Description (Andrew L. Moore, 2022-10-27 06:19:52 UTC)
Description of problem:
Upgrade of CentOS Stream 9 VM to kernel versions greater than 5.14.0-165.el9.x86_64 fails to boot due to "bad shim signature".
Version-Release number of selected component (if applicable):
CentOS Stream 9 kernel versions 5.14.0-171.el9 and 5.14.0-176.el9
How reproducible:
Upgrade CentOS Stream 9 VM from kernel version 5.14.0-165.el9.x86_64, then reboot.
Steps to Reproduce:
1. Install CentOS Stream 9 UEFI virtual machine on current Fedora 36 host with virtual machine manager
2. Upgrade CentOS Stream 9 VM
3. Reboot
Actual results:
error: ../../grub-core/kernel/efi/sb.c:183:bad shim signature
error: ../../grub-core/loader/i386/efi/linux.c:259:you need to load the kernel first.
Expected results:
Boot
Additional info:
After manually booting a previous kernel (5.14.0-165.el9 in my case), the problematic kernel(s) can be removed, e.g., with:
$ sudo dnf remove -y kernel{,-core,-modules}-5.14.0-176.el9
The issue of a bad shim signature was previously reported for a version of rawhide (Bug 1996867), but no resolution is indicated. If this issue can be resolved by the user (i.e., me), hopefully that can be explained here?
With the latest CentOS Stream 9 x86_64 ISO, installing to a VM (Q35 chipset, UEFI and emulated TPM CRB/2.0) produces the same error:
error: ../../grub-core/kernel/efi/sb.c:183:bad shim signature
error: ../../grub-core/loader/i386/efi/linux.c:259:you need to load the kernel first.
Changing the KVM firmware from "UEFI x86_64: /usr/share/edk2/ovmf/OVMF_CODE.secboot.fd" to "UEFI x86_64: /usr/share/edk2/ovmf/OVMF_CODE.fd" allows the install to proceed. So perhaps the issue is with the emulated TPM 2.0 hardware? The Fedora host is running on an HP Z820 with TPM 1.2...
grub has failed to authenticate the CentOS Stream 9 kernel you are attempting to boot. That is, the kernel is not signed by a key that is trusted by your system, in your case a virtual machine. But you would get exactly the same error on a bare-metal system.
[root@rhel9-vm02 ~]# cat /etc/centos-release
CentOS Stream release 9
[root@rhel9-vm02 ~]# pesign -S -v -i /boot/vmlinuz-5.14.0-174.el9.x86_64
---------------------------------------------
certificate address is 0x7f586f96c9c8
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
Signing time: Fri Oct 07, 2022
There were certs or crls included.
[root@rhel9-vm02 ~]#
I agree that the error message from grub is not very specific. Note that grub is using a facility provided by shim to do the signature validation.
If you enroll the Red Hat Test public key as a trusted key into the Machine Owner Key (MOK) list via mokutil, you will be able to authenticate kernels signed by the Red Hat test key. Note that this is not secure any more since anyone can get the Red Hat test private key and sign kernels with it.
I don't have the CentOS Stream 9 kernel 5.14.0-165.el9.x86_64 at hand to check its signatures. But I suspect that this was an intentional change.
I will leave this BZ open until I verify this.
-Lenny.
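A pre-reboot check in the spirit of the pesign inspection above, added here as an example and not part of the bug report: it extracts the signer common name from `pesign -S -v -i <kernel>` output and compares it against a list of signer CNs the system trusts (firmware db plus MOK), so a kernel signed only by the "Red Hat Test Certificate" is flagged before grub/shim reject it. The sample pesign output is the one quoted in the report; the trusted CN list and its names are constructed placeholders.

```shell
#!/bin/sh
# Example, not from the report: flag installed kernels whose Authenticode
# signer is not in the set of keys shim/grub will trust at boot.

# signer_cn: read pesign -S -v output on stdin, print signer CN(s), one per line.
signer_cn() {
    sed -n "s/^The signer's common name is //p"
}

# check_signers PESIGN_OUTPUT TRUSTED_CNS
#   TRUSTED_CNS is a newline-separated list of signer CNs the system trusts
#   (on a real host: collect them from `mokutil --db` and `mokutil --list-enrolled`).
#   Returns 0 if a signer is trusted, 1 if all signers are untrusted,
#   2 if no signer information was found.
check_signers() {
    signers=$(printf '%s\n' "$1" | signer_cn)
    if [ -z "$signers" ]; then
        printf 'no Authenticode signer found\n'
        return 2
    fi
    old_ifs=$IFS
    IFS='
'
    for cn in $signers; do
        if printf '%s\n' "$2" | grep -qxF -- "$cn"; then
            IFS=$old_ifs
            printf 'trusted: %s\n' "$cn"
            return 0
        fi
    done
    IFS=$old_ifs
    printf 'untrusted: %s\n' "$signers"
    return 1
}

# pesign output as quoted in the report for vmlinuz-5.14.0-174.el9.x86_64
SAMPLE_PESIGN_TEST="certificate address is 0x7f586f96c9c8
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
Signing time: Fri Oct 07, 2022
There were certs or crls included."

# Constructed placeholder trust list (hypothetical CNs, not real Red Hat keys).
SAMPLE_TRUSTED_CNS='Example Distro Secure Boot Signing Key
Example Owner MOK Key'

# Real use: check_signers "$(pesign -S -v -i /boot/vmlinuz-5.14.0-174.el9.x86_64)" "$SAMPLE_TRUSTED_CNS"
check_signers "$SAMPLE_PESIGN_TEST" "$SAMPLE_TRUSTED_CNS" || printf 'do not reboot into this kernel yet\n'
```

On the report's own output the check prints "untrusted: Red Hat Test Certificate", which is exactly the kernel that produced "bad shim signature".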