Attempting to boot kernel 4.18.0-477.10.1.el8_8 with secure boot enabled is resulting in a missing or invalid signature error. Is anyone else seeing this?
Is the error for any particular module, or for the kernel in general?
Another AlmaLinux 8.8 machine has no trouble booting that kernel. I can select the previous kernel 4.18.0-425.19.2.el8_7.x86_64 and boot that fine.
One difference, on the good machine:
# mokutil --list-enrolled | grep Subject:
Subject: serialNumber=5561017/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization, C=US, ST=Florida, O=AlmaLinux OS Foundation, CN=AlmaLinux OS Foundation
Subject: C=US, ST=Florida, L=Fort Myers, O=AlmaLinux OS Foundation/serialNumber=5561017, CN=AlmaLinux OS Foundation/businessCategory=Private Organization/jurisdictionST=Delaware/jurisdictionC=US
on the bad machine:
# mokutil --list-enrolled | grep Subject:
Subject: jurisdictionC=US/jurisdictionST=Delaware/postalCode=FL 33913/street=15068 Blue Bay Circle/businessCategory=Private Organization/serialNumber=83-0923043, C=US, ST=Florida, L=Fort Myers, O=Cloud Linux Software, Inc, CN=Cloud Linux Software, Inc
But I don’t recall adding any keys to the “good” machine - in fact I had to install mokutil to get the listing. But I may have installed an AlmaLinux key on the “bad” machine.
So, whatever you do, do NOT run mokutil --set-verbosity true. It will spew LOTS of output and likely break booting.
For now I’ve disabled secure boot. I also ran mokutil --reset and perhaps that has cleared the old key? Not sure.
Now mokutil output matches that of the “good” machine - so perhaps those are just the keys needed for the new kernel? The mokutil output from another machine running the 8.7 kernel shows what I was seeing on the “bad” machine with the 8.7 kernel so that seems to match.
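
The comparison made by hand in this thread can be scripted. The following is an added example, not posted by anyone in the thread: it parses saved `mokutil --list-enrolled | grep Subject:` output from two hosts and reports which signer names are enrolled on only one of them. The function names are hypothetical; the sample input is the output quoted above.

```python
import re

# `mokutil --list-enrolled | grep Subject:` output as quoted in the thread.
GOOD = """\
Subject: serialNumber=5561017/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization, C=US, ST=Florida, O=AlmaLinux OS Foundation, CN=AlmaLinux OS Foundation
Subject: C=US, ST=Florida, L=Fort Myers, O=AlmaLinux OS Foundation/serialNumber=5561017, CN=AlmaLinux OS Foundation/businessCategory=Private Organization/jurisdictionST=Delaware/jurisdictionC=US
"""
BAD = """\
Subject: jurisdictionC=US/jurisdictionST=Delaware/postalCode=FL 33913/street=15068 Blue Bay Circle/businessCategory=Private Organization/serialNumber=83-0923043, C=US, ST=Florida, L=Fort Myers, O=Cloud Linux Software, Inc, CN=Cloud Linux Software, Inc
"""

# Attributes are separated by ", " or "/", but a value may itself contain
# ", " (e.g. "Cloud Linux Software, Inc"), so split only where the
# separator is immediately followed by the next "name=".
_SEP = re.compile(r"(?:, |/)(?=[A-Za-z]+=)")


def parse_subject(line):
    """Return the attributes of one 'Subject:' line as a dict, else None."""
    body = line.strip()
    if not body.startswith("Subject:"):
        return None
    attrs = {}
    for part in _SEP.split(body[len("Subject:"):].strip()):
        name, _, value = part.partition("=")
        attrs[name] = value
    return attrs


def signers(text):
    """Set of (O, CN) pairs enrolled on a host. This compares names only:
    distinct certificates with the same O and CN collapse into one entry."""
    found = set()
    for line in text.splitlines():
        attrs = parse_subject(line)
        if attrs:
            found.add((attrs.get("O"), attrs.get("CN")))
    return found


def compare(host_a, host_b):
    """Signer names enrolled on only one host, and those on both."""
    a, b = signers(host_a), signers(host_b)
    return {"only_a": a - b, "only_b": b - a, "both": a & b}


if __name__ == "__main__":
    for key, names in compare(GOOD, BAD).items():
        print(key, sorted(names))
```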