 |
Related (?) -> https://bugzilla.redhat.com/show_bug.cgi?id=1477735 |
 |
The workaround seems a little more complex than it could be. Here's a better way # yum --disablerepo=base,updates --enablerepo=C7.3.1611-base,C7.3.1611-updates shell > remove mokutil shim-x64 > install mokutil shim > run --> Running transaction check ---> Package mokutil.x86_64 0:0.9-2.el7 will be installed ---> Package mokutil.x86_64 0:12-1.el7.centos will be erased ---> Package shim.x86_64 0:0.9-2.el7 will be installed ---> Package shim-x64.x86_64 0:12-1.el7.centos will be erased --> Finished Dependency Resolution ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: mokutil x86_64 0.9-2.el7 C7.3.1611-base 37 k shim x86_64 0.9-2.el7 C7.3.1611-base 638 k Removing: mokutil x86_64 12-1.el7.centos @base 82 k shim-x64 x86_64 12-1.el7.centos @base 6.2 M |
|
|
I have tested the issue on a Toshiba Z30 running RHEL 7.4. First I deleted a key (mokutil --delete <xxx.der>) and did a reboot. The Shim UEFI key management screen appeared upon reboot and I was able go through the deletion process. Second, I added the same key (mokutil --import <xxx.der>) and did a reboot. The Shim UEFI key management screen appeared upon reboot and I was able to add the key. At this point, either: (1) the CentOS version of shim/mokutil has the problem. Or (2) this is hardware-specific. Or both. mokutil-12-1.el7.x86_64 shim-x64-12-1.el7.x86_64 shim-unsigned-0.9-1.el7.x86_64 |
 |
This issue only happen on CentOS. I did try RHEL7.4 before. It works normally. |
|
|
Thanks for the info. So, this IS a CentOS issue. @kbsingh, @JohnnyHughes, any idea how to fix this? |
|
|
@kbsingh@karan.org The changelog says: * Thu Aug 31 2017 Karanbir Singh <kbsingh@centos.org> - 12-1.el7.centos - interim build Will there be a "final" build? Or should this wait for the next point release? |
|
|
Reminder sent to: JohnnyHughes, kbsingh@karan.org Response appreciated. |
|
|
Reminder sent to: kbsingh@karan.org Is the plan now to fix this in the upcoming EL7.5? |
|
|
Hi Is the plan to fix this in the near future? At the moment Im running with Trevorhs solution. Running fully updated CentOS 7.5 |
|
|
Got this problem in centos-7.4.1708 and trevorh's solution worked beautifully! To anyone that wants to try their solution, these flags may be useful (to put in with the other yum flags): --setopt=obsoletes=0 ^ Necessary in order to install old packages -y ^ yum did not want to find an old version of mokutil, so I just ran "install shim" with the -y flag before entering shell and it installed the right mokutil version as a dependency. After reinstalling these packages, the UEFI key management appeared on reboot. Hope this helps someone~ |
 |
I've just started a completely new/separated process to build/sign all the kernel+shim+grub2+fwupdate rpm pkgs, so also having a look at opened bug reports It seems the switch to /boot/efi/EFI/centos introduced some issues. The following changes worked for me : cp /boot/efi/EFI/centos/mmx64.efi /boot/efi/EFI/centos/MokManager.efi cp /boot/efi/EFI/BOOT/fbx64.efi /boot/efi/EFI/BOOT/fallback.efi After that, I was able to "mokutil --import <key>.der ; systemctl reboot" and then entered MokManager to let me enroll that new key. This was tested on a freshly installed CentOS 7.5.1804 x86_64. Can some other people confirm that it then works fine ? After some feedback we'll introduce all fixes into newer pkg and we'll ask for some testers/feedback (but long way to go as it has also to go through Microsoft signing) |
|
|
cp /boot/efi/EFI/centos/mmx64.efi /boot/efi/EFI/centos/MokManager.efi cp /boot/efi/EFI/BOOT/fbx64.efi /boot/efi/EFI/BOOT/fallback.efi works on mine also. CentOS Linux release 7.5.1804 (Core) with kernel 3.10.0-862.9.1.el7.x86_64 |
|
|
Hi guys, It was a long way but we got updated shim that is now signed by Microsoft and so we'd need feedback. That new shim has normally a fix for the mokmanager issue, so we'd like to get confirmation that it solves issues on your side Here are the pkgs : https://people.centos.org/arrfab/shim/results/shim-signed-20180824151850/ Please note that while shim itself is signed by Microsoft, the rpm pkg isn't yet signed, as it will be *after* validation/QA and so it will be pushed to updates the normal way. We'd like to collect as many answers as possible before pushing those pkgs to mirror.centos.org Also worth noting that the new shim embeds also the new cert to be able to boot the new kernels we'll build soon (as we had to re-key , due to changes at the build system level) |
|
|
Those updated shim packages were signed/pushed to CR repository. After some time they'll be also pushed to Updates repo. The more feedback we'll get, the faster those packages will be promoted to Updates See also https://blog.centos.org/2018/08/secureboot-rolling-out-new-shim-pkgs-for-centos-7-5-1804-in-cr-repository-asking-for-testers-feedback/ |
|
|
new shim/shim-unsigned pkgs (version 12-2.el7) were signed/pushed to updates, so closing this bug request |
- Anonymous
