Bug 2170840

Summary: uninstall fwupd prevent system to boot due to shim-x64 removal
Product: Red Hat Enterprise Linux 9
Reporter: Danie de Jager <danie.dejager>
Component: shim
Assignee: Bootloader engineering team <bootloader-eng-team>
Status: CLOSED NOTABUG
QA Contact: Release Test Team <release-test-team-automation>
Severity: low
Priority: unspecified
Version: 9.1
CC: jaredz, rharwood, tucklesepk
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Last Closed: 2023-03-01 21:59:18 UTC
Type: Bug

Description Danie de Jager 2023-02-17 11:17:20 UTC
Description of problem:
I cleaned up a host running Rocky 9.1. I removed fwupd as I thought I did not need it. My thinking was that I'm running the host in the cloud which won't have any firmware updates.
I did not fully appreciate the consequences of what the removal of shim-x64 will have in my life.

Due to the current dependencies fwupd effectively becomes a required package, even if I don't have a host that would be supported by it. With hindsight I could've removed it without removing dependencies too.

Could the dependency be reevaluated for fwupd so as not to remove shim-x64 when uninstalling it?

Version-Release number of selected component (if applicable):
Rocky 9.1

How reproducible:
Very

Steps to Reproduce:
1. yum remove fwupd -y
2. reboot

Actual results:
system no longer able to boot.

Expected results:
only remove fwupd and not packages required to boot the system.

Additional info:

Comment 1 Richard Hughes 2023-02-17 12:57:15 UTC
> I removed fwupd as I thought I did not need it.

What did "yum remove fwupd -y" say? Is the yum effectively running dnf in 9.1?

> Due to the current dependencies fwupd effectively becomes a required package

How so? I'm assuming dnf removed shim-x64 to be helpful as shim-x64 was discovered to be an unused leaf package. I'm assuming you could have done "rpm -e fwupd" to avoid removing shim-x64 too?

Comment 2 Louis Abel 2023-02-20 04:44:14 UTC
The problem is that shim-x64 requires fwupd as a dependency to install. fwupd provides dbxtool, and shim-x64 requires dbxtool. Here's a RHEL 9.1 box showing this issue.

[root@localhost ~]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.1 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.1"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.1 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/9/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.1
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.1"
[root@localhost ~]# dnf repoquery -q shim-x64 --requires
dbxtool >= 0.6-3
efi-filesystem
mokutil >= 1:0.3.0-1
[root@localhost ~]# dnf repoquery -q --whatprovides dbxtool
fwupd-0:1.7.4-2.el9_0.x86_64
fwupd-0:1.7.9-1.el9.x86_64

Removing fwupd wants to take shim-x64 with it as a result.

[root@localhost ~]# rpm -e fwupd
error: Failed dependencies:
        dbxtool >= 0.6-3 is needed by (installed) shim-x64-15.6-1.el9.x86_64
        fwupd(x86-64) = 1.7.9-1.el9 is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupd.so.2()(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupd.so.2(LIBFWUPD_0.1.1)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupd.so.2(LIBFWUPD_0.9.3)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupd.so.2(LIBFWUPD_0.9.8)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupd.so.2(LIBFWUPD_1.5.0)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupd.so.2(LIBFWUPD_1.5.5)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupd.so.2(LIBFWUPD_1.5.8)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5()(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_0.1.0)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_0.7.1)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_0.8.0)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_0.9.5)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_0.9.7)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.0.0)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.0.8)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.1.2)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.2.5)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.2.6)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.2.9)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.3.3)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.4.0)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.4.5)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.5.5)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.6.0)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.6.2)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.7.0)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.7.3)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64

Comment 3 Richard Hughes 2023-02-20 07:59:08 UTC
>         dbxtool >= 0.6-3 is needed by (installed) shim-x64-15.6-1.el9.x86_64

Ahh, so I think this is the one we want to remove or weaken. A weak dep (either suggests or recommends) would be perfect for this. I'll reassign, and we can see what the shim people think.

Comment 4 Robbie Harwood 2023-02-20 13:40:49 UTC
I don't think we have any interest in supporting removal of fwupd, as it's used to apply DBX updates.

Comment 5 Danie de Jager 2023-02-27 06:19:44 UTC
@rharwood Are there any DBX updates relevant to Cloud infrastructure? I'm yet to see Secure Boot required to boot a host in AWS or Azure. The current defaults for 9.1 would cater for such an environment but if fwupd is not needed or unused?
I'm simply asking that the dependencies be reevaluated so that the OS bootup doesn't break if fwupd were removed without fully appreciating its importance due to reliance by UEFI and shim-x64.

Comment 6 Robbie Harwood 2023-02-27 14:27:07 UTC
> Are there any DBX updates relevant to Cloud infrastructure?

This suggests misunderstanding of what DBX is.  DBX prohibits booting of known-vulnerable systems: it's a list of known-bad hashes.  It has nothing to do with whether what's booting is a cloud image, or running on bare metal.

Comment 7 Danie de Jager 2023-02-27 14:51:41 UTC
@rharwood Thanks for clearing that up. Then it makes sense to retain dbx and shim-x64 and not remove them should fwupd be removed. Would that be possible?

Comment 8 Jared Dominguez 2023-03-01 21:59:18 UTC
(In reply to Danie de Jager from comment #7)
> @rharwood Thanks for clearing that up. Then it makes sense to retain dbx and
> shim-x64 and not remove them should fwupd be removed. Would that be possible?

See comment #4: "I don't think we have any interest in supporting removal of fwupd, as it's used to apply DBX updates."

Note that virtual machines still use firmware (SeaBIOS or OVMF usually).
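
The failure mode in this report, as an added example that is not part of the bug thread or of any Red Hat tooling: a pre-removal guard that parses dnf's dry-run transaction table and refuses when a boot-critical package such as shim-x64 is in the removal set. The function names, the BOOT_CRITICAL list and the sample transaction are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: guard a package removal against taking the bootloader with it.
# BOOT_CRITICAL is an assumed list; extend it for your platform.
BOOT_CRITICAL='shim-x64 shim-aa64 grub2-efi-x64 grub2-pc kernel-core'

# Read a dnf transaction table on stdin and print each boot-critical package
# found in any "Removing..." section. Returns 1 if at least one was found.
flag_boot_critical() {
    awk -v crit="$BOOT_CRITICAL" '
        BEGIN { n = split(crit, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^Removing/ { in_rm = 1; next }   # "Removing:", "Removing dependent packages:", ...
        /^(Installing|Upgrading|Downgrading|Transaction Summary)/ { in_rm = 0 }
        in_rm && NF >= 2 && ($1 in want) { print $1; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# Dry-run the removal (--assumeno answers "no" at the prompt) and only run the
# real transaction when no boot-critical package is in the removal set.
safe_remove() {
    if LC_ALL=C dnf remove --assumeno "$1" 2>&1 | flag_boot_critical; then
        dnf remove "$1"
    else
        echo "refusing: removing $1 would also remove a boot-critical package" >&2
        return 1
    fi
}

# Constructed sample of the table dnf prints for "dnf remove fwupd" on the
# host in this report (versions from the thread; repo and size columns made up).
sample_transaction() {
    cat <<'EOF'
Removing:
 fwupd                  x86_64  1.7.9-1.el9  @baseos    6.1 M
Removing dependent packages:
 fwupd-plugin-flashrom  x86_64  1.7.9-1.el9  @baseos     38 k
 shim-x64               x86_64  15.6-1.el9   @anaconda  3.9 M

Transaction Summary
Remove  3 Packages
EOF
}

if sample_transaction | flag_boot_critical >/dev/null; then
    echo "sample: safe to remove"
else
    echo "sample: removal would take a boot-critical package"
fi
```

dnf can also enforce this itself: a package named in a file under /etc/dnf/protected.d/ is covered by its protected_packages setting, and dnf refuses transactions that would remove it.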