Bug 2215704 - GRUB is not compatible with DBX v371.
Summary: GRUB is not compatible with DBX v371.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: grub2
Version: 38
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Bootloader engineering team
QA Contact: Fedora Extras Quality Assurance
URL: https://discussion.fedoraproject.org/...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-06-17 16:12 UTC by Egor Gavrilov
Modified: 2024-10-01 12:00 UTC
CC List: 9 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2023-06-18 06:52:15 UTC
Type: ---
Embargoed:



Description Egor Gavrilov 2023-06-17 16:12:46 UTC
I have an error after updating the DBX database with fwupd. I get an error.

I posted more info to Fedora Discussion: https://discussion.fedoraproject.org/t/grub-is-output-error-of-tpm-c-module-after-371-dbx-update/84407

Reproducible: Always

Steps to Reproduce:
1. Update the DBX database from GNOME Software (fwupd).
2. Restart the system.

Actual Results:
I get this error.

Expected Results:  
Booting without errors.

Comment 1 Egor Gavrilov 2023-06-18 06:52:15 UTC
As it turned out, my UEFI NVRAM was full of a huge number of boot entries. I cleared these entries via efibootmgr and the issue was resolved.
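The fix in Comment 1 was to delete the pile of stale boot entries with efibootmgr. The script below is an added example, not code from the reporter or from Fedora, that does the tedious part without touching the firmware: it parses `efibootmgr -v` output, keeps one entry per (label, device path) pair, preferring BootCurrent and then the earliest BootOrder position, and prints the `efibootmgr -b XXXX -B` commands instead of running them. The SAMPLE text, the placeholder partition GUID and the `--live` flag are constructed for this example; a real board that re-registers the same entry on every boot produces output of the same shape.

```shell
#!/bin/sh
# Added example (not from the bug report): plan the removal of duplicate
# UEFI boot entries. Nothing is written to NVRAM; review the printed
# commands, then run them yourself as root.
#
# SAMPLE is constructed: the GUID and LBA values are placeholders. Real
# `efibootmgr -v` output separates label and device path with a tab; the
# parser accepts either a tab or spaces.
SAMPLE='BootCurrent: 0003
Timeout: 0 seconds
BootOrder: 0003,0004,0001,0000
Boot0000* Fedora HD(1,GPT,00000000-0000-0000-0000-000000000001,0x800,0x12c000)/File(\EFI\fedora\shimx64.efi)
Boot0001* Fedora HD(1,GPT,00000000-0000-0000-0000-000000000001,0x800,0x12c000)/File(\EFI\fedora\shimx64.efi)
Boot0002* Fedora HD(1,GPT,00000000-0000-0000-0000-000000000001,0x800,0x12c000)/File(\EFI\fedora\shimx64.efi)
Boot0003* Fedora HD(1,GPT,00000000-0000-0000-0000-000000000001,0x800,0x12c000)/File(\EFI\fedora\shimx64.efi)
Boot0004* Windows Boot Manager HD(1,GPT,00000000-0000-0000-0000-000000000001,0x800,0x12c000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)'

# Read `efibootmgr -v` output on stdin; print the hex IDs of entries that
# duplicate another entry with the same label and device path, one per line,
# in the order they were listed. The entry kept for each group is BootCurrent
# if it belongs to the group, otherwise the one earliest in BootOrder,
# otherwise the first one listed.
stale_boot_entries() {
    awk '
    /^BootCurrent:/ { current = $2 }
    /^BootOrder:/   { n = split($2, order, ",") }
    /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
        id = substr($1, 5, 4)
        # the device path starts at the first HD(/PciRoot(/BBS(/VenHw( token
        if (!match($0, /(HD|PciRoot|BBS|VenHw|VenMedia)\(.*/)) next
        path  = substr($0, RSTART)
        label = substr($0, length($1) + 1, RSTART - length($1) - 1)
        gsub(/^[ \t]+|[ \t]+$/, "", label)
        key = label SUBSEP path
        ids[id] = key
        seq[++total] = id
    }
    END {
        for (i = 1; i <= n; i++) rank[order[i]] = i
        rank[current] = 0
        for (i = 1; i <= total; i++) {
            id = seq[i]; key = ids[id]
            r = (id in rank) ? rank[id] : n + i
            if (!(key in best) || r < bestrank[key]) { best[key] = id; bestrank[key] = r }
        }
        for (i = 1; i <= total; i++) {
            id = seq[i]
            if (best[ids[id]] != id) print id
        }
    }'
}

# Turn the ID list into commands. `efibootmgr -b XXXX -B` deletes the
# BootXXXX variable and drops it from BootOrder in the same step.
plan_cleanup() {
    stale_boot_entries | while IFS= read -r id; do
        printf 'efibootmgr -b %s -B\n' "$id"
    done
}

if [ "${1:-}" = "--live" ]; then
    efibootmgr -v | plan_cleanup      # real variable store; needs efivarfs and root
else
    printf '%s\n' "$SAMPLE" | plan_cleanup
fi
```

On the constructed sample this prints deletions for Boot0000, Boot0001 and Boot0002 and keeps Boot0003 (the running entry) and the Windows entry. Keying on label plus device path means two "Fedora" entries pointing at different disks are both kept, so inspect the plan before applying it, and confirm afterwards with `efibootmgr -v` that the entry you boot from is still present.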

Comment 2 Frank Ansari 2024-02-24 10:04:58 UTC
I had the same issue today when fwupd updated my dbx from 217 to 317.

In my boot list are only 4 entries so this is not the issue in my case.

I use Fedora 39 Silverblue.

Also I have copied usr/lib/ostree-boot/efi/EFI/fedora/grubx64.efi to /boot/efi/EFI/fedora to make sure I have the latest efi binary.

In my case after the update the boot menu was empty and my PC did not boot.

I could then disable the TPM chip in my BIOS or apply the 02_tpm script given in the mentioned article. In this case I was able to boot my PC again with the TPM chip enabled. There are again a bunch of tpm.c error messages while booting, but as it seems, after booting the PC the TPM chip is still usable.

Comment 3 Egor Gavrilov 2024-02-24 10:23:32 UTC
>I had the same issue today when fwupd updated my dbx from 217 to 317.

Did you clean the boot entries in NVRAM with efibootmgr? I wrote about this in the bug closing message.

Comment 4 Frank Ansari 2024-02-24 10:30:05 UTC
No because there are only 4 entries there. Why should I delete them?

Comment 5 Frank Ansari 2024-02-24 10:56:03 UTC
Now I have deleted all four boot entries with efibootmgr and recreated just one.

The issue is the same. I cannot start my PC with the TPM chip enabled when I don't have this 02_tpm script.

Comment 6 Frank Ansari 2024-02-24 12:48:34 UTC
I have also done a "mokutil --reset". With this I was able to delete all of the 85 entries except for one Fedora key, which is already expired.

[key 1]
SHA1 Fingerprint: 7e:68:65:1d:52:68:5f:7b:f5:8e:a0:1d:78:4d:2f:90:d3:f4:0f:0a
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number: 2574709492 (0x9976f2f4)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: CN=Fedora Secure Boot CA
    Validity
      Not Before: Dec  7 16:25:54 2012 GMT
      Not After : Dec  5 16:25:54 2022 GMT
    Subject: CN=Fedora Secure Boot CA

Comment 7 Frank Ansari 2024-02-24 12:50:07 UTC
But also after the "mokutil --reset" the behaviour is the same.

Comment 8 Egor Gavrilov 2024-02-24 13:11:20 UTC
Frank, I replied about this in the Fedora Discussion thread.

Comment 9 Egor Gavrilov 2024-02-24 13:12:56 UTC
>CN=Fedora Secure Boot CA

This is normal behavior. This is not a MOK key. This is the shim embedded key, which is stored in the shim EFI binary file.

