2017-12-16 20:28 UTC

ID: 0014050
Project: CentOS-7
Category: shim
View Status: public
Last Update: 2017-12-14 15:07
Product Version:
Target Version:
Fixed in Version:
Summary: 0014050: Failed to Enter Shim UEFI key management screen while rebooting on CentOS7 if upgrade to 7-4.1708

Description:
#rpm --query centos-release

#yum update

#rpm --query centos-release

We found that the system fails to enter the Shim UEFI key management screen while rebooting on CentOS 7 after upgrading the product version to 7.4.1708. Users are forced to either disable Secure Boot or not use any 3rd-party drivers.

Related package versions:
Kernel version => 3.10.0-693.5.2.el7.x86_64,
mokutil => mokutil 12-1.el7.centos,
shim => shim-x64-12-1.el7.centos

Steps To Reproduce:
Step 1 create key
openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 \
-batch -config configuration_file.config -outform DER \
-out public_key.der \
-keyout private_key.priv

Step 2 enroll key
mokutil --import my_signing_key_pub.der

Step 3 reboot

Step 4 cannot see Shim UEFI key management screen and jump into OS directly

Additional Information:
We found that the possible root cause is the mokutil upgrade via yum. We rolled back the whole system to 7-1.1503 and only updated mokutil to 12-1.el7.centos. This issue happened.

With Product Version 7-4.1708, rollback mokutil to older version
1) Download the older version mokutil and shim for ver 0.9-2.el7 to local
2) remove the new version 12-1.el7 via yum command
yum remove mokutil.x86_64 shim-x64.x86_64
3) Install older version via rpm command
rpm -ivh mokutil-0.9-2.el7.x86_64.rpm shim-0.9-2.el7.x86_64.rpm
4) Reboot
5) Enroll new key
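
An added diagnostic for the reproduction steps above (not part of the original report and not code from shim or mokutil): it checks whether the enrollment request from step 2 was staged as shim's MokNew EFI variable, and whether the installed mokutil/shim packages are the 12-1.el7.centos build named in this issue. The efivarfs mount point, the MokNew-<GUID> file name, the script name mok-check.sh and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic (not from the issue thread or from shim/mokutil).
# Assumptions: efivarfs is mounted at /sys/firmware/efi/efivars and a pending
# enrollment request appears there as MokNew-<shim vendor GUID>.
SHIM_GUID=605dab50-e046-4300-abb6-3dd810dd8b23
AFFECTED='12-1\.el7\.centos'   # build named in this issue (regex-escaped)

# affected_pkgs: read `rpm -q` output on stdin, print the lines that are
# the mokutil / shim / shim-x64 packages of the affected build.
affected_pkgs() {
    grep -E "^(mokutil|shim(-x64)?)-${AFFECTED}(\.|\$)" || true
}

# mok_request_pending DIR: succeed if a MOK enrollment request is staged.
mok_request_pending() {
    [ -e "$1/MokNew-$SHIM_GUID" ]
}

# diagnose DIR: read `rpm -q` output on stdin and print one verdict:
#   not-staged       no request variable is present
#   staged           request present, packages are not the affected build
#   staged-affected  request present and the affected build is installed
diagnose() {
    hits=$(affected_pkgs)
    if ! mok_request_pending "$1"; then
        echo not-staged
    elif [ -n "$hits" ]; then
        echo staged-affected
    else
        echo staged
    fi
}

# Live check: sh mok-check.sh live   (run after `mokutil --import`)
if [ "${1:-}" = live ]; then
    rpm -q mokutil shim-x64 shim 2>/dev/null | diagnose /sys/firmware/efi/efivars
fi
```

Running it after step 2 and again after the reboot helps separate an import that never wrote a request from a request that was written but not acted on at boot.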




toracat (manager)

Related (?) -> https://bugzilla.redhat.com/show_bug.cgi?id=1477735


TrevorH (developer)

Last edited: 2017-11-02 22:32


The workaround seems a little more complex than it could be. Here's a better way

# yum --disablerepo=base,updates --enablerepo=C7.3.1611-base,C7.3.1611-updates shell
> remove mokutil shim-x64
> install mokutil shim
> run
--> Running transaction check
---> Package mokutil.x86_64 0:0.9-2.el7 will be installed
---> Package mokutil.x86_64 0:12-1.el7.centos will be erased
---> Package shim.x86_64 0:0.9-2.el7 will be installed
---> Package shim-x64.x86_64 0:12-1.el7.centos will be erased
--> Finished Dependency Resolution

 Package Arch Version Repository Size
 mokutil x86_64 0.9-2.el7 C7.3.1611-base 37 k
 shim x86_64 0.9-2.el7 C7.3.1611-base 638 k
 mokutil x86_64 12-1.el7.centos @base 82 k
 shim-x64 x86_64 12-1.el7.centos @base 6.2 M


toracat (manager)

Last edited: 2017-11-02 22:34


I have tested the issue on a Toshiba Z30 running RHEL 7.4.

First I deleted a key (mokutil --delete <xxx.der>) and did a reboot. The Shim UEFI key management screen appeared upon reboot and I was able to go through the deletion process.

Second, I added the same key (mokutil --import <xxx.der>) and did a reboot. The Shim UEFI key management screen appeared upon reboot and I was able to add the key.

At this point, either:

(1) the CentOS version of shim/mokutil has the problem.


(2) this is hardware-specific.

Or both.



kuoshen (reporter)

This issue only happens on CentOS. I did try RHEL7.4 before. It works normally.


toracat (manager)

Thanks for the info. So, this IS a CentOS issue.

@kbsingh, @JohnnyHughes, any idea how to fix this?


toracat (manager)


The changelog says:

* Thu Aug 31 2017 Karanbir Singh <kbsingh@centos.org> - 12-1.el7.centos
- interim build

Will there be a "final" build? Or should this wait for the next point release?


toracat (manager)

Reminder sent to: JohnnyHughes, kbsingh@karan.org

Response appreciated.

Issue History
Date Modified Username Field Change
2017-10-24 06:32 kuoshen New Issue
2017-10-31 19:53 toracat Status new => acknowledged
2017-11-01 00:15 toracat Note Added: 0030501
2017-11-01 00:48 TrevorH Note Added: 0030502
2017-11-02 22:30 toracat Note Added: 0030514
2017-11-02 22:32 toracat Note Edited: 0030514
2017-11-02 22:32 toracat Note Edited: 0030502
2017-11-02 22:34 toracat Note Edited: 0030514
2017-11-03 03:07 kuoshen Note Added: 0030516
2017-11-03 04:20 toracat Note Added: 0030518
2017-11-03 04:21 toracat Status acknowledged => assigned
2017-11-08 19:18 toracat Note Added: 0030543
2017-12-14 15:07 toracat Note Added: 0030748