Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1491459

Summary: shim.efi missing from EFI partition, causes upgraded systems not to boot
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: shim-signedAssignee: Peter Jones <pjones>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 27CC: mjg59, pjones, robatino, vidar.akselsen
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: AcceptedBlocker
Fixed In Version: shim-signed-13-0.5 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-09-16 05:55:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1396702    

Description Adam Williamson 2017-09-13 21:56:00 UTC 
The shim-x64 package currently in F27 stable - shim-x64-13-0.4 - contains no 'shim.efi' file or link. This isn't a problem for new installs, as anaconda now creates EFI boot manager entries pointing to 'shimx64.efi'. However, it *is* a big problem for existing UEFI installs that are upgraded to Fedora 27, as their EFI boot manager entries still point to 'shim.efi', which is no longer present, so they'll fail to boot properly.

The fallback path may perhpas save some cases, but not all - e.g. if Windows is also installed, many firmwares won't fall through to the fallback path, they'll just boot Windows instead, so the user has no easy way to get into Fedora at all any more.

13-0.5 fixes this, but it's stuck in updates-testing and we're in Beta freeze, so I'm filing this bug so we can grant it FE or blocker status and push the update stable. Nominating as a Beta blocker as a violation of "For each one of the release-blocking package sets, it must be possible to successfully complete a direct upgrade from fully updated installations of the last two stable Fedora releases with that package set installed" in the case of a UEFI install, as the upgraded system may well fail to boot due to this bug.
Comment 1 Fedora Update System 2017-09-13 21:57:27 UTC 
shim-signed-13-0.5 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-249267e56b
Comment 2 Dennis Gilmore 2017-09-14 17:26:07 UTC 
+1 Beta Blocker
Comment 3 Adam Williamson 2017-09-15 02:18:15 UTC 
Discussed at 2017-09-14 Beta Go/No-Go meeting, acting as a blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-meeting-2/2017-09-14/f27-beta-go-no-go-meeting.2017-09-14-17.00.html . Accepted as a blocker as a violation of Beta criterion "For each one of the release-blocking package sets, it must be possible to successfully complete a direct upgrade from fully updated installations of the last two stable Fedora releases with that package set installed...The upgraded system must meet all release criteria." in the case of UEFI installs, as the upgraded system may well fail to boot.
Comment 4 Fedora Update System 2017-09-16 05:55:41 UTC 
shim-signed-13-0.5 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Vidar Akselsen 2017-11-16 18:51:35 UTC 
I was also dropped into shim key management on two distinct systems after doing a "dnf upgrade" followed by "dnf autoremove" and a reboot on 15th of Nov. Both systems where upgraded from F26 to final F27. I believe both systems where using UEFI boot and gpt. The first system AMD Athlon 5350 based PC and the other a Lenovo t440p laptop (Intel) with secureboot disabled.