Bug 1880417

Summary: [vmware] Fail to boot with Secure Boot enabled, kernel lockdown denies iopl access to afterburn
Product: OpenShift Container Platform Reporter: Micah Abbott <miabbott>
Component: RHCOSAssignee: Luca BRUNO <lucab>
Status: CLOSED ERRATA QA Contact: jima
Severity: high Docs Contact:
Priority: urgent    
Version: 4.6CC: bbreard, bgilbert, dornelas, imcleod, jima, jjung, jligon, lucab, miabbott, mnguyen, nstielau, smilner, walters, xtian
Target Milestone: ---Keywords: Regression
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1877995 Environment:
Last Closed: 2021-02-24 15:18:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 1 Micah Abbott 2020-09-18 13:32:26 UTC 
We have a "quickfix" in place for the parent BZ, this BZ is going to track the more complete fix in 4.7
Comment 2 Luca BRUNO 2020-10-21 11:09:58 UTC 
The better fix for this landed in https://github.com/coreos/afterburn/releases/tag/v4.5.2, which will head to RHCOS 4.7 soon.

The Ignition side of this same issue is tracked at https://github.com/coreos/ignition/issues/1092 but currently stalled on the upstream library.
Comment 3 Luca BRUNO 2020-11-13 08:01:02 UTC 
Final update from the RHCOS pipeline: Afterburn v4.5.3 (which contains the fix for this) just landed in RHCOS 47.82.202011122343-0.
Comment 6 jima 2020-11-19 08:29:28 UTC 
Used 47.82.202011122343-0 to deploy upi on vsphere with version 4.7.0-0.nightly-2020-11-18-203317, and enabled secureboot when booting instance. 
The installation is successful. so move the bug to VERIFIED.
Comment 10 errata-xmlrpc 2021-02-24 15:18:37 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633