Recently, I updated secureboot dbx with fwupdmgr.
It has many options so I checked the all of them how they works.
Security, one of the options, the result makes me annoy because of many of ‘’.
Then I coped with disabling swap partition, turning on secure boot, and so on.
My laptop has 3 OSes. I turn it on, select an OS, display shows me a message ’ ~~~ bad shim signature, ~~~~kernel load first ~~ press any key to continue’.
I can only boot my laptop hitting F10 key at the startup, and BIOS boot menu appears.
This process is successful.
If I sign shimx64.efi as MOK, but I’m not sure that It works well because just a kernel and an initramfs are loaded, not chainloader or relating an efi file(It means EFI File ≠ kernel)
You do not need to sign the kernel, It is already signed.
The shim, which authenticates to the bios secure boot , contains a signature and a recent update of the signature key from microsoft in bios (and invalidation of the older key) is the cause of this. The user cannot sign anything to match the keys provided from microsoft (in bios and in the newest shim files)
You will need to first disable secure boot, then get everything updated, then and only then will you be able to enable secure boot again.
I think that doing sudo dnf reinstall grub2-efi* should update the shim packages but it may be necessary to first remove them (everything under /boot/efi/EFI/fedora/) then do sudo dnf reinstall grub2-efi* grub2-common so everything gets installed new. The second command will reinstall and rebuild everything under /boot/efi/EFI/fedora.
Sometimes a reinstall only verifies files exist instead of always writing them new.
’.