--- Comment #22 from Gary Ching-Pang Lin email@example.com --- (In reply to Tiago Marques from comment #21)
(In reply to Gary Ching-Pang Lin from comment #18)
(In reply to Tiago Marques from comment #17)
(In reply to Gary Ching-Pang Lin from comment #16)
(In reply to Tiago Marques from comment #15)
(In reply to Gary Ching-Pang Lin from comment #13)
(In reply to Tiago Marques from comment #12) > Hi, > > I've been hit by this for some months now. Every Grub2 update, I get the > same message as OP. > Not sure which grub package is to blame and I'm using EFI and secure boot. > > I've managed to (twice) solve the issue by booting a live USB, chrooting and > then running 'shim-install'. > > Not sure where the bug is or if this helps. I'm available to test other > things out to help fix this.
Before upgrading "shim", could you try "mokutil --enable-validation" and reboot the system to clean up MokSBState?
Tried but the command is asking me for a password. I have no password set on the BIOS. Is this the expected behavior?
That's a password used to verify physical access when modifying MokSBState variable. During the next boot, MokManager will ask if you want to "Change Secure Boot state" and randomly ask 3 characters of the password you set. It's an one-time password and will be dropped after use.
After doing that, got an unbootable system with the the same "system is compromised message".
What's the version of shim in the system? Could you try
- downgrade shim with the following rpm
reboot the system to clear MokSBState
upgrade shim to 15.4 again and reboot the system to see if the issue
Tried to restore the same way as before, but the OpenSUSE live USB was also unbootable w/ messages:
Failed to open \EFI\BOOT\MokManager.efi - Not Found Failed to load image \EFI\BOOT\MokManager.efi: Not Found Failed to start MokManager: Not Found Something has gone seriously wrong: import_mok_state() failed : Not Found
It seems the request for MokSBState wasn't handled, and MokManager.efi wasn't in Live USB so that shim cannot handle the request.
I managed to select an option to run "UEFI Application", manually select 'shim.efi' from the boot drive and get into the OS.
Tried this to no avail.
Also tried changing the SB state through the Shim management options but it fails with error "Failed to changed SB state".
Running shim through UEFI programs still works and "shim-install" then fixes the boot issue.
$ mokutil --list-enrolled MokListRT is empty
Could this be related?
The empty MokListRT sounds similar to bsc#1185528. It seems that shim failed to mirror the keys for some reason.