secureblue / secureblue

Fedora Atomic images for GNOME, KDE Plasma, Bluefin, Sway, Cinnamon, Wayfire, River, and Hyprland with some hardening applied
https://github.com/secureblue/secureblue/wiki
Apache License 2.0

[BUG] SecureBlue Boot issue On the Latest Update #291

Closed czhang03 closed 2 weeks ago

czhang03 commented 2 weeks ago

Describe the bug: Similar to https://github.com/fedora-silverblue/issue-tracker/issues/543 and https://discussion.fedoraproject.org/t/after-a-system-update-bad-shim-signature-silverblue-f40/120347, where the boot shows "bad shim signature" and "you need to load the kernel first".

This bug was originally mitigated by https://github.com/secureblue/secureblue/commit/cf10674a3a15570cbf1940492019048a4cfc2447, and then the mitigation was reverted in https://github.com/secureblue/secureblue/commit/cb00ab019ee2bcf867acde8f37b4409efd9acef9.

To Reproduce: update to the latest version of secureblue, which updates the kernel to 6.9.4, I believe. You probably also need to enable Secure Boot. I am using the following kargs (newlines added for readability):

cheng@cheng-fedora-laptop ~ [1]> rpm-ostree kargs
rd.luks.uuid=[redacted] rhgb quiet root=UUID=[redacted] rootflags=subvol=root rw 
ostree=/ostree/boot.1/fedora/[redacted]/0 init_on_alloc=1 init_on_free=1 slab_nomerge page_alloc.shuffle=1 
randomize_kstack_offset=on vsyscall=none lockdown=confidentiality random.trust_cpu=off 
random.trust_bootloader=off iommu=force intel_iommu=on amd_iommu=force_isolation iommu.passthrough=0 
iommu.strict=1 pti=on module.sig_enforce=1 mitigations=auto,nosmt amdgpu.sg_display=0 debugfs=off 
efi=disable_early_pci_dma

Expected behavior: OS should be able to boot.

Actual behavior: OS cannot load the kernel.

Your current image: The affected image is the latest image (40.20240618.0), not my current image.

Deployments:
  ostree-image-signed:docker://ghcr.io/secureblue/silverblue-main-hardened:latest
                   Digest: sha256:a7d0a2dcda6cfeeee04cf2e8394d87cb11a3040ec5fe803721f8c76ec2e8355e
                  Version: 40.20240618.0 (2024-06-19T01:56:09Z)
                     Diff: 26 upgraded, 1 added
          LayeredPackages: fish ibus-table-mathwriter

● ostree-image-signed:docker://ghcr.io/secureblue/silverblue-main-hardened:latest
                   Digest: sha256:eb9f439b1bc629221ab8995c1e8430c61ffcf5c8824baaa46dec74a13db8d428
                  Version: 40.20240616.0 (2024-06-16T19:02:55Z)
          LayeredPackages: fish ibus-table-mathwriter

If you're using a secureblue Bluefin image: No.

For all images: According to https://github.com/ublue-os/main/issues/551, likely no, but I will try to reproduce tomorrow, if I have time.
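The kargs pasted above are the hardening-relevant part of this report, and after an update that changes the kernel it is worth confirming they survived on the booted deployment. The following is an added example, not code from the secureblue project or from anyone in this thread: it parses a kernel command line the way the kernel tokenizes it (whitespace-separated `key=value` pairs, bare words as flags, last occurrence winning) and audits it against a baseline. The baseline dictionary and the `read_live_cmdline` helper are assumptions of this example; the sample command line is constructed from the kargs in the report, with the redacted UUIDs left as placeholders.

```python
"""Audit a kernel command line against a hardening baseline.

Added example, not part of the secureblue project or this issue. The
baseline below is an assumption drawn from the kargs pasted in the report.
"""
from __future__ import annotations

import shlex

# Constructed sample: the kargs from the bug report joined onto one line,
# with the redacted UUIDs kept as placeholders.
SAMPLE_KARGS = (
    "rd.luks.uuid=[redacted] rhgb quiet root=UUID=[redacted] rootflags=subvol=root rw "
    "ostree=/ostree/boot.1/fedora/[redacted]/0 init_on_alloc=1 init_on_free=1 slab_nomerge "
    "page_alloc.shuffle=1 randomize_kstack_offset=on vsyscall=none lockdown=confidentiality "
    "random.trust_cpu=off random.trust_bootloader=off iommu=force intel_iommu=on "
    "amd_iommu=force_isolation iommu.passthrough=0 iommu.strict=1 pti=on module.sig_enforce=1 "
    "mitigations=auto,nosmt amdgpu.sg_display=0 debugfs=off efi=disable_early_pci_dma"
)

# Assumed baseline (not the project's own list): None means the parameter only
# has to be present as a flag; a string means the last value must match exactly.
HARDENING_BASELINE: dict[str, str | None] = {
    "lockdown": "confidentiality",
    "module.sig_enforce": "1",
    "init_on_alloc": "1",
    "init_on_free": "1",
    "slab_nomerge": None,
    "page_alloc.shuffle": "1",
    "randomize_kstack_offset": "on",
    "vsyscall": "none",
    "pti": "on",
    "debugfs": "off",
    "random.trust_cpu": "off",
    "random.trust_bootloader": "off",
    "iommu.strict": "1",
    "mitigations": "auto,nosmt",
    "efi": "disable_early_pci_dma",
}


def parse_kargs(cmdline: str) -> dict[str, list[str]]:
    """Parse a kernel command line into key -> list of values, in order.

    Parameters are whitespace-separated; the kernel also accepts double-quoted
    values containing spaces, which shlex handles. A bare word (e.g. "rw",
    "slab_nomerge") is recorded with an empty value. Repeated keys are kept
    in order so the caller can apply last-one-wins.
    """
    params: dict[str, list[str]] = {}
    for token in shlex.split(cmdline):
        key, sep, value = token.partition("=")
        params.setdefault(key, []).append(value if sep else "")
    return params


def audit_kargs(cmdline: str, baseline: dict[str, str | None] = HARDENING_BASELINE) -> dict[str, str]:
    """Return {baseline key: finding} for every baseline entry that fails.

    An empty dict means the command line satisfies the baseline. When a key is
    repeated, the last value is the one checked, matching kernel behaviour for
    most parameters.
    """
    params = parse_kargs(cmdline)
    findings: dict[str, str] = {}
    for key, expected in baseline.items():
        if key not in params:
            findings[key] = "missing"
            continue
        actual = params[key][-1]
        if expected is not None and actual != expected:
            findings[key] = f"expected {expected!r}, got {actual!r}"
    return findings


def read_live_cmdline(path: str = "/proc/cmdline") -> str:
    """Read the command line of the running kernel (assumed helper; Linux only)."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    # Audit the running kernel; falls back to the constructed sample when
    # /proc/cmdline is unavailable (e.g. when run on a non-Linux host).
    try:
        cmdline = read_live_cmdline()
    except OSError:
        cmdline = SAMPLE_KARGS
    for key, finding in sorted(audit_kargs(cmdline).items()):
        print(f"{key}: {finding}")
```

Run it on the booted deployment after an update; a non-empty report means a karg was dropped or changed. Comparing `/proc/cmdline` rather than `rpm-ostree kargs` output catches the case where the pending deployment has the right kargs but the deployment that actually booted does not.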

qoijjj commented 2 weeks ago

This is already fixed by ublue. If you're still seeing it, then you skipped the postinstall instructions when you initially installed:

https://github.com/secureblue/secureblue/blob/live/POSTINSTALL-README.md#enroll-secureboot-key

Please enroll the secureboot key and try again.