Bug 2106058

Summary: vSphere defaults to SecureBoot on; breaks installation of out-of-tree drivers [4.11.0]
Product: OpenShift Container Platform
Reporter: Micah Abbott <miabbott>
Component: RHCOS
Assignee: Michael Nguyen <mnguyen>
Status: CLOSED ERRATA
QA Contact: HuijingHei <hhei>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 4.11
CC: dornelas, jligon, miabbott, mnguyen, mpytlak, mrussell, nstielau, qzhang, rhcos-triage, travier
Target Milestone: ---
Target Release: 4.11.0
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 2106055
Environment:
Last Closed: 2022-08-10 11:20:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2106055, 2106062
Bug Blocks:

Description Micah Abbott 2022-07-11 16:03:09 UTC
+++ This bug was initially created as a clone of Bug #2106055 +++

Original discussion - https://github.com/coreos/fedora-coreos-tracker/issues/1119

We made the broad decision to change the metadata of the vSphere artifacts in the following ways:

- change osType to reflect it is a RHEL 8 operating system 
- change hw version to 15

https://github.com/openshift/os/pull/748/

- change the firmware to use EFI by default

https://github.com/coreos/coreos-assembler/pull/2762

- change the firmware to have SecureBoot enabled by default

https://github.com/coreos/coreos-assembler/pull/2767/


Defaulting to having SecureBoot enabled by default is the most impactful change and we failed to communicate this change more broadly. 

We are in a position where enabling this for new cluster installs may prevent customers + partners from installing out-of-tree kernel modules as part of the day 1 use case.

PM has indicated that the majority of the OCP ecosystem is not ready for this kind of broad change and we should default to having SecureBoot disabled.

Comment 1 RHCOS Bug Bot 2022-07-14 19:40:04 UTC
The fix for this bug will not be delivered to customers until it lands in an updated bootimage.  That process is tracked in bug 2106062, which has status ASSIGNED.  Moving this bug back to POST.

Comment 2 RHCOS Bug Bot 2022-07-15 04:19:45 UTC
This bug has been reported fixed in a new RHCOS build and is ready for QE verification.  To mark the bug verified, set the Verified field to Tested.  This bug will automatically move to MODIFIED once the fix has landed in a new bootimage.

Comment 3 Michael Nguyen 2022-07-15 04:23:12 UTC
Fix has landed in RHCOS 411.86.202207140725-0

To verify, download the RHCOS OVA.

tar xvf rhcos*ova
cat coreos.ovf | grep -i secure

The value should be set to false

Comment 4 HuijingHei 2022-07-15 06:43:34 UTC
Pre-verify passed with latest RHCOS 411.86.202207150124-0

[coreos-assembler]$ tar xvf rhcos-411.86.202207150124-0-vmware.x86_64.ova 
coreos.ovf
disk.vmdk
[coreos-assembler]$ cat coreos.ovf | grep -i secure
      <vmw:Config ovf:required="false" vmw:key="bootOptions.efiSecureBootEnabled" vmw:value="false"/>
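
The grep in the comments above is fine for a one-off look, but a check that will be repeated on every bootimage is better off parsing the OVF as XML, so attribute order and whitespace cannot fool it and an absent key (where vSphere's own default would apply) is reported as a distinct case. The following is an added example, not code from this bug or from coreos-assembler; the embedded OVF is a constructed minimal stand-in for coreos.ovf, and the firmware key in it is assumed for illustration.

```python
import io
import tarfile
import xml.etree.ElementTree as ET

VMW_NS = "http://www.vmware.com/schema/ovf"
SECURE_BOOT_KEY = "bootOptions.efiSecureBootEnabled"

# Constructed minimal OVF, not the real coreos.ovf; only the vmw:Config elements matter here.
SAMPLE_OVF = """<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
          xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
          xmlns:vmw="http://www.vmware.com/schema/ovf">
  <VirtualSystem ovf:id="rhcos">
    <VirtualHardwareSection>
      <vmw:Config ovf:required="false" vmw:key="firmware" vmw:value="efi"/>
      <vmw:Config ovf:required="false" vmw:key="bootOptions.efiSecureBootEnabled" vmw:value="false"/>
    </VirtualHardwareSection>
  </VirtualSystem>
</Envelope>
"""


def build_sample_ova(ovf_text: str = SAMPLE_OVF) -> bytes:
    """Pack an OVF into an in-memory tar archive, which is all an OVA is (constructed test input)."""
    buf = io.BytesIO()
    data = ovf_text.encode()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("coreos.ovf")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def vmw_config(ova_bytes: bytes) -> dict:
    """Return {vmw:key: vmw:value} for every vmw:Config element in the OVA's single .ovf descriptor."""
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r") as tar:
        ovf_members = [m for m in tar.getmembers() if m.name.endswith(".ovf")]
        if len(ovf_members) != 1:
            raise ValueError("expected exactly one .ovf descriptor in the OVA")
        root = ET.parse(tar.extractfile(ovf_members[0])).getroot()
    # Namespace-qualified lookups, so the check does not depend on prefix names or attribute order.
    return {el.get(f"{{{VMW_NS}}}key"): el.get(f"{{{VMW_NS}}}value")
            for el in root.iter(f"{{{VMW_NS}}}Config")}


def secure_boot_enabled(ova_bytes: bytes):
    """True/False as declared in the OVF; None when the key is absent and the vSphere default applies."""
    value = vmw_config(ova_bytes).get(SECURE_BOOT_KEY)
    return None if value is None else value.strip().lower() == "true"
```

For a real artifact, read the .ova from disk and assert `secure_boot_enabled(data) is False`; a `None` result means the descriptor is silent and the hypervisor, not the image, decides.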

Comment 5 RHCOS Bug Bot 2022-07-18 18:53:49 UTC
The fix for this bug has landed in a bootimage bump, as tracked in bug 2106062 (now in status MODIFIED).  Moving this bug to MODIFIED.

Comment 8 HuijingHei 2022-07-20 06:31:28 UTC
Change status to verified according to result in Comment 4

Comment 9 errata-xmlrpc 2022-08-10 11:20:54 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069