View Issue Details

ID: 0014050
Project: CentOS-7
Category: shim
View Status: public
Last Update: 2018-09-18 14:25
Reporter: kuoshen
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version:
Target Version:
Fixed in Version:
Summary: 0014050: Failed to enter Shim UEFI key management screen while rebooting on CentOS 7 after upgrading to 7-4.1708
Description:
#rpm --query centos-release
centos-release-7-1.1503.el7.centos.2.8.x86_64

#yum update

#rpm --query centos-release
centos-release-7-4.1708.el7.centos.2.8.x86_64


We found that we fail to enter the Shim UEFI key management screen while rebooting on CentOS 7 after upgrading the product version to 7.4.1708. Users are forced to either disable Secure Boot or not use any 3rd-party drivers.

Relevant package versions:
kernel => 3.10.0-693.5.2.el7.x86_64
mokutil => mokutil-12-1.el7.centos
shim => shim-x64-12-1.el7.centos
Steps To Reproduce:
Step 1: create key
openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 \
-batch -config configuration_file.config -outform DER \
-out public_key.der \
-keyout private_key.priv

Step 2: enroll key
mokutil --import my_signing_key_pub.der

Step 3: reboot

Step 4: the Shim UEFI key management screen does not appear and the system boots straight into the OS
Additional Information:
We found that the possible root cause is the mokutil upgrade via yum. We rolled back the whole system to 7-1.1503 and only updated mokutil to 12-1.el7.centos. This issue happened.

[Workaround]
With product version 7-4.1708, roll back mokutil to the older version:
1) Download the older mokutil and shim packages (version 0.9-2.el7) locally
2) Remove the new version 12-1.el7 via yum:
yum remove mokutil.x86_64 shim-x64.x86_64
3) Install the older version via rpm:
rpm -ivh mokutil-0.9-2.el7.x86_64.rpm shim-0.9-2.el7.x86_64.rpm
4) Reboot
5) Enroll the new key
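The reproduction steps end with a reboot that is expected to bring up the MokManager screen. As an added pre-reboot check (example code written for this page, not part of the bug report or of mokutil), the script below confirms that `mokutil --import` actually queued an enrollment request: shim only launches MokManager when a MOK request (new key, deletion and so on) is pending, so a missing screen can also mean that nothing was queued rather than that shim is broken. The `mokutil --list-new` sample it parses is constructed here, and the parsing helpers are pure shell, so they run without mokutil installed; the live preflight needs mokutil on the machine under test.

```shell
#!/bin/sh
# Added example (not from the bug report): pre-reboot check after
# `mokutil --import`. shim starts MokManager only when a MOK request is
# queued, so "no key management screen" can also mean "nothing queued".
# The parsing helpers below are exercised on a constructed sample; the
# preflight itself calls mokutil and is meant for the target system.

# Constructed sample of `mokutil --list-new` output (fingerprint is made up).
SAMPLE_LIST_NEW='[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN = Example MOK signing key'

# Count the "[key N]" headers in a mokutil listing read from stdin.
# Prints 0 (and still succeeds) when the listing holds no key.
count_pending_keys() {
    grep -c '^\[key [0-9][0-9]*\]' || true
}

# Print the SHA1 fingerprint of each queued key, one per line.
pending_fingerprints() {
    sed -n 's/^SHA1 Fingerprint: //p'
}

# Succeed (exit 0) when the listing on stdin contains at least one queued key.
has_pending_key() {
    [ "$(count_pending_keys)" -gt 0 ]
}

# Live preflight: show the Secure Boot state and refuse (exit 1) when no
# enrollment request is queued, because the reboot would then show no
# MokManager screen regardless of the shim/mokutil packages installed.
preflight_before_reboot() {
    mokutil --sb-state || return 1
    listing=$(mokutil --list-new 2>/dev/null) || listing=""
    if printf '%s\n' "$listing" | has_pending_key; then
        echo "queued for enrollment on next boot (SHA1 fingerprints):"
        printf '%s\n' "$listing" | pending_fingerprints
        return 0
    fi
    echo "no enrollment request queued: run 'mokutil --import <cert>.der' first" >&2
    return 1
}

# The live preflight runs only when asked for; otherwise the script just
# defines the helpers and exits cleanly.
if [ "${1:-}" = "--preflight" ]; then
    preflight_before_reboot
fi
```

Run it as `sh mok-preflight.sh --preflight` right after the `mokutil --import` step and before `reboot`; if it reports a queued fingerprint and the screen still does not appear, the fault lies with the boot side (shim/MokManager), which is what the rest of this report is about.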
Tags: QA-7.5

Relationships

child of 0008360 (assigned, tigalch): Tracking bug for 7.next-release

Activities

toracat  2017-11-01 00:15  manager  ~0030501

Related (?) -> https://bugzilla.redhat.com/show_bug.cgi?id=1477735
TrevorH  2017-11-01 00:48  manager  ~0030502
Last edited: 2017-11-02 22:32

The workaround seems a little more complex than it could be. Here's a better way:

# yum --disablerepo=base,updates --enablerepo=C7.3.1611-base,C7.3.1611-updates shell
> remove mokutil shim-x64
> install mokutil shim
> run
--> Running transaction check
---> Package mokutil.x86_64 0:0.9-2.el7 will be installed
---> Package mokutil.x86_64 0:12-1.el7.centos will be erased
---> Package shim.x86_64 0:0.9-2.el7 will be installed
---> Package shim-x64.x86_64 0:12-1.el7.centos will be erased
--> Finished Dependency Resolution

================================================================================
 Package Arch Version Repository Size
================================================================================
Installing:
 mokutil x86_64 0.9-2.el7 C7.3.1611-base 37 k
 shim x86_64 0.9-2.el7 C7.3.1611-base 638 k
Removing:
 mokutil x86_64 12-1.el7.centos @base 82 k
 shim-x64 x86_64 12-1.el7.centos @base 6.2 M

toracat  2017-11-02 22:30  manager  ~0030514
Last edited: 2017-11-02 22:34

I have tested the issue on a Toshiba Z30 running RHEL 7.4.

First I deleted a key (mokutil --delete <xxx.der>) and did a reboot. The Shim UEFI key management screen appeared upon reboot and I was able to go through the deletion process.

Second, I added the same key (mokutil --import <xxx.der>) and did a reboot. The Shim UEFI key management screen appeared upon reboot and I was able to add the key.

At this point, either:

(1) the CentOS version of shim/mokutil has the problem.

Or

(2) this is hardware-specific.

Or both.

mokutil-12-1.el7.x86_64
shim-x64-12-1.el7.x86_64
shim-unsigned-0.9-1.el7.x86_64

kuoshen  2017-11-03 03:07  reporter  ~0030516

This issue only happens on CentOS. I did try RHEL 7.4 before. It works normally.
toracat  2017-11-03 04:20  manager  ~0030518

Thanks for the info. So, this IS a CentOS issue.

@kbsingh, @JohnnyHughes, any idea how to fix this?
toracat  2017-11-08 19:18  manager  ~0030543

@kbsingh@karan.org

The changelog says:

* Thu Aug 31 2017 Karanbir Singh <kbsingh@centos.org> - 12-1.el7.centos
- interim build

Will there be a "final" build? Or should this wait for the next point release?
toracat  2017-12-14 15:07  manager  ~0030748

Reminder sent to: JohnnyHughes, kbsingh@karan.org

Response appreciated.
toracat  2018-03-01 17:49  manager  ~0031342

Reminder sent to: kbsingh@karan.org

Is the plan now to fix this in the upcoming EL7.5?
saint  2018-05-24 10:34  reporter  ~0031906

Hi

Is the plan to fix this in the near future?
At the moment I'm running with TrevorH's solution.

Running fully updated CentOS 7.5
TheBurnerGuy  2018-06-05 15:26  reporter  ~0032014

Got this problem in centos-7.4.1708 and TrevorH's solution worked beautifully!
To anyone that wants to try their solution, these flags may be useful (to put in with the other yum flags):
--setopt=obsoletes=0
^ Necessary in order to install old packages
-y
^ yum did not want to find an old version of mokutil, so I just ran "install shim" with the -y flag before entering shell and it installed the right mokutil version as a dependency.
After reinstalling these packages, the UEFI key management screen appeared on reboot.
Hope this helps someone~
arrfab  2018-07-18 13:27  administrator  ~0032302

I've just started a completely new/separate process to build/sign all the kernel+shim+grub2+fwupdate rpm pkgs, so I'm also having a look at open bug reports.
It seems the switch to /boot/efi/EFI/centos introduced some issues.

The following changes worked for me:
cp /boot/efi/EFI/centos/mmx64.efi /boot/efi/EFI/centos/MokManager.efi
cp /boot/efi/EFI/BOOT/fbx64.efi /boot/efi/EFI/BOOT/fallback.efi

After that, I was able to "mokutil --import <key>.der ; systemctl reboot" and then entered MokManager to let me enroll that new key. This was tested on a freshly installed CentOS 7.5.1804 x86_64.
Can some other people confirm that it then works fine? After some feedback we'll introduce all fixes into a newer pkg and we'll ask for some testers/feedback (but it's a long way to go, as it also has to go through Microsoft signing).
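The two `cp` commands above work around shim looking for `MokManager.efi` and `fallback.efi` under names the 12-1.el7.centos package did not ship. As an added helper (example code written for this page, not arrfab's nor the shim package's), the script below checks an ESP tree for exactly that condition and creates the copies only where they are missing, never overwriting a file that is already there. The ESP root is a parameter so the check can be run against a constructed directory; on a live system it defaults to `/boot/efi` and needs root. The only layout it assumes is the four paths given in the comment above.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that the ESP holds MokManager
# and the fallback loader under the names the comment above shows shim looking
# for, and create them as copies only when missing. The ESP root is a parameter
# so the check runs on a constructed directory; on a live box it defaults to
# /boot/efi (run as root). Assumed layout: the paths from arrfab's two cp commands.

# source:destination pairs relative to the ESP root, taken from the comment above.
SHIM_PAIRS="EFI/centos/mmx64.efi:EFI/centos/MokManager.efi
EFI/BOOT/fbx64.efi:EFI/BOOT/fallback.efi"

# Report every destination that is absent while its source is present.
# Exit 0 when nothing is missing, 1 otherwise (so it can gate a reboot).
check_shim_layout() {
    esp="${1:-/boot/efi}"
    missing=0
    for pair in $SHIM_PAIRS; do
        src="$esp/${pair%%:*}"
        dst="$esp/${pair##*:}"
        if [ -f "$src" ] && [ ! -f "$dst" ]; then
            echo "missing: $dst (would be copied from $src)"
            missing=1
        fi
    done
    return $missing
}

# Create the missing copies. An existing destination is never overwritten,
# so a hand-placed or package-provided MokManager.efi stays untouched.
fix_shim_layout() {
    esp="${1:-/boot/efi}"
    for pair in $SHIM_PAIRS; do
        src="$esp/${pair%%:*}"
        dst="$esp/${pair##*:}"
        if [ -f "$src" ] && [ ! -f "$dst" ]; then
            cp "$src" "$dst" || return 1
            echo "created $dst"
        fi
    done
    return 0
}

# Command-line use: `sh shim-layout.sh --check [ESP]` or `sh shim-layout.sh --fix [ESP]`.
# With no arguments the script only defines the functions.
case "${1:-}" in
    --check) check_shim_layout "${2:-}" ;;
    --fix)   fix_shim_layout "${2:-}" ;;
esac
```

`--check` is safe to run at any time and is the useful part for a fleet: a non-zero exit from it on a host that still has the 12-1.el7.centos shim tells you the MokManager screen will not come up on the next reboot, before anyone has to discover that by rebooting.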
redbow_kimee  2018-07-22 15:51  reporter  ~0032333

cp /boot/efi/EFI/centos/mmx64.efi /boot/efi/EFI/centos/MokManager.efi
cp /boot/efi/EFI/BOOT/fbx64.efi /boot/efi/EFI/BOOT/fallback.efi

works on mine also. CentOS Linux release 7.5.1804 (Core) with kernel 3.10.0-862.9.1.el7.x86_64
arrfab  2018-08-25 06:17  administrator  ~0032591

Hi guys,
It was a long way, but we got an updated shim that is now signed by Microsoft, and so we'd need feedback.
That new shim normally has a fix for the MokManager issue, so we'd like to get confirmation that it solves the issues on your side.
Here are the pkgs: https://people.centos.org/arrfab/shim/results/shim-signed-20180824151850/

Please note that while shim itself is signed by Microsoft, the rpm pkg isn't yet signed, as it will be *after* validation/QA, and so it will be pushed to updates the normal way.

We'd like to collect as many answers as possible before pushing those pkgs to mirror.centos.org.
Also worth noting that the new shim also embeds the new cert to be able to boot the new kernels we'll build soon (as we had to re-key, due to changes at the build system level).
arrfab  2018-08-30 06:18  administrator  ~0032625

Those updated shim packages were signed/pushed to CR repository. After some time they'll be also pushed to Updates repo.
The more feedback we get, the faster those packages will be promoted to Updates.
See also https://blog.centos.org/2018/08/secureboot-rolling-out-new-shim-pkgs-for-centos-7-5-1804-in-cr-repository-asking-for-testers-feedback/
arrfab  2018-09-18 14:25  administrator  ~0032752

New shim/shim-unsigned pkgs (version 12-2.el7) were signed/pushed to updates, so closing this bug request.

Issue History

Date Modified     Username      Field               Change
2017-10-24 06:32  kuoshen       New Issue
2017-10-31 19:53  toracat       Status              new => acknowledged
2017-11-01 00:15  toracat       Note Added          0030501
2017-11-01 00:48  TrevorH       Note Added          0030502
2017-11-02 22:30  toracat       Note Added          0030514
2017-11-02 22:32  toracat       Note Edited         0030514
2017-11-02 22:32  toracat       Note Edited         0030502
2017-11-02 22:34  toracat       Note Edited         0030514
2017-11-03 03:07  kuoshen       Note Added          0030516
2017-11-03 04:20  toracat       Note Added          0030518
2017-11-03 04:21  toracat       Status              acknowledged => assigned
2017-11-08 19:18  toracat       Note Added          0030543
2017-12-14 15:07  toracat       Note Added          0030748
2018-01-26 07:43  toracat       Relationship added  child of 0008360
2018-01-26 07:44  toracat       Tag Attached        QA-7.5
2018-03-01 17:49  toracat       Note Added          0031342
2018-05-24 10:34  saint         Note Added          0031906
2018-06-05 15:26  TheBurnerGuy  Note Added          0032014
2018-07-18 13:27  arrfab        Note Added          0032302
2018-07-22 15:51  redbow_kimee  Note Added          0032333
2018-08-25 06:17  arrfab        Status              assigned => feedback
2018-08-25 06:17  arrfab        Note Added          0032591
2018-08-30 06:18  arrfab        Note Added          0032625
2018-09-18 14:25  arrfab        Status              feedback => resolved
2018-09-18 14:25  arrfab        Resolution          open => fixed
2018-09-18 14:25  arrfab        Note Added          0032752