0017668: Secureboot machine unbootable after upgrade to shim-x64-15-8.el7.x86_64.rpm - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0017668	CentOS-7	shim-x64	public	2020-08-13 06:30	2020-11-29 21:51

Reporter	anish	Assigned To
Priority	urgent	Severity	major	Reproducibility	always
Status	new	Resolution	open
Product Version	7.8-2003

Summary	0017668: Secureboot machine unbootable after upgrade to shim-x64-15-8.el7.x86_64.rpm
Description	shim-x64-15-7.el7_9.x86_64.rpm was never installed on this machine, upgraded directly to shim-x64-15-8.el7.x86_64.rpm On reboot, shim loading fails with the following message : Booting from Integrated RAID Controller 1: CentOS Linux 7 Could not create MokListRT: Unsupported Could not create MokListXRT: Unsupported Something has gone seriously wrong: import_mok_state() failed: Unsupported Enabling or disabling secureboot does not seem to make a difference, all binaries in EFI/centos fail with the same message
Steps To Reproduce	Update the following packages : Package shim-x64-15-8.el7.x86_64 Package efibootmgr-17-2.el7.x86_64 Package 1:grub2-tools-2.02-0.86.el7.centos.x86_64 Package 1:grub2-efi-x64-2.02-0.86.el7.centos.x86_64 Package 1:grub2-efi-x64-modules-2.02-0.86.el7.centos.noarch Package mokutil-15-8.el7.x86_64 and reboot
Additional Information	System Model = PowerEdge R430 System BIOS Version = 2.11.0 Firmware Version = 2.70.70.70 Firmware Build = 45 Last Firmware Update = 02/06/2020 09:55:17 Current efi boot order Boot0000* Embedded NIC 1 Port 1 Partition 1 VenHw(3a191845-5f86-4e78-8fce-c4cff59f9daa) Boot0001* NIC in Slot 2 Port 1 Partition 1 VenHw(d227c733-f75f-4341-b749-4d1759ec8538) Boot0002* Hard drive C: VenHw(d6c0639f-c705-4eb9-aa4f-5802d8823de6)..................@.......@.f.@.......................................................A.....................P.E.R.C. .H.7.3.0. .M.i.n.i.(.b.u.s. .0.1. .d.e.v. .0.0.)... Boot0003* BRCM MBA Slot 0200 v17.0.1 BBS(128,BRCM MBA Slot 0200 v17.0.1,0x0)................f...........K.........................................................A.....................B.R.C.M. .M.B.A. .S.l.o.t. .0.2.0.0. .v.1.7...0...1... Boot0004* QLogic MBA Slot 0500 v7.12.61 BBS(128,QLogic MBA Slot 0500 v7.12.61,0x0)......................................................................................A.....................Q.L.o.g.i.c. .M.B.A. .S.l.o.t. .0.5.0.0. .v.7...1.2...6.1... Boot0005* QLogic MBA Slot 0501 v7.12.61 BBS(128,QLogic MBA Slot 0501 v7.12.61,0x0)......................................................................................A.....................Q.L.o.g.i.c. .M.B.A. .S.l.o.t. .0.5.0.1. .v.7...1.2...6.1... Boot0006* NIC in Slot 2 Port 2 Partition 1 VenHw(56e94a54-7c81-443a-bb9f-c0d240845f54) Boot0018* CentOS Linux 7 HD(2,GPT,43d34998-e0f2-4d07-8232-bb82ed038836,0x1800,0x100000)/File(\EFI\centos\shim.efi)
Tags	No tags attached.

abrt_hash
URL

anish 2020-08-13 06:41 reporter ~0037532	Output from yum update logs to show that the known bad shim version was never installed on this host Aug 12 13:28:22 Updated: 1:grub2-common-2.02-0.86.el7.centos.noarch Aug 12 13:28:22 Updated: 1:grub2-tools-minimal-2.02-0.86.el7.centos.x86_64 Aug 12 13:28:23 Updated: 1:grub2-tools-2.02-0.86.el7.centos.x86_64 Aug 12 13:28:23 Updated: 1:grub2-tools-extra-2.02-0.86.el7.centos.x86_64 Aug 12 13:28:23 Updated: 1:grub2-pc-modules-2.02-0.86.el7.centos.noarch Aug 12 13:28:23 Updated: 1:grub2-pc-2.02-0.86.el7.centos.x86_64 Aug 12 13:28:24 Updated: mokutil-15-8.el7.x86_64 Aug 12 13:28:30 Updated: kernel-tools-libs-3.10.0-1127.18.2.el7.x86_64 Aug 12 13:28:34 Updated: kernel-tools-3.10.0-1127.18.2.el7.x86_64 Aug 12 13:28:34 Updated: shim-x64-15-8.el7.x86_64 Aug 12 13:28:34 Updated: 1:grub2-2.02-0.86.el7.centos.x86_64 Aug 12 13:28:34 Updated: 1:grub2-efi-x64-2.02-0.86.el7.centos.x86_64 Aug 12 13:28:35 Updated: 1:grub2-efi-x64-modules-2.02-0.86.el7.centos.noarch

anish 2020-08-13 06:49 reporter ~0037533	Downgrading to shim-x64-15-2.el7.centos.x86_64 + mokutil-15-2.el7.centos.x86_64 fixes the issues, though I believe there is no need to downgrade mokutil.

ManuelWolfshant 2020-08-13 10:36 manager ~0037534	Please check if https://bugzilla.redhat.com/show_bug.cgi?id=1866107 applies to you. If not, you are a lucky winner because except that bug, I have not heard about any other issues created by shim-x64-15-8.el7.x86_64 . In this case you should try to reach RedHat either via https://bugzilla.redhat.com/show_bug.cgi?id=1861977 or by opening a new bug report.

anish 2020-08-20 03:19 reporter ~0037576	Neither of those seem directly applicable here. I was able to narrow this down further This actually is being caused by the TPM being enabled, and not necessarily UEFI/Secureboot. Disabling TPM solves the issue for now

ManuelWolfshant 2020-08-20 06:54 manager ~0037577 Last edited: 2020-08-20 13:15	anish, please open a new bug against shim-x64-15-8.el7.x86_64 at bugzilla.redhat.com . TPM should be supported ! kindly please crosslink that bug with this one.

anish 2020-11-29 21:51 reporter ~0038009	We ended up escalating this on the vendor side but for anyone else who hits this, there are 4 supported values for bios.syssecurity.tpmsecurity under poweredge servers https://www.dell.com/support/manuals/en-us/idrac9-lifecycle-controller-v4.x-series/idrac_4.00.00.00_racadm_ar_referenceguide/bios.syssecurity.tpmsecurity-(read-or-write)?guid=guid-c386d390-01d9-4376-85aa-c49a4e1d71e1&lang=en-us Settting it to OnNoPbm will prevent your host from booting past shim. Setting it to any other value, works. The Redhat bug for this is still open but I am not privy to it

Date Modified	Username	Field	Change
2020-08-13 06:30	anish	New Issue
2020-08-13 06:41	anish	Note Added: 0037532
2020-08-13 06:49	anish	Note Added: 0037533
2020-08-13 10:36	ManuelWolfshant	Note Added: 0037534
2020-08-20 03:19	anish	Note Added: 0037576
2020-08-20 06:54	ManuelWolfshant	Note Added: 0037577
2020-08-20 13:15	ManuelWolfshant	Note Edited: 0037577
2020-08-24 23:33	toracat	Category	shim-signed => shim-unsigned
2020-08-24 23:36	toracat	Category	shim-unsigned => shim-x64
2020-11-29 21:51	anish	Note Added: 0038009