Secure Boot fails with "bad shim signature" error when booting Bazzite
questionbughardware-compat
Hardware:
Motherboard: MSI [model if known]
GPU: NVIDIA
UEFI mode: Enabled / CSM: Disabled
What I've tried (extensively):
Installed Bazzite multiple times (3+)
Tried Nobara (works but doesn't support Secure Boot)
Tried Fedora (installer freezes at timezone)
Used various USB creators: Rufus (DD mode), BalenaEtcher, Ventoy (Grub2 mode works, Normal mode fails)
Reset Secure Boot keys in BIOS ("Delete all Secure Boot variables" + "Enroll Factory Defaults")
Disabled XMP, Fast Boot, Game Mode in BIOS
Ran ujust enroll-secure-boot-key (password: universalblue) multiple times
Manually copied mmx64.efi from /EFI/fedora to /EFI/bazzite
Used mokutil --reset, --import, --list-enrolled, etc.
Previously installed rEFInd from Windows (likely corrupted the EFI partition)
Wiped disk with GParted, clean Windows 11 reinstall, then Bazzite — same issue
Current state (from within Bazzite with Secure Boot OFF):
sudo mokutil --list-enrolled shows 26 keys (remnants of Fedora, rEFInd, MyMOK, Nobara, Bazzite attempts)
sudo mokutil --list-new → empty
sudo mokutil --list-delete → empty (even after --reset)
sudo mokutil --sb-state → SecureBoot disabled (as expected)
ujust enroll-secure-boot-key → says it schedules MOK for next reboot, but MokManager never appears when Secure Boot is enabled
Suspected problem:
Firmware (UEFI) is not properly handling MOK variables. It seems to ignore or fail to write MOK enrollment/ deletion requests. Possibly a bug in MSI BIOS implementation of MokManager.
What I need:
Help getting MokManager to appear consistently so I can enroll the Bazzite key (universalblue) and boot with Secure Boot ON.
Alternatively, any known workaround for MSI boards with stubborn UEFI behavior.
Logs/attachments:
[Include screenshots of the error, mokutil --list-enrolled, efibootmgr -v, and any relevant journalctl output]
Motherboard: MSI [model if known]
GPU: NVIDIA
UEFI mode: Enabled / CSM: Disabled
What I've tried (extensively):
Installed Bazzite multiple times (3+)
Tried Nobara (works but doesn't support Secure Boot)
Tried Fedora (installer freezes at timezone)
Used various USB creators: Rufus (DD mode), BalenaEtcher, Ventoy (Grub2 mode works, Normal mode fails)
Reset Secure Boot keys in BIOS ("Delete all Secure Boot variables" + "Enroll Factory Defaults")
Disabled XMP, Fast Boot, Game Mode in BIOS
Ran ujust enroll-secure-boot-key (password: universalblue) multiple times
Manually copied mmx64.efi from /EFI/fedora to /EFI/bazzite
Used mokutil --reset, --import, --list-enrolled, etc.
Previously installed rEFInd from Windows (likely corrupted the EFI partition)
Wiped disk with GParted, clean Windows 11 reinstall, then Bazzite — same issue
Current state (from within Bazzite with Secure Boot OFF):
sudo mokutil --list-enrolled shows 26 keys (remnants of Fedora, rEFInd, MyMOK, Nobara, Bazzite attempts)
sudo mokutil --list-new → empty
sudo mokutil --list-delete → empty (even after --reset)
sudo mokutil --sb-state → SecureBoot disabled (as expected)
ujust enroll-secure-boot-key → says it schedules MOK for next reboot, but MokManager never appears when Secure Boot is enabled
Suspected problem:
Firmware (UEFI) is not properly handling MOK variables. It seems to ignore or fail to write MOK enrollment/ deletion requests. Possibly a bug in MSI BIOS implementation of MokManager.
What I need:
Help getting MokManager to appear consistently so I can enroll the Bazzite key (universalblue) and boot with Secure Boot ON.
Alternatively, any known workaround for MSI boards with stubborn UEFI behavior.
Logs/attachments:
[Include screenshots of the error, mokutil --list-enrolled, efibootmgr -v, and any relevant journalctl output]
Solution
Basically there is messed and stuck secure boot key that need to be nuked and doing bios update nuked it
