Did you just install kernel-cachyos and got hit by bad shim signature when booting? Me too. This is how I fixed it.
First, make sure you have Secure Boot with mokutil --sb-state.
Note, there's a second way of doing this by using sbctl, but I didn't want to wipe my Secure Boot keys.
Full instructions at https://github.com/CachyOS/copr-linux-cachyos
- Check your CPU support
/lib64/ld-linux-x86-64.so.2 --help | grep "(supported, searched)", my CPU supports v2, v3 and v4. - Enable a suitable repo:
sudo dnf copr enable bieszczaders/kernel-cachyos. - Install suitable kernel:
sudo dnf install kernel-cachyos kernel-cachyos-devel-matched. - Let the kernel load modules:
sudo setsebool -P domain_kernel_load_modules on. - Done!
If you reboot now you'll get the "bad shim signature" error and have to pick an official Fedora kernel to boot. Don't worry, you didn't break anything.
We can self-sign the kernel by adding our key as a MOK (Machine Owner Key).
Based on general kernel signing procedures for Fedora and RHEL.
sudo dnf install pesign openssl kernel-devel mokutil keyutils
sudo echo "$USER" >> /etc/pesign/users
sudo /usr/libexec/pesign/pesign-authorize
openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" \
-outform DER -out "cert.der" -nodes -days 36500 \
-subj "/CN=CachyOS Secure Boot/"
openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der
sudo certutil -A -i cert.der -n "CachyOS Secure Boot" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"
sudo pk12util -i key.p12 -d /etc/pki/pesign
sudo mokutil --import "cert.der"
cd /boot
sudo pesign --certificate 'CachyOS Secure Boot' \
--in vmlinuz-6.14.6-cachyos1.fc42.x86_64 \
--sign \
--out vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed
sudo mv vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed vmlinuz-6.14.6-cachyos1.fc42.x86_64And reboot and choose enroll the key. The MOK password is only used once so I suggest using "12345678". Replace "CachyOS Secure Boot" and "vmlinuz-6.14.6-cachyos1.fc42.x86_64" with whatever applies in your case.
Whooray! You can now boot the CachyOS Kernel for Fedora with Secure Boot enabled! Let's make sure that it continues to work across updates!
- Create and open
sudo nano /etc/kernel/postinst.d/00-signing - Enter the following content:
#!/bin/sh
set -e
KERNEL_IMAGE="$2"
MOK_KEY_NICKNAME="CachyOS Secure Boot"
if [ "$#" -ne "2" ] ; then
echo "Wrong count of command line arguments. This is not meant to be called directly." >&2
exit 1
fi
if [ ! -x "$(command -v pesign)" ] ; then
echo "pesign not executable. Bailing." >&2
exit 1
fi
if [ ! -w "$KERNEL_IMAGE" ] ; then
echo "Kernel image $KERNEL_IMAGE is not writable." >&2
exit 1
fi
echo "Signing $KERNEL_IMAGE..."
sudo pesign --certificate "$MOK_KEY_NICKNAME" --in "$KERNEL_IMAGE" --sign --out "$KERNEL_IMAGE.signed"
sudo mv "$KERNEL_IMAGE.signed" "$KERNEL_IMAGE"- Correct the permissions with:
sudo chown root:root /etc/kernel/postinst.d/00-signing ; chmod u+rx /etc/kernel/postinst.d/00-signing
Whenever you receive an update to the official Fedora kernel it will replace the CachyOS kernel as the default kernel. One solution is to uninstall the official kernel, and another is to reset the default kernel to CachyOS after each update:
- Create and open
sudo nano /etc/kernel/postinst.d/99-default - Enter the following content:
#!/bin/sh
set -e
grubby --set-default=/boot/$(ls /boot | grep vmlinuz.*cachyos | sort -V | tail -1)- Correct the permissions with:
sudo chown root:root /etc/kernel/postinst.d/99-default ; sudo chmod u+rx /etc/kernel/postinst.d/99-default