808
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
Signing time: Wed Mar 30, 2022
There were certs or crls included.
---------------------------------------------


Did this update to pesign cause any changes here? https://kojihub.stream.rdu2.redhat.com/koji/buildinfo?buildID=17784


Kernel -74 (signed properly): https://kojihub.stream.rdu2.redhat.com/koji/buildinfo?buildID=17731
Kernel -75 (signed with the test cert): https://kojihub.stream.rdu2.redhat.com/koji/buildinfo?buildID=17791

Comment 2 Robbie Harwood 2022-04-01 19:19:54 UTC


*** This bug has been marked as a duplicate of bug 2070940 ***

Note You need to log in before you can comment on or make changes to this bug.