View Issue Details
Field | Value
---|---
ID | 0014050
Project | CentOS-7
Category | shim-x64
View Status | public
Date Submitted | 2017-10-24 06:32
Last Update | 2018-10-09 22:25
Reporter | kuoshen
Assigned To |
Priority | normal
Severity | major
Reproducibility | always
Status | resolved
Resolution | fixed
Summary | 0014050: Failed to Enter Shim UEFI key management screen while rebooting on CentOS7 if upgrade to 7-4.1708
Description:

    # rpm --query centos-release
    centos-release-7-1.1503.el7.centos.2.8.x86_64
    # yum update
    # rpm --query centos-release
    centos-release-7-4.1708.el7.centos.2.8.x86_64

We found that we fail to enter the Shim UEFI key management screen while rebooting on CentOS 7 after upgrading the product version to 7.4.1708. Users are forced to either disable Secure Boot or not use any 3rd-party drivers.

Related package versions: kernel 3.10.0-693.5.2.el7.x86_64, mokutil 12-1.el7.centos, shim shim-x64-12-1.el7.centos
Steps To Reproduce:

Step 1: create key

    openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 \
        -batch -config configuration_file.config -outform DER \
        -out public_key.der \
        -keyout private_key.priv

Step 2: enroll key

    mokutil --import my_signing_key_pub.der

Step 3: reboot

Step 4: cannot see the Shim UEFI key management screen; the machine jumps into the OS directly
Additional Information:

We found the possible root cause is the mokutil upgrade via yum. We rolled back the whole system to 7-1.1503 and only updated mokutil to 12-1.el7.centos. This issue happened.

[WorkAround] With Product Version 7-4.1708, roll back mokutil to the older version:

1) Download the older version of mokutil and shim (ver 0.9-2.el7) to local
2) Remove the new version 12-1.el7 via yum:

    yum remove mokutil.x86_64 shim-x64.x86_64

3) Install the older version via rpm:

    rpm -ivh mokutil-0.9-2.el7.x86_64.rpm shim-0.9-2.el7.x86_64.rpm

4) Reboot
5) Enroll new key
Tags: QA-7.5
Related (?) -> https://bugzilla.redhat.com/show_bug.cgi?id=1477735
The workaround seems a little more complex than it could be. Here's a better way:

    # yum --disablerepo=base,updates --enablerepo=C7.3.1611-base,C7.3.1611-updates shell
    > remove mokutil shim-x64
    > install mokutil shim
    > run
    --> Running transaction check
    ---> Package mokutil.x86_64 0:0.9-2.el7 will be installed
    ---> Package mokutil.x86_64 0:12-1.el7.centos will be erased
    ---> Package shim.x86_64 0:0.9-2.el7 will be installed
    ---> Package shim-x64.x86_64 0:12-1.el7.centos will be erased
    --> Finished Dependency Resolution

    ================================================================================
     Package        Arch        Version             Repository           Size
    ================================================================================
    Installing:
     mokutil        x86_64      0.9-2.el7           C7.3.1611-base       37 k
     shim           x86_64      0.9-2.el7           C7.3.1611-base      638 k
    Removing:
     mokutil        x86_64      12-1.el7.centos     @base                82 k
     shim-x64       x86_64      12-1.el7.centos     @base               6.2 M
|
I have tested the issue on a Toshiba Z30 running RHEL 7.4.

First I deleted a key (mokutil --delete <xxx.der>) and did a reboot. The Shim UEFI key management screen appeared upon reboot and I was able to go through the deletion process.

Second, I added the same key (mokutil --import <xxx.der>) and did a reboot. The Shim UEFI key management screen appeared upon reboot and I was able to add the key.

At this point, either: (1) the CentOS version of shim/mokutil has the problem, or (2) this is hardware-specific. Or both.

    mokutil-12-1.el7.x86_64
    shim-x64-12-1.el7.x86_64
    shim-unsigned-0.9-1.el7.x86_64
|
This issue only happens on CentOS. I did try RHEL 7.4 before. It works normally.
Thanks for the info. So, this IS a CentOS issue. @kbsingh, @JohnnyHughes, any idea how to fix this?
|
@kbsingh@karan.org The changelog says:

    * Thu Aug 31 2017 Karanbir Singh <kbsingh@centos.org> - 12-1.el7.centos
    - interim build

Will there be a "final" build? Or should this wait for the next point release?
|
Reminder sent to: JohnnyHughes, kbsingh@karan.org. Response appreciated.
|
Reminder sent to: kbsingh@karan.org. Is the plan now to fix this in the upcoming EL7.5?
|
Hi, is the plan to fix this in the near future? At the moment I'm running with TrevorH's solution. Running fully updated CentOS 7.5.
|
Got this problem in centos-7.4.1708 and trevorh's solution worked beautifully!

To anyone that wants to try their solution, these flags may be useful (to put in with the other yum flags):

    --setopt=obsoletes=0
      ^ Necessary in order to install old packages
    -y
      ^ yum did not want to find an old version of mokutil, so I just ran "install shim" with the -y flag before entering shell and it installed the right mokutil version as a dependency.

After reinstalling these packages, the UEFI key management appeared on reboot. Hope this helps someone~
|
I've just started a completely new/separated process to build/sign all the kernel+shim+grub2+fwupdate rpm pkgs, so also having a look at opened bug reports.

It seems the switch to /boot/efi/EFI/centos introduced some issues. The following changes worked for me:

    cp /boot/efi/EFI/centos/mmx64.efi /boot/efi/EFI/centos/MokManager.efi
    cp /boot/efi/EFI/BOOT/fbx64.efi /boot/efi/EFI/BOOT/fallback.efi

After that, I was able to "mokutil --import <key>.der ; systemctl reboot" and then entered MokManager to let me enroll that new key. This was tested on a freshly installed CentOS 7.5.1804 x86_64.

Can some other people confirm that it then works fine? After some feedback we'll introduce all fixes into newer pkg and we'll ask for some testers/feedback (but long way to go as it has also to go through Microsoft signing)
|
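The comment above restores MokManager by copying the shim 12 file names (mmx64.efi, fbx64.efi) to the older names (MokManager.efi, fallback.efi). The script below is an added example, not code from the bug report or from the CentOS shim package: a small diagnostic that reports, for a given ESP mount, which of the two names is missing or stale, and a fixer that applies exactly those two copies, only where the legacy name is absent so an existing file is never silently overwritten. It assumes the reading that the affected boot path looks for the legacy names, which is an inference from the workaround, not something the page states outright. The sample ESP tree it runs against is constructed in a temporary directory; a real run is `check_mok_layout /boot/efi`.

```shell
#!/bin/sh
# Added example, not part of the bug report. Checks and (optionally) applies the
# file-name workaround for MokManager on CentOS 7.x after the shim-x64-12 update.
# Assumption (inferred from the workaround, not stated on the page): the boot
# path still looks for the legacy names MokManager.efi and fallback.efi.

# new-name:legacy-name pairs relative to the ESP root, as copied in the workaround
MOK_PAIRS="EFI/centos/mmx64.efi:EFI/centos/MokManager.efi EFI/BOOT/fbx64.efi:EFI/BOOT/fallback.efi"

# Report the state of each pair under the ESP root $1.
# Returns 0 when every legacy name exists and is byte-identical to its
# new-name counterpart, 1 otherwise.
check_mok_layout() {
    esp=$1
    bad=0
    for pair in $MOK_PAIRS; do
        new=$esp/${pair%%:*}
        old=$esp/${pair##*:}
        if [ ! -f "$new" ]; then
            echo "MISSING $new (shim 12 binary not installed under this ESP?)"
            bad=1
        elif [ ! -f "$old" ]; then
            echo "MISSING $old (legacy name absent; this is what the cp workaround restores)"
            bad=1
        elif ! cmp -s "$new" "$old"; then
            echo "STALE   $old differs from $new (left over from another shim build?)"
            bad=1
        else
            echo "OK      $old matches $new"
        fi
    done
    return $bad
}

# Apply the two copies from the workaround, but only when the legacy name does
# not already exist: a differing existing file is reported by the checker,
# never replaced here, so a deliberate local change is not clobbered.
apply_mok_workaround() {
    esp=$1
    for pair in $MOK_PAIRS; do
        new=$esp/${pair%%:*}
        old=$esp/${pair##*:}
        if [ -f "$new" ] && [ ! -f "$old" ]; then
            cp "$new" "$old"
            echo "COPIED  $new -> $old"
        fi
    done
}

# Constructed stand-in for an ESP right after the shim-x64-12 upgrade: only the
# new names are present. File contents are fake; the real ESP is /boot/efi.
make_sample_esp() {
    dir=$(mktemp -d)
    mkdir -p "$dir/EFI/centos" "$dir/EFI/BOOT"
    printf 'fake mmx64.efi' > "$dir/EFI/centos/mmx64.efi"
    printf 'fake fbx64.efi' > "$dir/EFI/BOOT/fbx64.efi"
    echo "$dir"
}

# Demonstration on the constructed tree: the check fails before the copies and
# passes after them.
demo_esp=$(make_sample_esp)
check_mok_layout "$demo_esp" || echo "-> layout incomplete, applying workaround"
apply_mok_workaround "$demo_esp"
check_mok_layout "$demo_esp" && echo "-> layout complete"
rm -rf "$demo_esp"
```

On a real system, run the checker first and only then the fixer; a STALE result means a file with the legacy name already exists but does not match the shim 12 binary, which is worth understanding before touching the ESP. The checker is also a reasonable thing to re-run after any shim or grub2 package update, since a package change can reintroduce the mismatch.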
    cp /boot/efi/EFI/centos/mmx64.efi /boot/efi/EFI/centos/MokManager.efi
    cp /boot/efi/EFI/BOOT/fbx64.efi /boot/efi/EFI/BOOT/fallback.efi

works on mine also. CentOS Linux release 7.5.1804 (Core) with kernel 3.10.0-862.9.1.el7.x86_64
|
Hi guys,

It was a long way but we got updated shim that is now signed by Microsoft and so we'd need feedback. That new shim normally has a fix for the mokmanager issue, so we'd like to get confirmation that it solves issues on your side.

Here are the pkgs: https://people.centos.org/arrfab/shim/results/shim-signed-20180824151850/

Please note that while shim itself is signed by Microsoft, the rpm pkg isn't yet signed, as it will be *after* validation/QA and so it will be pushed to updates the normal way. We'd like to collect as many answers as possible before pushing those pkgs to mirror.centos.org

Also worth noting that the new shim also embeds the new cert to be able to boot the new kernels we'll build soon (as we had to re-key, due to changes at the build system level)
|
Those updated shim packages were signed/pushed to the CR repository. After some time they'll also be pushed to the Updates repo. The more feedback we get, the faster those packages will be promoted to Updates.

See also https://blog.centos.org/2018/08/secureboot-rolling-out-new-shim-pkgs-for-centos-7-5-1804-in-cr-repository-asking-for-testers-feedback/
|
New shim/shim-unsigned pkgs (version 12-2.el7) were signed/pushed to updates, so closing this bug request.
|
Date Modified | Username | Field | Change |
---|---|---|---|
2017-10-24 06:32 | kuoshen | New Issue | |
2017-10-31 19:53 | toracat | Status | new => acknowledged |
2017-11-01 00:15 | toracat | Note Added: 0030501 | |
2017-11-01 00:48 | TrevorH | Note Added: 0030502 | |
2017-11-02 22:30 | toracat | Note Added: 0030514 | |
2017-11-02 22:32 | toracat | Note Edited: 0030514 | |
2017-11-02 22:32 | toracat | Note Edited: 0030502 | |
2017-11-02 22:34 | toracat | Note Edited: 0030514 | |
2017-11-03 03:07 | kuoshen | Note Added: 0030516 | |
2017-11-03 04:20 | toracat | Note Added: 0030518 | |
2017-11-03 04:21 | toracat | Status | acknowledged => assigned |
2017-11-08 19:18 | toracat | Note Added: 0030543 | |
2017-12-14 15:07 | toracat | Note Added: 0030748 | |
2018-01-26 07:43 | toracat | Relationship added | child of 0008360 |
2018-01-26 07:44 | toracat | Tag Attached: QA-7.5 | |
2018-03-01 17:49 | toracat | Note Added: 0031342 | |
2018-05-24 10:34 | saint | Note Added: 0031906 | |
2018-06-05 15:26 | TheBurnerGuy | Note Added: 0032014 | |
2018-07-18 13:27 | arrfab | Note Added: 0032302 | |
2018-07-22 15:51 | redbow_kimee | Note Added: 0032333 | |
2018-08-25 06:17 | arrfab | Status | assigned => feedback |
2018-08-25 06:17 | arrfab | Note Added: 0032591 | |
2018-08-30 06:18 | arrfab | Note Added: 0032625 | |
2018-09-18 14:25 | arrfab | Status | feedback => resolved |
2018-09-18 14:25 | arrfab | Resolution | open => fixed |
2018-09-18 14:25 | arrfab | Note Added: 0032752 | |
2020-08-24 23:33 | toracat | Category | shim => shim-x64 |