shim SBAT data failed after upgrading to latest kernel.

This is driving me crazy. HP DL20 Gen10 Plus. Installed Proxmox today on the server fresh out of the box without issue. Decided to install on a different HD, the reinstall is giving me the same exact error as the OP. I have tried clearing keys, BIOS reset, BIOS updates. No luck with anything. Can reinstall with Secure Boot off, but that is about it. Same exact Proxmox ISO as the initial install.
could you boot an EFI+secure boot enabled livecd and post the output of "efibootmgr -v"?
 
I have a Beelink mini-PC which with Proxmox 8.1 was using secure boot just fine. Trying to do a fresh install of 8.2, and I get the same message as the OP.

Update: I found a workaround. In my Beelink BIOS I had to go into the secure boot settings and manually enroll all the EFI keys contained in the boot image. I had to do that for both the bootable installer (USB stick) and the post-install Proxmox VE image.
 
Did you do this with the USB in the unit? I wonder if that is what we have to do..

I do have the option to enroll custom keys but that's still an additional step we have to do in order to get secure boot support.
 
In my case the problem was that the shim used by the Proxmox Installer (8.2-1) was on the SBAT revocation list (you can check it with mokutil --list-sbat-revocations). Once I cleared this list (mokutil --set-sbat-policy delete) I could boot the Proxmox Installer with Secure Boot enabled.

I had the following revocations set: https://github.com/rhboot/shim/blob...0850d43d937a2b/SbatLevel_Variable.txt#L95-L98 which fix the CVEs listed above in that file.

I'm not sure which software added the shim to the revocation list, perhaps it was set when I booted the Ubuntu 24.04 live CD to perform a few ZFS operations. I can't think of anything else, Secure Boot was working fine before.
 
the new 15.8 shim used by PVE once you've upgraded to the current version revokes the old 15.7 shim, but the 8.2 ISO still contains that version. we'll respin the ISO with an updated shim binary to avoid the issue.
 
Awesome!!! Thank you Fabian! Looking forward to reinstalling Proxmox for the 100th time, gives me a reason to AGAIN!!!! :p
 
Where did you run mokutil? I tried running it from proxmox itself and it didn't help. I'm facing this same issue.
 
I was able to run within Proxmox's CLI. I don't think we can run it once/as we get the error message. So it still means disable secure boot, install Proxmox, then do the 'fixes', and then enable secure boot:
View attachment 72129
Yeah, or wait for the ISO without the revoked shim... not a great look when I'm trying to evaluate it to replace VMware
o_O
 
the new 15.8 shim used by PVE once you've upgraded to the current version revokes the old 15.7 shim, but the 8.2 ISO still contains that version. we'll respin the ISO with an updated shim binary to avoid the issue.
Good to hear :) When will this be done?
 
Thanks for the explanation! When exactly is the revocation list updated? I installed all available updates (apt dist-upgrade), but my revocation list only contains two entries (with older date):
Code:
root@pve:~# mokutil --list-sbat-revocations
sbat,1,2022052400
grub,2
where before it contained four entries:
Code:
sbat,1,2024010900
shim,4
grub,3
grub.debian,4


Where did you run mokutil? I tried running it from proxmox itself and it didn't help. I'm facing this same issue.
On the Proxmox host.

When you run mokutil --set-sbat-policy delete and start Proxmox again, is the list cleared? You can also check these instructions: https://en.opensuse.org/openSUSE:UEFI#Step_by_step_for_re-setting_SBAT
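
How the two revocation lists posted above decide whether a shim is allowed to boot, as an added example that is not part of any forum post and not Proxmox or shim code: an SBAT revocation entry "component,N" sets the minimum accepted generation, and an image whose .sbat section lists that component below N is refused. The .sbat contents for the old and new shim are constructed samples; the generations 3 and 4 are assumptions chosen to match the shim,4 entry in the thread.

```python
import csv

def parse_sbat(text):
    """Return {component: generation} from SBAT CSV text.

    Works for an image's .sbat section and for the output of
    `mokutil --list-sbat-revocations`; lines without a numeric
    second field (e.g. a pasted shell prompt) are ignored.
    """
    levels = {}
    for row in csv.reader(text.strip().splitlines()):
        if len(row) >= 2 and row[1].strip().isdigit():
            levels[row[0].strip()] = int(row[1])
    return levels

def revoked_components(image_sbat, revocations):
    """List (component, image_generation, required_minimum) for every
    component of the image that falls below the revocation floor."""
    image = parse_sbat(image_sbat)
    floor = parse_sbat(revocations)
    return sorted((name, gen, floor[name]) for name, gen in image.items()
                  if name in floor and gen < floor[name])

# Revocation lists as posted in the thread.
FOUR_ENTRY_LIST = """sbat,1,2024010900
shim,4
grub,3
grub.debian,4"""
TWO_ENTRY_LIST = """root@pve:~# mokutil --list-sbat-revocations
sbat,1,2022052400
grub,2"""

# Constructed .sbat sections (assumed generations, not dumped from a real binary).
OLD_SHIM_SBAT = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim"""
NEW_SHIM_SBAT = OLD_SHIM_SBAT.replace("shim,3,", "shim,4,")

if __name__ == "__main__":
    for label, sbat in (("old shim", OLD_SHIM_SBAT), ("new shim", NEW_SHIM_SBAT)):
        for name, rev in (("four-entry", FOUR_ENTRY_LIST), ("two-entry", TWO_ENTRY_LIST)):
            hits = revoked_components(sbat, rev)
            print(f"{label} vs {name} list:", "REJECTED " + str(hits) if hits else "ok")
```
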
 
Yeah, I missed that I need to disable secure boot before doing so, so that command didn't actually do anything. I'll have to try again when I have some more time to lab it.
 
It’ll be done when it’s done. This is why developers don’t tell us we are expecting an update/revamp.
A little different when you have an issue preventing your installer from booting on literally any system that has had a kernel update in the recent past... Really something they should have done before the shim was revoked.
 
Ran into the same problem today for my hp prodesk 600 G4...secure boot disabled and it boots again.

I'm quite new to proxmox. What is the best route to get secure boot working again?
 