shim SBAT data failed after upgrading to latest kernel.

chchia

I performed the latest kernel update this morning on my Proxmox host and restarted the host. Now I have ended up with this problem during BIOS boot-up, and the system shuts down immediately afterwards. I have Secure Boot enabled; what will happen if I reset Secure Boot? Will it stop my system from booting? Any advice?


The latest version of the kernel I updated to this morning is 6.8.8-2-pve.
 
OK, disabling Secure Boot in the BIOS still allows the Proxmox host to boot. No other configuration is needed. I will just disable the Secure Boot function.
 
could you please post the output of

Code:
apt list --installed | grep -- '-signed'

and

Code:
efibootmgr -v

thanks!
 
you shouldn't need custom keys set up provided you use our shim+grub+kernel
 
> you shouldn't need custom keys set up provided you use our shim+grub+kernel
For some reason that didn't work for me. On a fresh install I followed this guide:
https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysboot_secure_boot

But when the system rebooted, I got the "shim SBAT data failed" error. I reinstalled Proxmox twice because I thought I had missed something, but I got the same result when I tried on the 2nd fresh install.

The only way I was able to enable secure boot was following this guide:
https://pve.proxmox.com/wiki/Secure_Boot_Setup

After I ran the last bit 'sbkeysync --pk' I rebooted the PC, Secure Boot locked automatically and booted.

I ran apt update && apt upgrade, downloaded the latest kernel + updates and have had no issues.

This is on an HP Elite Mini 800 G9, with HP Sure Start and Secure Boot disabled prior to trying both guides.
 
normally it should be enough to boot the installer with secure boot enabled by the way ;)

maybe the implementation in that particular firmware is broken though, such systems do exist..
 
> normally it should be enough to boot the installer with secure boot enabled by the way ;)
>
> maybe the implementation in that particular firmware is broken though, such systems do exist..
I couldn't boot Proxmox from the USB with Secure Boot enabled or else I'd get the shim error unless it was disabled :p

This is the BIOS I have on the unit:


Well on this mini PC there's the HP Wolf Security on it.. IDK if that applies to both BIOS and OS but.. it's been a pain with certain OSs
 
I also had this problem today. I'm doing a fresh install of Proxmox 8.2 on an Intel NUC12 Pro and can't boot the installer with Secure Boot enabled.

It's odd because I was able to do the same install on this PC with Secure Boot enabled with Proxmox 8.1 with no problems. In that time I haven't altered the BIOS/UEFI nor updated it.
 
Same issue here with two Proxmox nodes. I ran updates yesterday but didn't reboot until this morning and one of two hosts gave the same complaint. "Verifying shim SBAT data failed". Disabling secure boot brought it back. I'll investigate turning it back on later today/tonight.

For what it's worth, these nodes are in my homelab. Both are Minisforum um790 Pro.
 
> I also had this problem today. I'm doing a fresh install of Proxmox 8.2 on an Intel NUC12 Pro and can't boot the installer with Secure Boot enabled.
>
> It's odd because I was able to do the same install on this PC with Secure Boot enabled with Proxmox 8.1 with no problems. In that time I haven't altered the BIOS/UEFI nor updated it.
which model and firmware version is this? just tested with a NUC12WSHi3 and it worked just fine (both the install, and the upgrade afterwards)..

@everyone could you post the checksums of the .efi files on the ESP for a failed case? e.g., `find /path/to/esp -iname '*.efi' -exec md5sum {} \;`
 
I have also tested this on my NUC14RVH-B, in a virtual env, and on a Supermicro server H11SSL-i. Works how it should.
 
> which model and firmware version is this? just tested with a NUC12WSHi3 and it worked just fine (both the install, and the upgrade afterwards)..
>
> @everyone could you post the checksums of the .efi files on the ESP for a failed case? e.g., `find /path/to/esp -iname '*.efi' -exec md5sum {} \;`
Where can I find the path to the ESP?
Whenever I run fwup, I get an error message saying 'No ESP found'.. Like you've previously said, No ESP - Ticking time bomb! o_O

I do want to mention that when I first booted into the USB to do a fresh install, I saw a message stating 'EFI mode detected' but will still install legacy?

Reason I say legacy is because whenever I run commands like proxmox-boot-tool status, I get:
Re-executing '/usr/sbin/proxmox-boot-tool' in new private mount namespace..
E: /etc/kernel/proxmox-boot-uuids does not exist.

But I have no clue, I'm still new to Proxmox ha! I installed it as ext4, but had the same issue when I installed as ZFS... I'm at a loss, boss!
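An added example, not part of any post in this thread and not Proxmox tooling: a shell helper that finds partitions carrying the EFI System Partition type GUID via `lsblk` and checksums the `.efi` files on the mounted ones, which is the data requested above. The function names and the `HASH_CMD` variable are made up for this example; it assumes util-linux `lsblk`, GNU `find` and `md5sum`.

```shell
# Added example, not from the thread: find ESPs and checksum their boot binaries.

# GPT partition type GUID that marks an ESP (defined by the UEFI spec).
ESP_GUID="c12a7328-f81f-11d2-ba4b-00a0c93ec93b"

# Read `lsblk -P -o PATH,PARTTYPE,MOUNTPOINT` lines on stdin and print
# "<device> <mountpoint>" per ESP, with "-" for an unmounted one.
esp_from_lsblk() {
    awk -v guid="$ESP_GUID" '
        function field(key,    re) {
            re = key "=\"[^\"]*\""
            if (!match($0, re)) return ""
            return substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
        }
        tolower(field("PARTTYPE")) == guid {
            mnt = field("MOUNTPOINT")
            print field("PATH"), (mnt == "" ? "-" : mnt)
        }'
}

# Print "<checksum>  <path>" for every *.efi file under DIR, sorted by path.
# md5sum matches the command requested in the thread; set HASH_CMD
# (for example to sha256sum) to use another tool.
hash_efi_files() {
    find "$1" -type f -iname '*.efi' -exec "${HASH_CMD:-md5sum}" {} + | sort -k 2
}

# Hash the binaries on every mounted ESP; report when no ESP exists at all.
scan_esps() {
    esps=$(lsblk -P -o PATH,PARTTYPE,MOUNTPOINT | esp_from_lsblk)
    if [ -z "$esps" ]; then
        echo "no partition with the ESP type GUID found" >&2
        return 1
    fi
    printf '%s\n' "$esps" | while read -r dev mnt; do
        if [ "$mnt" = "-" ]; then
            echo "# $dev: ESP, not mounted (mount it read-only, then hash that path)"
        else
            echo "# $dev: ESP mounted at $mnt"
            hash_efi_files "$mnt"
        fi
    done
}

# Run as "script.sh scan"; with no argument only the functions are defined.
if [ "${1:-}" = scan ]; then scan_esps; fi
```

An ESP that is listed but not mounted can be mounted read-only and passed to `hash_efi_files` directly.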
 
Another thing I would like to add, I was having the same issues with Ventoy and Secure Boot enabled.

I created a bootable USB using Ventoy (both on Windows and Linux) and was getting the exact same shim SBAT data failed error.

Digging into the error further, I was able to get the Ventoy USB running with secure boot by replacing a few files in the /EFI/Boot and enrolling the key via MOK Manager.
  1. mount VTOYEFI partition of ventoy usb. (If you do it on windows, you need to install ventoy as MBR partition and manually assign letter.)
  2. prepare signed shim (v15.8) files, I got these files from a fedora package (https://kojipkgs.fedoraproject.org/packages/shim/15.8/3/x86_64/shim-x64-15.8-3.x86_64.rpm)
  3. copy BOOTX64.efi and mmx64.efi from the shim package to /EFI/BOOT in VTOYEFI partition.
  4. rename grub.efi in /EFI/BOOT as grubx64.efi.
  5. reboot and enroll ventoy key using mok manager.

Upon installation though, I was unable to boot Proxmox even with the fix for Ventoy. But I figured it was because I was only enrolling the key for Ventoy USB boot and not the Proxmox install :p

I tried to see if I can find the Proxmox USB directory, but I couldn't find the same directory/files.

Fedora and Debian boots up right away with Secure Boot enabled and all o_O

Right now with the current setup, having to disable, enable, enrolling keys, using a 'hacked up' legacy boot on UEFI Secure Boot, and having no ESP, it feels like I have a Proxmox install that's hanging by a thread waiting for something to go wrong.

Once a fix happens, I'll be more than happy to test it out. Not too sure if Proxmox ever does any betas but I'll be more than happy to try it out.
 
Report the same issue described above in the red box on a HP ProDesk 600 G3 DM, BIOS P22 Ver. 02.49, Release date: 12/8/2023
after 8.2 update to latest.
 
> Report the same issue described above in the red box on a HP ProDesk 600 G3 DM, BIOS P22 Ver. 02.49, Release date: 12/8/2023
> after 8.2 update to latest.
could you try booting the 6.5 kernel if you have one installed?
 
> could you try booting the 6.5 kernel if you have one installed?
I had it patched up from 5.13 up to 6.5 and it ran fine on the 6.5 kernel, but I messed up the cluster config and decided to reinstall it from the latest 8.2.1 ISO and patched up to v8.2.2. The funniest thing is that it happened on 2 of 4 nodes, without any advanced configuration present except IP address and community repos.
 
I reinstalled latest Proxmox ISO last night and instead of enrolling custom keys I did the SHIM + MOK way and it worked great - this method is a lot faster too.

Weirdly enough, I installed Proxmox on my Microsoft Surface Laptop Studio that had Microsoft + 3rd Party CA Secure Boot enabled and it installed without issues no need to add keys or anything...



I used the same USB on my HP Elite Mini but I had to disable Secure Boot again, enroll SHIM + MOK, and then re-enable Secure Boot.
 
> Weirdly enough, I installed Proxmox on my Microsoft Surface Laptop Studio that had Microsoft + 3rd Party CA Secure Boot enabled and it installed without issues no need to add keys or anything...
that is not really surprising - our installer and boot packages are signed by Microsoft:

Code:
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root

but some systems are locked down further, and only allow Microsoft itself to run code by default, and not third party providers like us.

if you enroll your own key(s), then those should of course be trusted as well (you could also manually enroll our keys to get the same effect without the need to manually sign EFI binaries and kernel images, if the Third Party CA is not one of the pre-defined options on your system).

the question still remains what is going on on those systems that fail after upgrading, presumably either to the new kernel or new shim version.
 
This is driving me crazy. HP DL20 Gen10 Plus. Installed Proxmox today on the server fresh out of the box without issue. Decided to install on a different HD, the reinstall is giving me the same exact error as the OP. I have tried clearing keys, BIOS reset, BIOS updates. No luck with anything. Can reinstall with Secure Boot off, but that is about it. Same exact Proxmox ISO as the initial install
 
