• shim-15.8-1.el7
    • Critical
    • rhel-sst-cs-bootloaders
    • ssg_display
    • 31
    • 13
    • False
    • Red Hat Enterprise Linux
    • Approved Blocker
    • x86_64

      We tried to install RHEL 8.8 on one of our Fujitsu Synergy RX300 S8 but the media fails to boot, giving this error:

      Invalid image Failed to read header: Unsupported

      Failed to load image: Unsupported

      start_image() returned Unsupported

      BIOS is configured in UEFI mode without secure boot.

      After some research we traced this issue back to a shim bug and tried to boot all RHEL 8.x releases backwards.

      This Fedora bug seems to match:

      https://bugzilla.redhat.com/show_bug.cgi?id=2113005

      It finally worked with RHEL 8.5, which has shim 15.4, so both shim 15.5 and 15.6 are affected. Moreover, we also have RHEL 7.9 on some of these servers; it has shim 15.0, but an update to 15.6 is available, so we expect the same bug.

            [RHEL-2155] shim 15.5 and higher issue with Fujitsu Primergy RX300 S8

            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Important: shim security update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2024:1959

            Marta Lewandowska added a comment -

            Important update information:
            The new shim revokes ALL PREVIOUS VERSIONS of GRUB2. Therefore GRUB2 MUST be updated to the latest version: grub2-2.02-0.87.el7_9.14 (RHSA-2024:128440-02) BEFORE OR SIMULTANEOUSLY with this shim in order for Secure Boot to continue to work. Failure to update GRUB2 will result in an UNBOOTABLE system.
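The ordering constraint in the comment above (GRUB2 at or above grub2-2.02-0.87.el7_9.14 before the shim that revokes older GRUB2 builds goes on) is worth checking mechanically before touching a fleet, since getting it wrong leaves the machine unbootable. The following is an added example, not Red Hat's tooling and not code from this issue: it takes the text of "rpm -qa 'grub2*'" and reports any grub2 subpackage whose version-release is below the advisory's minimum, using a simplified rpmvercmp-style comparison (rpm's tilde and caret rules are omitted). It assumes the installed grub2 subpackages carry the same version-release as the grub2 source package named in the advisory; the sample rpm -qa output is constructed.

```python
"""Pre-flight check before installing a shim that revokes older GRUB2 builds.

Added example (not Red Hat tooling): compares the installed grub2* packages,
as printed by `rpm -qa 'grub2*'`, against the minimum GRUB2 build named in
the advisory, using an rpmvercmp-style segment comparison. rpm's tilde/caret
handling is deliberately omitted (simplification, not rpm's real algorithm).
"""
import re

# Minimum GRUB2 build required by the advisory (taken from the issue comment).
REQUIRED_GRUB2 = "grub2-2.02-0.87.el7_9.14"

# Architectures that rpm -qa appends to the release field (assumed list).
_ARCHES = {"x86_64", "noarch", "aarch64", "ppc64le", "s390x", "i686"}

# rpmvercmp splits on anything that is not a digit or letter.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Compare two version (or release) strings; returns -1, 0 or 1.

    Digit runs compare numerically (leading zeros ignored), letter runs compare
    lexically, a numeric segment beats an alphabetic one, and whichever string
    has segments left over when the other is exhausted is the newer one.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_nvr(nvr):
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    head, _, tail = release.rpartition(".")
    if tail in _ARCHES:
        release = head
    return name, version, release


def vr_cmp(vr_a, vr_b):
    """Compare (version, release) pairs: version decides, release breaks ties."""
    c = rpmvercmp(vr_a[0], vr_b[0])
    return c if c else rpmvercmp(vr_a[1], vr_b[1])


def grub2_meets_minimum(rpm_qa_output, required=REQUIRED_GRUB2):
    """Return (ok, too_old).

    too_old lists every grub2* package below the required version-release.
    ok is False when any package is too old AND when no grub2 package was seen
    at all, so an empty or wrong query never silently approves the shim update.
    """
    _, req_v, req_r = split_nvr(required)
    seen, too_old = False, []
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line.startswith("grub2"):
            continue
        seen = True
        _, v, r = split_nvr(line)
        if vr_cmp((v, r), (req_v, req_r)) < 0:
            too_old.append(line)
    return (seen and not too_old), too_old


# Constructed sample output of `rpm -qa 'grub2*'` on a RHEL 7 host that has
# not yet taken the GRUB2 advisory (the .12 release is illustrative only).
SAMPLE_RPM_QA = """\
grub2-common-2.02-0.87.el7_9.12.noarch
grub2-efi-x64-2.02-0.87.el7_9.12.x86_64
grub2-tools-minimal-2.02-0.87.el7_9.12.x86_64
"""

if __name__ == "__main__":
    ok, old = grub2_meets_minimum(SAMPLE_RPM_QA)
    if ok:
        print("GRUB2 is at or above", REQUIRED_GRUB2, "- safe to install the new shim")
    else:
        print("Do NOT install the new shim yet; update these packages first:")
        for pkg in old:
            print("  ", pkg)
```

On a real host, feed it the actual query output (for example subprocess.check_output(["rpm", "-qa", "grub2*"], text=True)) and gate the shim install on the returned ok flag; for a multi-host rollout, run the check in the same transaction step that installs grub2 and shim together, which is what the comment's "BEFORE OR SIMULTANEOUSLY" allows.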

            Marta Lewandowska added a comment -

            Patches have been applied; sanity testing has been done on shim-15.8-1.el7

            Marta Lewandowska added a comment -

            Hi,

            We have an official signed shim build available for you to test: https://people.redhat.com/mlewando/shim-15.8-2.el8/

            You can install directly from the repo or download and unpack the rpm, and the shim binary will be found in ./boot/efi/EFI/redhat

            Please let us know if it is working as expected. Thank you.

            RHEL Jira bot added a comment -

            The release blocker/exception task has completed successfully and your blocker/exception request has been set as Approved Blocker. Please plan/complete this work accordingly.

            Marta Lewandowska added a comment -

            Hi,

            We have an official (unsigned) shim build that should resolve your issue: https://people.redhat.com/mlewando/shim-unsigned-x64-15.8-2.el8/ and we'd be grateful if you could test it. A new signed shim will be released soon.

            You can simply download the rpm, and the shim binary can be found in ./usr/share/shim/15.8-2.el8/x64/

            Thank you!

            Gsim Resia added a comment -

            Hello Marta.

            Secure boot was already disabled on those servers.

            Anyway, if no critical CVE or bug emerges in the meantime, we'll stick with the older production builds for the time being, waiting for a new signed public shim rpm.

            Regards.

            Marta Lewandowska added a comment -

            Your approach makes sense, and you took the right files. Sorry for not mentioning that the path in the rpm is different.

            I'm glad it works! I would like to, however, echo Robbie's comment in the Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=2113005#c16 until we release a new signed shim.

            Gsim Resia added a comment -

            Hi Marta.

            Well, this attached rpm contains a build in an out-of-standard path (/usr/share/shim), so it's not directly usable in the OS.

            So I downloaded a RHEL 8.6 64-bit install boot ISO and wrote it to a pendrive with Rufus instead of Media Writer, so as to be able to choose the ISO write method instead of dd.

            This way the pendrive is more easily writable, and after reading the Fedora bug threads I picked 2 files from the patched rpm package to copy to the pendrive:

            shimx64.efi > \EFI\BOOT\BOOTX64.EFI

            mmx64.efi > \EFI\BOOT\mmx64.efi

            Please check if I chose the correct files and procedure.

            Anyway, after this update the 8.6 image is now able to boot in UEFI mode without secure boot.

            Marta Lewandowska added a comment -

            Hi,

            I have attached a RHEL-8.6 scratch build of shim-unsigned-x64 with the patch https://github.com/rhboot/shim/pull/505/commits/72cd577ef0cea5d0e7fef4e98c2bbacf3b6a7210 from the Fedora bug. Please give it a try and let us know if it works. It is not signed, so it can only be tested with Secure Boot disabled.

              bootloader-eng-team
              Gsim Resia (prometeo4cnmca)
              bootloader-eng-team
              Release Test Team
              Votes: 0
              Watchers: 5