Bug 1273989 - [Hyper-V] Gen2 VM secure boot certificate signing - RHEL 7.2 Beta/RC
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: efibootmgr
x86_64 Windows
unspecified Severity high
: rc
: ---
Assigned To: Peter Jones
Release Test Team
Depends On:
Reported: 2015-10-21 12:36 EDT by Chris
Modified: 2016-01-22 15:15 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-01-22 15:15:54 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Chris 2015-10-21 12:36:26 EDT
Description of problem:
Secure boot is not possible with any of the RHEL 7.x releases.

Version-Release number of selected component (if applicable):
Tested also with the most recent 7.2 RC2.

How reproducible:

Steps to Reproduce:
1. Create a new Gen2 VM
2. Go to the VM settings - Security
3. For the certificate template, select the Microsoft UEFI Certificate Authority.
4. Attach the DVD1 ISO
5. Boot the VM

Actual results:
These messages are displayed when booting from ISO:
error: /images/pxeboot/vmlinuz has invalid signature.
error: you need to load the kernel first.

Expected results:
EFI/UEFI kernel files would have the Microsoft UEFI CA Certificate present, which would allow the secure boot feature on a Gen2 VM.
Comment 2 Yaju Cao 2015-10-22 02:52:35 EDT
Hi Chris,

I think this is expected for the RHEL 7.2 Beta version, according to the document below:

Note: the kernel-signing-ca.cer could be found according to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html-single/7.2_Release_Notes/index.html

And I have tried with the latest RHEL 7.2 version according to the above steps, and the guest could boot up with Secure Boot enabled.

For the RHEL 7.2 GA, I think it should just work without the above action.
Comment 3 Chris 2015-10-22 03:32:37 EDT
Thank you Yaju for the info, I wasn't aware of this limitation as part of the Beta builds.
Will use the steps mentioned in the meantime and verify the GA ISO when released.
Comment 4 Peter Jones 2016-01-22 15:04:01 EST
Since this is really just an artifact of the release process, and should naturally be resolved without any extra work, I'm NAKing this.
Comment 5 RHEL Product and Program Management 2016-01-22 15:15:54 EST
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.