View Issue Details

ID: 0017668
Project: CentOS-7
Category: shim-x64
View Status: public
Last Update: 2020-11-29 21:51
Reporter: anish
Priority: urgent
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 7.8-2003
Target Version:
Fixed in Version:
Summary: 0017668: Secureboot machine unbootable after upgrade to shim-x64-15-8.el7.x86_64.rpm

Description:
shim-x64-15-7.el7_9.x86_64.rpm was never installed on this machine, upgraded directly to shim-x64-15-8.el7.x86_64.rpm

On reboot, shim loading fails with the following message:

Booting from Integrated RAID Controller 1: CentOS Linux 7
Could not create MokListRT: Unsupported
Could not create MokListXRT: Unsupported
Something has gone seriously wrong: import_mok_state() failed: Unsupported


Enabling or disabling secureboot does not seem to make a difference, all binaries in EFI/centos fail with the same message
Steps To Reproduce:
Update the following packages:

Package shim-x64-15-8.el7.x86_64
Package efibootmgr-17-2.el7.x86_64
Package 1:grub2-tools-2.02-0.86.el7.centos.x86_64
Package 1:grub2-efi-x64-2.02-0.86.el7.centos.x86_64
Package 1:grub2-efi-x64-modules-2.02-0.86.el7.centos.noarch
Package mokutil-15-8.el7.x86_64

and reboot
Additional Information:
System Model = PowerEdge R430
System BIOS Version = 2.11.0
Firmware Version = 2.70.70.70
Firmware Build = 45
Last Firmware Update = 02/06/2020 09:55:17

Current efi boot order

Boot0000* Embedded NIC 1 Port 1 Partition 1 VenHw(3a191845-5f86-4e78-8fce-c4cff59f9daa)
Boot0001* NIC in Slot 2 Port 1 Partition 1 VenHw(d227c733-f75f-4341-b749-4d1759ec8538)
Boot0002* Hard drive C: VenHw(d6c0639f-c705-4eb9-aa4f-5802d8823de6)..................@.......@.f.@.......................................................A.....................P.E.R.C. .H.7.3.0. .M.i.n.i.(.b.u.s. .0.1. .d.e.v. .0.0.)...
Boot0003* BRCM MBA Slot 0200 v17.0.1 BBS(128,BRCM MBA Slot 0200 v17.0.1,0x0)................f...........K.........................................................A.....................B.R.C.M. .M.B.A. .S.l.o.t. .0.2.0.0. .v.1.7...0...1...
Boot0004* QLogic MBA Slot 0500 v7.12.61 BBS(128,QLogic MBA Slot 0500 v7.12.61,0x0)......................................................................................A.....................Q.L.o.g.i.c. .M.B.A. .S.l.o.t. .0.5.0.0. .v.7...1.2...6.1...
Boot0005* QLogic MBA Slot 0501 v7.12.61 BBS(128,QLogic MBA Slot 0501 v7.12.61,0x0)......................................................................................A.....................Q.L.o.g.i.c. .M.B.A. .S.l.o.t. .0.5.0.1. .v.7...1.2...6.1...
Boot0006* NIC in Slot 2 Port 2 Partition 1 VenHw(56e94a54-7c81-443a-bb9f-c0d240845f54)
Boot0018* CentOS Linux 7 HD(2,GPT,43d34998-e0f2-4d07-8232-bb82ed038836,0x1800,0x100000)/File(\EFI\centos\shim.efi)

Tags: No tags attached.

Activities

anish

2020-08-13 06:41

reporter   ~0037532

Output from yum update logs to show that the known bad shim version was never installed on this host

Aug 12 13:28:22 Updated: 1:grub2-common-2.02-0.86.el7.centos.noarch
Aug 12 13:28:22 Updated: 1:grub2-tools-minimal-2.02-0.86.el7.centos.x86_64
Aug 12 13:28:23 Updated: 1:grub2-tools-2.02-0.86.el7.centos.x86_64
Aug 12 13:28:23 Updated: 1:grub2-tools-extra-2.02-0.86.el7.centos.x86_64
Aug 12 13:28:23 Updated: 1:grub2-pc-modules-2.02-0.86.el7.centos.noarch
Aug 12 13:28:23 Updated: 1:grub2-pc-2.02-0.86.el7.centos.x86_64
Aug 12 13:28:24 Updated: mokutil-15-8.el7.x86_64
Aug 12 13:28:30 Updated: kernel-tools-libs-3.10.0-1127.18.2.el7.x86_64
Aug 12 13:28:34 Updated: kernel-tools-3.10.0-1127.18.2.el7.x86_64
Aug 12 13:28:34 Updated: shim-x64-15-8.el7.x86_64
Aug 12 13:28:34 Updated: 1:grub2-2.02-0.86.el7.centos.x86_64
Aug 12 13:28:34 Updated: 1:grub2-efi-x64-2.02-0.86.el7.centos.x86_64
Aug 12 13:28:35 Updated: 1:grub2-efi-x64-modules-2.02-0.86.el7.centos.noarch

anish

2020-08-13 06:49

reporter   ~0037533

Downgrading to shim-x64-15-2.el7.centos.x86_64 + mokutil-15-2.el7.centos.x86_64 fixes the issues, though I believe there is no need to downgrade mokutil.

ManuelWolfshant

2020-08-13 10:36

manager   ~0037534

Please check if https://bugzilla.redhat.com/show_bug.cgi?id=1866107 applies to you. If not, you are a lucky winner because except that bug, I have not heard about any other issues created by shim-x64-15-8.el7.x86_64. In this case you should try to reach RedHat either via https://bugzilla.redhat.com/show_bug.cgi?id=1861977 or by opening a new bug report.

anish

2020-08-20 03:19

reporter   ~0037576

Neither of those seem directly applicable here. I was able to narrow this down further. This actually is being caused by the TPM being enabled, and not necessarily UEFI/Secureboot. Disabling TPM solves the issue for now.

ManuelWolfshant

2020-08-20 06:54

manager   ~0037577

Last edited: 2020-08-20 13:15

anish, please open a new bug against shim-x64-15-8.el7.x86_64 at bugzilla.redhat.com. TPM should be supported!
Kindly please crosslink that bug with this one.

anish

2020-11-29 21:51

reporter   ~0038009

We ended up escalating this on the vendor side but for anyone else who hits this, there are 4 supported values for bios.syssecurity.tpmsecurity under PowerEdge servers: https://www.dell.com/support/manuals/en-us/idrac9-lifecycle-controller-v4.x-series/idrac_4.00.00.00_racadm_ar_referenceguide/bios.syssecurity.tpmsecurity-(read-or-write)?guid=guid-c386d390-01d9-4376-85aa-c49a4e1d71e1&lang=en-us

Setting it to OnNoPbm will prevent your host from booting past shim. Setting it to any other value works. The Red Hat bug for this is still open but I am not privy to it.
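
Added example (not part of the original thread, and not CentOS or Dell tooling): a pre-reboot check that flags the combination reported in this issue, shim-x64-15-8.el7 together with TpmSecurity=OnNoPbm. The function names, the result labels and the `Key=Value` shape of the racadm output are assumptions; the sample inputs are constructed.

```shell
#!/usr/bin/env bash
# Constructed sample inputs (not captured from a real host).
SAMPLE_YUMLOG='Aug 12 13:28:24 Updated: mokutil-15-8.el7.x86_64
Aug 12 13:28:34 Updated: shim-x64-15-8.el7.x86_64
Aug 12 13:28:34 Updated: 1:grub2-efi-x64-2.02-0.86.el7.centos.x86_64'
# Assumed output shape of a racadm attribute query.
SAMPLE_RACADM='[Key=BIOS.Setup.1-1#SysSecurity]
TpmSecurity=OnNoPbm'

# Read yum.log text on stdin; print the last shim-x64 package that was
# installed or updated (epoch prefix such as "1:" is stripped).
latest_shim() {
    awk '($4 == "Updated:" || $4 == "Installed:") && $5 ~ /^([0-9]+:)?shim-x64-/ {
             sub(/^[0-9]+:/, "", $5); last = $5
         }
         END { if (last != "") print last }'
}

# Read racadm-style text on stdin; print the TpmSecurity value, if any.
tpm_security() {
    tr -d ' \t\r' | awk -F= '$1 == "TpmSecurity" { print $2; exit }'
}

# boot_risk <shim-package> <tpm-value>
# AT_RISK  : the combination reported in this issue
# NO_MATCH : does not match the reported combination (not a guarantee)
# UNKNOWN  : one of the two inputs could not be determined
boot_risk() {
    shim=$1
    tpm=$2
    if [ -z "$shim" ] || [ -z "$tpm" ]; then
        echo UNKNOWN
        return 0
    fi
    case "$shim" in
        shim-x64-15-8.el7.*)
            if [ "$tpm" = "OnNoPbm" ]; then echo AT_RISK; else echo NO_MATCH; fi ;;
        *)
            echo NO_MATCH ;;
    esac
}

# Demonstration on the constructed samples above.
boot_risk "$(printf '%s\n' "$SAMPLE_YUMLOG" | latest_shim)" \
          "$(printf '%s\n' "$SAMPLE_RACADM" | tpm_security)"
```

On a live host the two inputs would come from `/var/log/yum.log` and from a racadm query of the bios.syssecurity.tpmsecurity attribute named in the note above.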

Issue History

Date Modified | Username | Field | Change
2020-08-13 06:30 | anish | New Issue |
2020-08-13 06:41 | anish | Note Added: 0037532 |
2020-08-13 06:49 | anish | Note Added: 0037533 |
2020-08-13 10:36 | ManuelWolfshant | Note Added: 0037534 |
2020-08-20 03:19 | anish | Note Added: 0037576 |
2020-08-20 06:54 | ManuelWolfshant | Note Added: 0037577 |
2020-08-20 13:15 | ManuelWolfshant | Note Edited: 0037577 |
2020-08-24 23:33 | toracat | Category | shim-signed => shim-unsigned
2020-08-24 23:36 | toracat | Category | shim-unsigned => shim-x64
2020-11-29 21:51 | anish | Note Added: 0038009 |