1227415 – "Verifiying shim SBAT data failed" Error On First Reboot After Leap 15.6 Install

Bug 1227415 - "Verifiying shim SBAT data failed" Error On First Reboot After Leap 15.6 Install

Summary: "Verifiying shim SBAT data failed" Error On First Reboot After Leap 15.6 Install

Status:	RESOLVED DUPLICATE of bug 1209985

Alias:	None

Product:	openSUSE Tumbleweed
Classification:	openSUSE
Component:	Bootloader (show other bugs)
Version:	Current
Hardware:	x86-64 openSUSE Tumbleweed

Priority:	P5 - None Severity: Major (vote)
Target Milestone:	---
Assignee:	E-mail List
QA Contact:	E-mail List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-07-04 19:31 UTC by Bill Wayson
Modified:	2024-07-05 00:29 UTC (History)
CC List:	0 users

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Bill Wayson 2024-07-04 19:31:18 UTC

This desktop multiboots four OSes (Tumbleweed and Leaps 15.4, 15.5, and 15.6) with secure boot enabled. Tumbleweed manages booting using grub2. The systemd-boot package is not installed and marked as Protected - Do Not Modify. The only shared partitions are swap and two personal data partitions mounted under my user's home directory in each installation. This setup has worked well through several versions of Leap, which I have always installed new (not upgrade).

I am reporting this against Tumbleweed since that is the OS managing booting.

Upon the first (and several subsequent) reboot after installing Leap 15.6, I received the message, "Verifiying shim SBAT data failed: Security Policy Violation Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation", and the PC powered off after a few seconds.

I got around this using the installation USB drive and choosing the Boot from Hard Disk boot menu item. This method allowed me to boot into any and all of the four OSes -- it worked as I expected.

This may, or may not, be related to the SBAT issue. Thinking that the Tumbleweed UEFI certificate for shim might have gotten corrupted, I tried to reinstall it by booting into Tumbleweed's MokManager.efi (I have an entry to do that in my grub.cfg). But running it failed with a message pointing to a line in a C-code file (sb.c) and "bad shim signature." After rebooting with the USB stick, I replaced the MokManager.efi with the file from the Leap 15.6 installation. This version did run, and I reinstalled Tumbleweed's shim-opensuse.der. This did not fix the SBAT boot issue.

What did fix the SBAT boot issue was renaming the shim.efi (Tumbleweed's) that is located at /boot/efi/EFI/opensuse/, then copying the Leap 15.6 file shim-sles.efi (from /usr/share/efi/x86-64/) into that location and renaming it shim.efi. After that, this PC has booted and run for a few days exactly as I expect. I've started to configure Leap 15.6 but have held off updating Tumbleweed, in case there may be something there that would help troubleshooting this.

Comment 1 hui 2024-07-05 00:29:04 UTC

.

*** This bug has been marked as a duplicate of bug 1209985 ***