Am 08.10.22 um 16:24 schrieb Leon Fauster:
Hey folks, I wonder if anyone also suffers from the following:
I updated the BIOS/Firmware of a DELL notebook from 1.8 to 1.9. and
after this the latest C9S
kernel-5.14.0-171.el9.x86_64
can't be booted anymore (secure boot on) but the two older ones do boot:
kernel-5.14.0-165.el9.x86_64
kernel-5.14.0-168.el9.x86_64
The grub error message when trying to boot kernel-5.14.0-171.el9.x86_64
looks like:
error: ../../grub-core/kern/efi/sb.c:183:bad shim signature.
error: ../../grub-core/loader/i386/efi/linux.c:259:you need to load the
kernel first.
I wonder how this happens. The firmware is classified as bug-fix update.
Not sure if DBX list was update. fwupdmgr shows "Current version: 83"
If so, it does not make sense that older kernels can be used to boot the
system. So, a big question mark how to solve this issue? Any hints ...?
# sha256sum /boot/efi/EFI/BOOT/BOOTX64.EFI
3ae459e79408b5287ce70c5b86ddcc92c243c7442d6769a330390598b7a351b1
/boot/efi/EFI/BOOT/BOOTX64.EFI
It seems that the kernel-5.14.0 of the release 17X-series
do not get signed with the CentOS key anymore!
https://bugzilla.redhat.com/show_bug.cgi?id=2138019
TLDR:
/boot/vmlinuz-5.14.0-16*
versus
/boot/vmlinuz-5.14.0-17*
shows
The signer's common name is CentOS Secure Boot Signing 201
versus
The signer's common name is Red Hat Test Certificate
Is this issue already receiving the right attention?
--
Thanks
Leon
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
