A system with UEFI Secure Boot enabled fails to boot due to a verification failure error (0x1A). The error message indicates a security violation, which often results from corruption or modification of boot-critical files such as grubx64.efi.
Upon investigation using RPM verification, the /boot/efi/EFI/redhat/grubx64.efi file is found to be corrupted. To resolve the issue, we need to verify and reinstall the relevant package (grub2-efi-x64).
Diagnostic Steps
1. Verify System Integrity Using RPM Verification
Execute the following command to verify all installed packages and store the output in a file:
rpm -Va &> /tmp/rpmva.out
This command checks all installed RPM packages for any modifications, mismatches, or missing files. The output is redirected to /tmp/rpmva.out.
2. Identify Affected Packages
To filter the output and list only the relevant affected packages, execute:
egrep -v " c | d | g |opt" /tmp/rpmva.out | awk '{print $NF}' | sort | uniq | xargs rpm -qf 2>/dev/null | sort | uniq &> /tmp/pkgs.txt
- egrep -v " c | d | g |opt": Filters out non-relevant lines (configuration files, directories, and optional files).
- awk '{print $NF}': Extracts the filenames of affected files.
- sort | uniq: Removes duplicate entries.
- xargs rpm -qf: Finds the RPM package that owns each file.
- sort | uniq &> /tmp/pkgs.txt: Saves the affected package list in /tmp/pkgs.txt.
3. Identify Corrupted Files
By examining /tmp/rpmva.out, we can identify corruption in grubx64.efi:
S.5....T. /boot/efi/EFI/redhat/grubx64.efi
- S: Indicates a change in file size.
- 5: Indicates a checksum mismatch.
- T: Indicates a change in the modification time.
These signs confirm that grubx64.efi is corrupted and needs to be reinstalled.
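The flag check from step 3, as an added example that is not part of the original article: a shell function that reads rpm -Va output and reports files under /boot/efi that are missing or have the checksum flag (5) set, since a content change is what breaks Secure Boot signature verification. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output for changed files on the EFI System Partition.

# Constructed sample in the line format shown in this article (not from a real system).
sample_rpmva() {
cat <<'EOF'
S.5....T.    /boot/efi/EFI/redhat/grubx64.efi
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/lib/example/placeholder.so
missing      /boot/efi/EFI/redhat/placeholder.efi
.M.......  g /run/example
EOF
}

# Read rpm -V output on stdin and print "REASON path" for every file under
# /boot/efi that is missing or whose checksum flag (third character) is "5".
# Timestamp-only or mode-only changes are not reported.
# Assumption: paths contain no spaces, as with the article's awk '{print $NF}'.
efi_findings() {
    awk '
        { path = $NF }
        path !~ /^\/boot\/efi\// { next }
        $1 == "missing"          { print "MISSING " path; next }
        substr($1, 3, 1) == "5"  { print "DIGEST " path }
    '
}

# Print the findings and return 1 when there are any, so the result can gate
# a reboot or a monitoring check.
efi_check() {
    findings=$(efi_findings)
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

sample_rpmva | efi_check || echo "EFI boot files fail verification: reinstall before rebooting"
```

On a real system, feed it the saved report with efi_check < /tmp/rpmva.out.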
Resolution Steps
1. Reinstall the Affected Package
Reinstall the grub2-efi-x64 package using yum:
yum reinstall grub2-efi-x64-2.02-150.el8.x86_64
This command ensures that the corrupted file is replaced with the correct version from the package repository.
2. Verify the Installed Package
After reinstalling, verify the package to confirm that the issue is resolved:
rpm -V grub2-efi-x64-2.02-150.el8.x86_64
If the output is empty, it indicates that the files are now intact and no corruption is detected.
3. Check the EFI Boot Directory
List the contents of the EFI directory to ensure the necessary files are in place:
ls -l /boot/efi/EFI/redhat/
Expected output should contain:
-rwx------. 1 root root XXXXXXXX grubx64.efi
If grubx64.efi exists and has valid permissions, the file is properly installed.
Final Step: Reboot and Verify Boot Success
Reboot the system to verify that Secure Boot functions correctly:
reboot
Monitor the boot process and ensure that no verification failure messages appear. If Secure Boot is successful, the issue is resolved.
Additional Troubleshooting (If Issue Persists)
If the problem continues after reinstalling grub2-efi-x64, consider the following:
- Check for firmware updates and apply them if necessary.
- Run the following command to check Secure Boot logs:
dmesg | grep -i secureboot
- Disable Secure Boot temporarily to isolate the issue.
- Regenerate GRUB configuration using:
grub2-mkconfig -o /boot/grub2/grub.cfg
- If needed, reinstall the full bootloader:
dnf reinstall shim-x64 grub2-efi-x64 grub2-common
Conclusion
By following the above steps, we can identify and resolve the Secure Boot failure caused by a corrupted grubx64.efi file. Ensuring proper package integrity and verifying bootloader files will help restore system functionality.
If the issue persists, consider escalating to vendor support with logs from /tmp/rpmva.out and /tmp/pkgs.txt.









