Unable to boot after an update: Kernel signature issues with Secure Boot on recent versions of Fedora

[xynydev]

Note

Universal Blue has implemented a fix for this issue in their base images. If you are building custom images based on Universal Blue, you should be able to ignore this warning.

It's come to our attention that a kernel issue has been propagating for users that are using Secure Boot. This issue likely started happening after Fedora updated the kernel version from 6.8 to 6.9. Users not on Universal Blue might have experienced the issue even earlier, though. In short, a new Fedora update causes the boot to fail for users with Secure Boot enabled.

Universal Blue is aware of the issue and has fixed it in their images by re-signing the kernel in all images. You can read the announcement from Universal Blue on Discord. Re-enrolling secure boot keys is required.

For vanilla Fedora users, disabling Secure Boot is a viable workaround to make the system boot. A fix that has been reported to work was posted over on the Fedora Silverblue issue tracker by Timothée Ravier. See Boot fails with "vmlinuz has invalid signature" or "bad shim signature, you need to load the kernel first" (issue #543).
This fix isn't well tested, so be sure to back up your files (as always). If you are able to boot, you may also pin your current version using ostree admin pin.

Users not using Secure Boot should be fine.

Users who are maintaining custom images for multiple users should inform users about this issue. Pinning builds to a version tagged with the date 20240617 or before might also help to prevent issues until the issue is fully fixed by Fedora.

This is an evolving issue and our upstreams are actively working to fix it. We're sorry for any inconvenience this may have caused our users.