
Fix for Fedora Atomic Desktop and Fedora IoT boot failure

Wednesday July 10, 2024. 07:20 PM , from LWN.net
Fedora Atomic Desktop and Fedora IoT systems installed
before Fedora 40 may fail to boot after an update if secure boot
is enabled. Fedora Magazine has a
post by Timothée Ravier about the problem, how users can work
around it, and what the project is doing to avoid similar problems
in the future:

On Fedora Atomic Desktops and Fedora IoT systems, the components
that are part of the boot chain (Shim, GRUB) are not (yet)
automatically updated alongside the rest of the system. Thus, if you
have installed a Fedora Atomic Desktop or a Fedora IoT system before
Fedora 40, it uses old versions of the Shim and bootloader binaries
to boot your system.

When Secure Boot is enabled, the EFI firmware loads Shim
first. Shim is signed by the Microsoft Third Party Certificate
Authority so that it can be verified on most hardware out of the
box. The Shim binary includes the Fedora certificates used to verify
binaries signed by Fedora. Then Shim loads GRUB, which in turn loads
the Linux kernel. Both are signed by Fedora.

Until recently, the kernel binaries were signed two times, with an
older key and a newer one. With the 6.9 kernel update, the kernel is
no longer signed with the old key. If GRUB or Shim is old enough and
does not know about the new key, the signature verification fails.
https://lwn.net/Articles/981561/
