Bug 2138077 - [CentOS Stream 9 VM on Fedora 36 host via QEMU/KVM]: efi/sb.c: 183: bad shim signature
Keywords:
Status: CLOSED DUPLICATE of bug 2138019
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: kernel
Version: CentOS Stream
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Lenny Szubowicz
QA Contact: Oliver Gutiérrez
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-10-27 06:19 UTC by Andrew L. Moore
Modified: 2022-11-01 14:39 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-01 14:38:59 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links:
Red Hat Issue Tracker RHELPLAN-137706 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2022-10-27 06:44:23 UTC)

Description Andrew L. Moore 2022-10-27 06:19:52 UTC
Description of problem:
Upgrade of a CentOS Stream 9 VM to kernel versions greater than 5.14.0-165.el9.x86_64 fails to boot due to "bad shim signature".

Version-Release number of selected component (if applicable):
CentOS Stream 9 kernel versions 5.14.0-171.el9 and 5.14.0-176.el9

How reproducible:
Upgrade CentOS Stream 9 VM from kernel version 5.14.0-165.el9.x86_64 then reboot.

Steps to Reproduce:
1. Install CentOS Stream 9 UEFI virtual machine on current Fedora 36 host with virtual machine manager
2. Upgrade CentOS Stream 9 VM 
3. Reboot

Actual results:
error: ../../grub-core/kernel/efi/sb.c:183:bad shim signature
error: ../../grub-core/loader/i386/efi/linux.c:259:you need to load the kernel first.

Expected results:
Boot

Additional info:
After manually booting a previous kernel (5.14.0-165.el9 in my case), the problematic kernel(s) can be removed, e.g., with:
$ sudo dnf remove -y kernel{,-core,-modules}-5.14.0-176.el9

The issue of a bad shim signature was previously reported for a version of Rawhide (Bug 1996867), but no resolution is indicated. If this issue can be resolved by the user (i.e., me), hopefully that can be explained here?

Comment 1 Andrew L. Moore 2022-10-27 07:05:45 UTC
With the latest CentOS Stream 9 x86_64 ISO, installing to a VM (Q35 chipset, UEFI and emulated TPM CRB/2.0) produces the same error:

error: ../../grub-core/kernel/efi/sb.c:183:bad shim signature
error: ../../grub-core/loader/i386/efi/linux.c:259:you need to load the kernel first.


Changing the KVM firmware from UEFI x86_64: /usr/share/edk2/ovmf/OVMF_CODE.secboot.fd => UEFI x86_64: /usr/share/edk2/ovmf/OVMF_CODE.fd allows the install to proceed. So perhaps the issue is with the emulated TPM 2.0 hardware? The Fedora host is running on an HP Z820 with TPM 1.2...

Comment 2 Lenny Szubowicz 2022-11-01 14:19:24 UTC
grub has failed to authenticate the CentOS Stream 9 kernel you are attempting to boot. That is, the kernel is not signed by a key that is trusted by your system (in your case, a virtual machine), but you would get exactly the same error on a bare metal system.

[root@rhel9-vm02 ~]# cat /etc/centos-release 
CentOS Stream release 9
[root@rhel9-vm02 ~]# pesign -S -v -i /boot/vmlinuz-5.14.0-174.el9.x86_64 
---------------------------------------------
certificate address is 0x7f586f96c9c8
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
Signing time: Fri Oct 07, 2022
There were certs or crls included.
[root@rhel9-vm02 ~]# 

I agree that the error message from grub is not very specific. Note that grub is using a facility provided by shim to do the signature validation.

If you enroll the Red Hat Test public key as a trusted key into the Machine Owner Key (MOK) list via mokutil, you will be able to authenticate kernels signed by the Red Hat test key. Note that this is not secure any more since anyone can get the Red Hat test private key and sign kernels with it.

I don't have the CentOS Stream 9 kernel 5.14.0-165.el9.x86_64 at hand to check its signatures. But I suspect that this was an intentional change.

I will leave this BZ open until I verify this.

                      -Lenny.
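The check Lenny performs by hand in Comment 2 (read the signer's common name out of `pesign -S -v` and decide whether shim will trust it) can be run over every installed kernel before rebooting, so a kernel signed with an untrusted key is caught while the old kernel is still bootable, instead of by switching the VM to the non-Secure-Boot OVMF_CODE.fd firmware as in Comment 1. The script below is an added example, not code from this bug report or from Red Hat. It assumes `pesign` and `mokutil` are installed, that the operator supplies the comma-separated allow-list of signer common names in `TRUSTED_SIGNERS` (copied from the `pesign` output of a kernel that is known to boot under Secure Boot on that machine), and the `--check` flag and script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): pre-reboot check that every
# /boot/vmlinuz-* is signed by a signer shim is expected to trust.
# Assumptions: pesign and mokutil present; allow-list supplied by the operator.

# Print the signer common name(s) found in `pesign -S -v` output read on stdin.
# The line format matches the pesign output quoted in Comment 2.
signer_cn() {
    sed -n "s/^The signer's common name is //p"
}

# $1 = a common name, $2 = comma-separated allow-list. Exit 0 if listed.
# Names may contain spaces, so match on delimited substrings rather than words.
signer_trusted() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Read pesign output on stdin, print one verdict per signer.
# Exit 0 = every signer trusted, 1 = at least one untrusted, 2 = no signer at all
# (an unsigned image, or pesign failed to run and produced no output).
classify_signature() {
    allow="$1"
    cns=$(signer_cn)
    if [ -z "$cns" ]; then
        echo "UNSIGNED"
        return 2
    fi
    rc=0
    # Here-document rather than a pipe so the loop runs in this shell and rc survives.
    while IFS= read -r cn; do
        if signer_trusted "$cn" "$allow"; then
            echo "TRUSTED $cn"
        else
            echo "UNTRUSTED $cn"
            rc=1
        fi
    done <<EOF
$cns
EOF
    return $rc
}

# Walk the installed kernels. Exit non-zero if any would fail shim's check.
check_boot_kernels() {
    allow="$1"
    bad=0
    # Report whether Secure Boot is actually enforced; an untrusted signer only
    # matters for booting when it is.
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state 2>/dev/null || true
    fi
    for k in /boot/vmlinuz-*; do
        [ -e "$k" ] || continue
        printf '%s: ' "$k"
        # Pipeline status is classify_signature's, so a missing/failed pesign
        # surfaces as UNSIGNED and marks the run as bad.
        if ! pesign -S -v -i "$k" 2>/dev/null | classify_signature "$allow"; then
            bad=1
        fi
    done
    return $bad
}

# Usage (hypothetical script name):
#   TRUSTED_SIGNERS='<CN from a known-good kernel>' sh shim-signer-check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_boot_kernels "${TRUSTED_SIGNERS:?set TRUSTED_SIGNERS to a comma-separated allow-list}"
fi
```

With the allow-list left at the production signer, a kernel signed by "Red Hat Test Certificate" (the case in Comment 2) is reported as UNTRUSTED and the script exits 1, which is the signal to hold the reboot or to enroll the test key in MOK deliberately rather than discover the failure at the grub prompt. Enrolling that key, as Comment 2 notes, extends trust to anyone holding the widely available test private key, so the allow-list should stay as short as the installed kernels require.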

Comment 3 Brian Stinson 2022-11-01 14:38:59 UTC

*** This bug has been marked as a duplicate of bug 2138019 ***

