View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017668 | CentOS-7 | shim-x64 | public | 2020-08-13 06:30 | 2020-11-29 21:51 |
Reporter | anish | Assigned To | |||
Priority | urgent | Severity | major | Reproducibility | always |
Status | new | Resolution | open | ||
Product Version | 7.8-2003 | ||||
Summary | 0017668: Secureboot machine unbootable after upgrade to shim-x64-15-8.el7.x86_64.rpm | ||||
Description | shim-x64-15-7.el7_9.x86_64.rpm was never installed on this machine; it was upgraded directly to shim-x64-15-8.el7.x86_64.rpm. On reboot, shim loading fails with the following message: Booting from Integrated RAID Controller 1: CentOS Linux 7 Could not create MokListRT: Unsupported Could not create MokListXRT: Unsupported Something has gone seriously wrong: import_mok_state() failed: Unsupported. Enabling or disabling secureboot does not seem to make a difference; all binaries in EFI/centos fail with the same message. | ||||
Steps To Reproduce | Update the following packages: Package shim-x64-15-8.el7.x86_64 Package efibootmgr-17-2.el7.x86_64 Package 1:grub2-tools-2.02-0.86.el7.centos.x86_64 Package 1:grub2-efi-x64-2.02-0.86.el7.centos.x86_64 Package 1:grub2-efi-x64-modules-2.02-0.86.el7.centos.noarch Package mokutil-15-8.el7.x86_64, and reboot. | ||||
Additional Information | System Model = PowerEdge R430 System BIOS Version = 2.11.0 Firmware Version = 2.70.70.70 Firmware Build = 45 Last Firmware Update = 02/06/2020 09:55:17 Current efi boot order Boot0000* Embedded NIC 1 Port 1 Partition 1 VenHw(3a191845-5f86-4e78-8fce-c4cff59f9daa) Boot0001* NIC in Slot 2 Port 1 Partition 1 VenHw(d227c733-f75f-4341-b749-4d1759ec8538) Boot0002* Hard drive C: VenHw(d6c0639f-c705-4eb9-aa4f-5802d8823de6)..................@.......@.f.@.......................................................A.....................P.E.R.C. .H.7.3.0. .M.i.n.i.(.b.u.s. .0.1. .d.e.v. .0.0.)... Boot0003* BRCM MBA Slot 0200 v17.0.1 BBS(128,BRCM MBA Slot 0200 v17.0.1,0x0)................f...........K.........................................................A.....................B.R.C.M. .M.B.A. .S.l.o.t. .0.2.0.0. .v.1.7...0...1... Boot0004* QLogic MBA Slot 0500 v7.12.61 BBS(128,QLogic MBA Slot 0500 v7.12.61,0x0)......................................................................................A.....................Q.L.o.g.i.c. .M.B.A. .S.l.o.t. .0.5.0.0. .v.7...1.2...6.1... Boot0005* QLogic MBA Slot 0501 v7.12.61 BBS(128,QLogic MBA Slot 0501 v7.12.61,0x0)......................................................................................A.....................Q.L.o.g.i.c. .M.B.A. .S.l.o.t. .0.5.0.1. .v.7...1.2...6.1... Boot0006* NIC in Slot 2 Port 2 Partition 1 VenHw(56e94a54-7c81-443a-bb9f-c0d240845f54) Boot0018* CentOS Linux 7 HD(2,GPT,43d34998-e0f2-4d07-8232-bb82ed038836,0x1800,0x100000)/File(\EFI\centos\shim.efi) | ||||
Tags | No tags attached. | ||||
Output from yum update logs to show that the known bad shim version was never installed on this host:
Aug 12 13:28:22 Updated: 1:grub2-common-2.02-0.86.el7.centos.noarch
Aug 12 13:28:22 Updated: 1:grub2-tools-minimal-2.02-0.86.el7.centos.x86_64
Aug 12 13:28:23 Updated: 1:grub2-tools-2.02-0.86.el7.centos.x86_64
Aug 12 13:28:23 Updated: 1:grub2-tools-extra-2.02-0.86.el7.centos.x86_64
Aug 12 13:28:23 Updated: 1:grub2-pc-modules-2.02-0.86.el7.centos.noarch
Aug 12 13:28:23 Updated: 1:grub2-pc-2.02-0.86.el7.centos.x86_64
Aug 12 13:28:24 Updated: mokutil-15-8.el7.x86_64
Aug 12 13:28:30 Updated: kernel-tools-libs-3.10.0-1127.18.2.el7.x86_64
Aug 12 13:28:34 Updated: kernel-tools-3.10.0-1127.18.2.el7.x86_64
Aug 12 13:28:34 Updated: shim-x64-15-8.el7.x86_64
Aug 12 13:28:34 Updated: 1:grub2-2.02-0.86.el7.centos.x86_64
Aug 12 13:28:34 Updated: 1:grub2-efi-x64-2.02-0.86.el7.centos.x86_64
Aug 12 13:28:35 Updated: 1:grub2-efi-x64-modules-2.02-0.86.el7.centos.noarch
|
Downgrading to shim-x64-15-2.el7.centos.x86_64 + mokutil-15-2.el7.centos.x86_64 fixes the issues, though I believe there is no need to downgrade mokutil.
Please check if https://bugzilla.redhat.com/show_bug.cgi?id=1866107 applies to you. If not, you are a lucky winner, because except for that bug, I have not heard about any other issues created by shim-x64-15-8.el7.x86_64. In this case you should try to reach Red Hat either via https://bugzilla.redhat.com/show_bug.cgi?id=1861977 or by opening a new bug report.
Neither of those seems directly applicable here. I was able to narrow this down further. This actually is being caused by the TPM being enabled, and not necessarily UEFI/Secureboot. Disabling TPM solves the issue for now.
anish, please open a new bug against shim-x64-15-8.el7.x86_64 at bugzilla.redhat.com. TPM should be supported! Kindly crosslink that bug with this one.
|
We ended up escalating this on the vendor side, but for anyone else who hits this, there are 4 supported values for bios.syssecurity.tpmsecurity under PowerEdge servers: https://www.dell.com/support/manuals/en-us/idrac9-lifecycle-controller-v4.x-series/idrac_4.00.00.00_racadm_ar_referenceguide/bios.syssecurity.tpmsecurity-(read-or-write)?guid=guid-c386d390-01d9-4376-85aa-c49a4e1d71e1&lang=en-us Setting it to OnNoPbm will prevent your host from booting past shim. Setting it to any other value works. The Red Hat bug for this is still open, but I am not privy to it.
|
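A pre-reboot check built from the finding in the notes above, as an added example that is not part of the original report or of any CentOS, Red Hat or Dell tooling. It encodes only the combination the reporter describes (shim-x64-15-8 with bios.syssecurity.tpmsecurity set to OnNoPbm); the function names are hypothetical, the log sample is constructed, and the TPM setting is assumed to be supplied by the operator.

```shell
#!/bin/sh
# Constructed sample in the same line format as the yum log quoted in the report.
SAMPLE_YUM_LOG='Aug 12 13:28:24 Updated: mokutil-15-8.el7.x86_64
Aug 12 13:28:34 Updated: shim-x64-15-8.el7.x86_64
Aug 12 13:28:34 Updated: 1:grub2-efi-x64-2.02-0.86.el7.centos.x86_64'

# Print the most recent shim-x64 package recorded in yum log text on stdin.
last_shim_from_log() {
    awk '$4 ~ /^(Installed|Updated):$/ {
             n = $5; sub(/^[0-9]+:/, "", n)      # drop an epoch prefix such as "1:"
             if (index(n, "shim-x64-") == 1) pkg = n
         }
         END { if (pkg != "") print pkg }'
}

# Succeed if the log on stdin ever recorded a package whose name starts with $1.
log_has_pkg() {
    awk -v p="$1" '$4 ~ /^(Installed|Updated):$/ {
             n = $5; sub(/^[0-9]+:/, "", n)
             if (index(n, p) == 1) found = 1
         }
         END { exit found ? 0 : 1 }'
}

# $1 = yum log text, $2 = current bios.syssecurity.tpmsecurity value (supplied
# by the operator; how it is read from the BMC is outside this sketch).
# Returns 2 for the failing combination from the report, 1 if undetermined.
assess_boot_risk() {
    abr_shim=$(printf '%s\n' "$1" | last_shim_from_log)
    case "$abr_shim" in
        "")
            echo "UNKNOWN: no shim-x64 transaction found in log"; return 1 ;;
        shim-x64-15-8.el7.*)
            if [ "$2" = "OnNoPbm" ]; then
                echo "BLOCK: $abr_shim with tpmsecurity=OnNoPbm; do not reboot"
                return 2
            fi
            echo "OK: $abr_shim with tpmsecurity=$2" ;;
        *)
            echo "OK: $abr_shim is not the version in the report" ;;
    esac
    return 0
}

assess_boot_risk "$SAMPLE_YUM_LOG" "OnNoPbm" || true
```

On a real host the first argument would be the contents of the yum log rather than the constructed sample.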
Date Modified | Username | Field | Change |
---|---|---|---|
2020-08-13 06:30 | anish | New Issue | |
2020-08-13 06:41 | anish | Note Added: 0037532 | |
2020-08-13 06:49 | anish | Note Added: 0037533 | |
2020-08-13 10:36 | ManuelWolfshant | Note Added: 0037534 | |
2020-08-20 03:19 | anish | Note Added: 0037576 | |
2020-08-20 06:54 | ManuelWolfshant | Note Added: 0037577 | |
2020-08-20 13:15 | ManuelWolfshant | Note Edited: 0037577 | |
2020-08-24 23:33 | toracat | Category | shim-signed => shim-unsigned |
2020-08-24 23:36 | toracat | Category | shim-unsigned => shim-x64 |
2020-11-29 21:51 | anish | Note Added: 0038009 |