Took it out of the box and put it together yesterday. Made a bootable USB on my desktop using the correct Bazzite ISO (Framework+AMD), written with Fedora Media Writer. Followed the installation instructions very strictly.
Tested media+installed, test passed, got through the installation wizard, all good, hit reboot.
I get a GRUB version 2.06 screen that gives me two different Bazzite boot options (“Fedora Linux 40.20240613.0 (Bazzite) (ostree:0)”) and “UEFI Firmware Settings”.
Selecting the first Bazzite option puts this on the screen:
error: …/…/grub-core/kern/efi/sb.c:182:bad shin signature.
error: …/…/grub-core/loader/i386/efi/linux.c:258:you need to load the kernel first.
Disabling secure boot after it had already started happening didn’t do anything;
redoing the installation, rebooting, having it happen again, and re-disabling secure reboot also didn’t fix it;
redoing the installation again and immediately disabling secure boot upon the first reboot did, though. Bazzite booted properly and I got to the desktop.
I the turned the computer off and back on to make sure I could get in normally. There are now four different Bazzite options on the GRUB screen that pops up on boot, but if it sits for a few seconds it selects the first one and I end up at the desktop again.
This Is normal for the fedora atomic based distros, there is long time bug that grub screen shows the bootable images double. There is a command to get rid of the double options.
I usually disable secure boot forst thing before installing linux, but of it now boots then you are fine
Yeah that’s just a remnant of your other installs, only the first one is truly there and working. You might want to clean that up.
For anyone who doesn’t know, shim is a program used to verify the authenticity of secure boot keys. By default secure boot is quite an antilinux feature, microsoft having their key and no other key preinstalled in each machine. For secure boot to work properly on bazzite I’m pretty sure you need to enroll their secure boot key. Basically it just says allows things signed by bazzite devs to work. If you installed bazzite with your secure boot on, bazzite installed support for secure boot so expected to have their key installed when you rebooted, but you likely havent installed their key as it is a manual process.
Disabling secure boot before the install should fix your issue, also disabling secure boot before the first boot could too. If you need to re-enable secure boot as part of your threat model, I recommend you follow the key adding procedure its not that hard, normally you should be able to “enroll” it from the bios of your laptop under Security options > Secure Boot or (I would prefer) directly from your laptop by following these steps posted in reddit:
This is how I did it on my device:
install bazzite with secure boot disabled
with secure boot still disabled, run `ujust enroll-secure-boot-key` in terminal
if prompted for a password, use `ublue-os`
reboot, and you'll see a blue screen with `enroll MOK`
select `enroll MOK`, and use the same `ublue-os` password
you're now setup, reboot back into bios and re-enable secure boot
note, after bios updates, you may need to re-enroll bazzite for secure boot
That are the same instructions as posted in the universal blue (fedora version on which bazzite builds upon) official bazzite guide, CTRL+F for secure boot and you find:
#### **Method B**) After Installation Method
**ATTENTION**: Disable Secure Boot before doing this, and then re-enable it after enrolling the key.
If you have already installed Bazzite then **enter this command in a host terminal**:
ujust enroll-secure-boot-key
If prompted to enroll the required key, then **enter the password in the host terminal**:
ublue-os
You can now turn Secure Boot back on in the BIOS.