Bug 2049214

Summary: Build grub2 against the pesign for targets in CentOS Stream and RHEL 9 GA
Product: Red Hat Enterprise Linux 9
Reporter: Brian Stinson <bstinson>
Component: grub2
Assignee: Bootloader engineering team <bootloader-eng-team>
Status: CLOSED ERRATA
QA Contact: Oliver Gutiérrez <ogutierr>
Severity: unspecified
Priority: unspecified
Version: CentOS Stream
CC: bstinson, jwboyer, ogutierr, rharwood, rvr
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: https://gitlab.com/redhat/centos-stream/rpms/grub2/-/merge_requests/21
Fixed In Version: grub2-2.06-21.el9
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-05-17 15:51:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions: ---
Category: ---

Description Brian Stinson 2022-02-01 18:12:58 UTC
We currently have the well-known secureboot certificates available for CentOS Stream and RHEL 9. We should switch to using the pesign targets in CentOS Stream koji so that we sign grub2 correctly.

Comment 3 Brian Stinson 2022-02-17 20:48:06 UTC
The CentOS Stream x86_64 build of grub2-2.06-21.el9 reports this:

• pesign -l --in=grubx64.efi
---------------------------------------------
certificate address is 0x7f345acee008
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is CentOS Secure Boot Signing 202
The signer's email address is security
Signing time: Wed Feb 16, 2022
There were certs or crls included.
---------------------------------------------

The RHEL build of grub2-2.06-21.el9 reports:

• pesign -l --in=grubx64.efi
---------------------------------------------
certificate address is 0x7f1fd07f3008
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Secure Boot Signing 502
The signer's email address is secalert
Signing time: Wed Feb 16, 2022
There were certs or crls included.
---------------------------------------------
This is what I expected in both cases. Additionally, a host pre-installed with CentOS Stream 9 from the mirrors and manually upgraded to grub2-2.06-21 boots properly and reports the following once booted:
• mokutil --sb-state
SecureBoot enabled

What other cases should we include to consider this VERIFIED?
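The check in the previous comment, automated as an added example (not a script from the bug report or the grub2 package): it extracts the signer common name from `pesign -l` output and compares it with the signer expected for the distribution (`centos` or `rhel`, as in the `ID` field of /etc/os-release). The two listings embedded below are constructed from the output quoted in this comment; the grubx64.efi path in the trailing comment is the usual location and is assumed.

```shell
#!/bin/sh
# Added example: verify that a grub2 EFI image carries the signer expected
# for the distribution it was built for. Signer names are those quoted in
# the bug; the pesign listings below are constructed sample input.

# expected_signer <os-release ID>: print the expected signer common name.
expected_signer() {
    case "$1" in
        centos) printf '%s\n' "CentOS Secure Boot Signing 202" ;;
        rhel)   printf '%s\n' "Red Hat Secure Boot Signing 502" ;;
        *)      return 1 ;;
    esac
}

# signer_from_pesign: read `pesign -l` output on stdin, print the first
# signer common name found (empty if the image is unsigned).
signer_from_pesign() {
    sed -n "s/^The signer's common name is //p" | head -n 1
}

# check_signer <os-release ID> <pesign listing>: 0 on match, 1 on mismatch,
# 2 for an unknown distribution, 3 when no signer is present.
check_signer() {
    id="$1"
    want=$(expected_signer "$id") || { echo "unknown distribution: $id" >&2; return 2; }
    got=$(printf '%s\n' "$2" | signer_from_pesign)
    [ -n "$got" ] || { echo "no signer found in pesign output" >&2; return 3; }
    if [ "$got" = "$want" ]; then
        echo "OK: $id image signed by '$got'"
        return 0
    fi
    echo "MISMATCH: $id image signed by '$got', expected '$want'" >&2
    return 1
}

# Constructed listings modelled on the two outputs quoted in the bug.
CENTOS_LISTING="certificate address is 0x7f345acee008
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is CentOS Secure Boot Signing 202
Signing time: Wed Feb 16, 2022
There were certs or crls included."
RHEL_LISTING="certificate address is 0x7f1fd07f3008
The signer's common name is Red Hat Secure Boot Signing 502
There were certs or crls included."

# On a real host (path assumed):
# check_signer "$(. /etc/os-release; echo "$ID")" \
#     "$(pesign -l --in=/boot/efi/EFI/centos/grubx64.efi)"
```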

Comment 4 Oliver Gutiérrez 2022-02-18 09:46:08 UTC
From my POV that should be enough, as the purpose of the patch is precisely to use the correct signing for each system. If the certificates are correct, the machine boots and secureboot status is enabled, that should be all round.

What we need is to have this merged in c9s and I need to double check this on my side.

Comment 13 Brian Stinson 2022-02-21 19:53:59 UTC
We have a couple of good reports on IRC and on this bug for CentOS Stream: https://bugzilla.redhat.com/show_bug.cgi?id=2027505

CentOS is booting properly with Secureboot enabled.

Comment 18 errata-xmlrpc 2022-05-17 15:51:00 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (new packages: grub2), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3925