Fix for Fedora Atomic Desktop and Fedora IoT boot failure

Fedora Atomic Desktopand Fedora IoT systems installedbefore Fedora40 may fail to boot after an update if secure bootis enabled. Fedora Magazine has apost by Timothee Ravier about the problem, how users can workaround it, and what the project is doing to avoid the similar problemsin the future:

On Fedora Atomic Desktops and Fedora IoT systems, the componentsthat are part of the boot chain (Shim, GRUB) are not (yet)automatically updated alongside the rest of the system. Thus, if youhave installed a Fedora Atomic Desktop or a Fedora IoT system beforeFedora 40, it uses an old versions of the Shim and bootloader binariesto boot your system.

When Secure Boot is enabled, the EFI firmware loads Shimfirst. Shim is signed by the Microsoft Third Party CertificateAuthority so that it can be verified on most hardware out of thebox. The Shim binary includes the Fedora certificates used to verifybinaries signed by Fedora. Then Shim loads GRUB, which in turn loadsthe Linux kernel. Both are signed by Fedora.

Until recently, the kernel binaries where signed two times, with anolder key and a newer one. With the 6.9 kernel update, the kernel isno longer signed with the old key. If GRUB or Shim is old enough anddoes not know about the new key, the signature verification fails.