If secure boot is enabled and an attempt is made to boot from an unsigned kernel, grub2 just hangs and does not display a bad shim signature error message.
Reproducible: Always
Steps to Reproduce:
1. Enable secure boot.
2. Create a custom kernel but do not sign it.
3. Boot from this kernel.
Actual Results: Boot hangs without an error message.
Expected Results: Bad shim signature error message is displayed.
Additional Information: Grub2 version 2.12-42 fails, version 2.12-40 works as expected.
Thanks for the report. I can reproduce this one, and on the serial console I see:
Booting `unsigned kernel'
!!!! X64 Exception Type - 0D(#GP - General Protection) CPU Apic ID - 00000000 !!!!
ExceptionData - 0000000000000000
RIP - 00000000792567F4, CS - 0000000000000038, RFLAGS - 0000000000210206
RAX - 000087E000010000, RCX - 000000007BF2BD98, RDX - 000000007BF2BD98
RBX - 0000000000000000, RSP - 000000007BF2BF70, RBP - 000000007BF2BF80
RSI - 00000000000000DD, RDI - 0000000077A7BC40
R8 - 0000000000000000, R9 - 0000000000000020, R10 - 0000000000000000
R11 - 0000000000000000, R12 - 0000000000000000, R13 - 0000000000000000
R14 - 0000000079AA86E8, R15 - 0000000079AA86F0
DS - 0000000000000030, ES - 0000000000000030, FS - 0000000000000030
GS - 0000000000000030, SS - 0000000000000030
CR0 - 0000000080010033, CR2 - 0000000000000000, CR3 - 000000007BC01000
CR4 - 0000000000000668, CR8 - 0000000000000000
DR0 - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000
DR3 - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400
GDTR - 000000007B9E1000 0000000000000047, LDTR - 0000000000000000
IDTR - 000000007B157018 0000000000000FFF, TR - 0000000000000000
FXSAVE_STATE - 000000007BF2BBD0
!!!! Find image based on IP(0x792567F4) (No PDB) (ImageBase=000000007923E000, EntryPoint=000000007923F000) !!!!
Unfortunately, when I turn on debugging, I do end up seeing the error messages, and can get back to the GRUB menu.
Grub2 from Fedora 44 Beta (version 2.12-55) fails in the same way.
(In reply to David Sandalf from comment #2)
> Grub2 from Fedora 44 Beta (version 2.12-55) fails in the same way.
Thanks, David, for also testing in f44. We recently backported a patch fixing an out-of-memory issue, and this may be having an impact. I am investigating whether this is the root cause or some other recent change.
- f44: with the latest grub version 2.12-56.fc45, which includes the OOM fix, installing an unsigned kernel and rebooting yields a blank screen and a hang. If (grub) debug is enabled, it does print the expected error message. If we downgrade grub to the pre-OOM-fix version, grub2-2.12-53.fc44, the expected error message is shown, whether debug is enabled or not.
- f43: with the latest grub version 2.12-42, an exception type is observed (also reported by Marta). With the same version but debug enabled, the expected error message is observed and no exception is observed. If we downgrade grub to the pre-OOM-fix version, in this case grub-2.12-40, the expected error is seen in both scenarios, without debug and with debug enabled.
In summary, the OOM fix that we recently backported into f44 and f43 is introducing these regressions. Before a possible revert, we need to understand why we are having this dual behavior based on the debug status (enabled/disabled). This is WIP.
Hi, the newest grub2 versions should fix this for you:
grub2-2.12-43.fc43
grub2-2.12-56.fc44
grub2-2.12-57.fc45
Please try updating to the relevant version for your Fedora and let us know if it works. Thank you! :)
I updated grub2 for F43 to 2.12-43 and it worked (bad shim signature error message for an unsigned kernel, booted a signed one). I will try F44 when it is released (scheduled for a few days from now).
Bug is fixed in F44.