2017-12-15 06:10 UTC

Issue 0014050 (CentOS-7 / shim, public); last update 2017-12-14 15:07
Reporter: kuoshen
Priority: normal; Severity: major; Reproducibility: always
Status: assigned; Resolution: open
Product Version: (none); Target Version: (none); Fixed in Version: (none)
Summary: 0014050: Failed to enter Shim UEFI key management screen while rebooting on CentOS 7 after upgrading to 7-4.1708
Description:
#rpm --query centos-release
centos-release-7-1.1503.el7.centos.2.8.x86_64

#yum update

#rpm --query centos-release
centos-release-7-4.1708.el7.centos.2.8.x86_64


We found that we failed to enter the Shim UEFI key management screen while rebooting on CentOS 7 after upgrading the product version to 7.4.1708. Users are forced to either disable Secure Boot or not use any 3rd-party drivers.

Relevant package versions:
Kernel version ==> 3.10.0-693.5.2.el7.x86_64
mokutil ==> mokutil 12-1.el7.centos
shim ==> shim-x64-12-1.el7.centos
Steps To Reproduce:
Step 1: create key
openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 \
-batch -config configuration_file.config -outform DER \
-out public_key.der \
-keyout private_key.priv

Step 2: enroll key
mokutil --import my_signing_key_pub.der

Step 3: reboot

Step 4: the Shim UEFI key management screen cannot be seen; the machine boots into the OS directly
Additional Information:
We found the possible root cause is the mokutil upgrade via yum. We rolled back the whole system to 7-1.1503 and updated only mokutil to 12-1.el7.centos, and this issue happened.

[Workaround]
With product version 7-4.1708, roll back mokutil to the older version:
1) Download the older versions of mokutil and shim (0.9-2.el7) locally
2) Remove the new version (12-1.el7) via yum:
yum remove mokutil.x86_64 shim-x64.x86_64
3) Install the older versions via rpm:
rpm -ivh mokutil-0.9-2.el7.x86_64.rpm shim-0.9-2.el7.x86_64.rpm
4) Reboot
5) Enroll new key
Tags: No tags attached.
abrt_hash: (none)
URL: (none)
Attached Files: (none)
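A pre-reboot check for the failure this report describes (MokManager never appearing after mokutil --import), added here as an example; it is not part of the bug report or of the mokutil/shim projects. It assumes efivarfs is mounted at /sys/firmware/efi/efivars and inspects the SecureBoot and MokNew EFI variables through which mokutil hands the enrollment request to shim.

```shell
#!/bin/sh
# Added example (not from the bug report): check, before rebooting, that
# Secure Boot is on and that mokutil --import actually staged a MOK request.
# Assumes efivarfs at /sys/firmware/efi/efivars; EFIVARS can be pointed at
# another directory for testing.
EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"  # owns SecureBoot
SHIM_LOCK_GUID="605dab50-e046-4300-abb6-3dd810dd8b23"   # owns MokNew/MokAuth

# Print the first data byte of an efivarfs file as a decimal number,
# skipping the 4-byte attribute header efivarfs prepends to every variable.
efivar_byte() {
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' '
}

# Returns 0 if Secure Boot is enabled, 1 if disabled, 2 if the variable is
# absent (not a UEFI boot, or efivarfs not mounted).
secureboot_state() {
    f="$EFIVARS/SecureBoot-$EFI_GLOBAL_GUID"
    [ -f "$f" ] || return 2
    [ "$(efivar_byte "$f")" = "1" ]
}

# Returns 0 if a MokNew variable with a real payload exists, i.e. mokutil
# --import staged an enrollment request for MokManager to show on next boot.
mok_request_pending() {
    f="$EFIVARS/MokNew-$SHIM_LOCK_GUID"
    [ -f "$f" ] || return 1
    [ "$(wc -c < "$f" | tr -d ' ')" -gt 4 ]
}

# Human-readable report; run as "sh mokcheck.sh --report" before rebooting.
report() {
    sb=0; secureboot_state || sb=$?
    case $sb in
        0) echo "Secure Boot: enabled" ;;
        1) echo "Secure Boot: disabled" ;;
        *) echo "Secure Boot: variable not found; UEFI boot with efivarfs mounted?" ;;
    esac
    if mok_request_pending; then
        echo "MOK request staged: MokManager should appear on the next boot"
        command -v mokutil >/dev/null 2>&1 && mokutil --list-new
    else
        echo "No MOK request staged: re-run mokutil --import before rebooting"
    fi
}

if [ "${1:-}" = "--report" ]; then report; fi
```

This only shows that the request was staged on the OS side; it cannot tell whether the installed shim will act on it at boot, so a staged request that still produces no MokManager screen points at the boot-side components rather than at the import step.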


Notes

~0030501 toracat (manager):

Related (?) -> https://bugzilla.redhat.com/show_bug.cgi?id=1477735

~0030502 TrevorH (developer):

Last edited: 2017-11-02 22:32


The workaround seems a little more complex than it could be. Here's a better way:

# yum --disablerepo=base,updates --enablerepo=C7.3.1611-base,C7.3.1611-updates shell
> remove mokutil shim-x64
> install mokutil shim
> run
--> Running transaction check
---> Package mokutil.x86_64 0:0.9-2.el7 will be installed
---> Package mokutil.x86_64 0:12-1.el7.centos will be erased
---> Package shim.x86_64 0:0.9-2.el7 will be installed
---> Package shim-x64.x86_64 0:12-1.el7.centos will be erased
--> Finished Dependency Resolution

================================================================================
 Package Arch Version Repository Size
================================================================================
Installing:
 mokutil x86_64 0.9-2.el7 C7.3.1611-base 37 k
 shim x86_64 0.9-2.el7 C7.3.1611-base 638 k
Removing:
 mokutil x86_64 12-1.el7.centos @base 82 k
 shim-x64 x86_64 12-1.el7.centos @base 6.2 M

~0030514 toracat (manager):

Last edited: 2017-11-02 22:34


I have tested the issue on a Toshiba Z30 running RHEL 7.4.

First I deleted a key (mokutil --delete <xxx.der>) and did a reboot. The Shim UEFI key management screen appeared upon reboot and I was able to go through the deletion process.

Second, I added the same key (mokutil --import <xxx.der>) and did a reboot. The Shim UEFI key management screen appeared upon reboot and I was able to add the key.

At this point, either:

(1) the CentOS version of shim/mokutil has the problem.

Or

(2) this is hardware-specific.

Or both.

mokutil-12-1.el7.x86_64
shim-x64-12-1.el7.x86_64
shim-unsigned-0.9-1.el7.x86_64

~0030516 kuoshen (reporter):

This issue only happens on CentOS. I did try RHEL 7.4 before. It works normally.

~0030518 toracat (manager):

Thanks for the info. So, this IS a CentOS issue.

@kbsingh, @JohnnyHughes, any idea how to fix this?

~0030543 toracat (manager):

@kbsingh@karan.org

The changelog says:

* Thu Aug 31 2017 Karanbir Singh <kbsingh@centos.org> - 12-1.el7.centos
- interim build

Will there be a "final" build? Or should this wait for the next point release?

~0030748 toracat (manager):

Reminder sent to: JohnnyHughes, kbsingh@karan.org

Response appreciated.

Issue History
Date Modified | Username | Field | Change
2017-10-24 06:32 kuoshen New Issue
2017-10-31 19:53 toracat Status new => acknowledged
2017-11-01 00:15 toracat Note Added: 0030501
2017-11-01 00:48 TrevorH Note Added: 0030502
2017-11-02 22:30 toracat Note Added: 0030514
2017-11-02 22:32 toracat Note Edited: 0030514 View Revisions
2017-11-02 22:32 toracat Note Edited: 0030502 View Revisions
2017-11-02 22:34 toracat Note Edited: 0030514 View Revisions
2017-11-03 03:07 kuoshen Note Added: 0030516
2017-11-03 04:20 toracat Note Added: 0030518
2017-11-03 04:21 toracat Status acknowledged => assigned
2017-11-08 19:18 toracat Note Added: 0030543
2017-12-14 15:07 toracat Note Added: 0030748