Description of problem:
After updating to RHEL7.4 (from an updated 7.3), the machine was not able to boot in UEFI Secure Boot. shim was updated to shim-x64 and grub2-efi was updated to grub2-efi-x64. At boot, the system reports:

    Something has gone seriously wrong: Invalid Parameter
    Shim was unable to measure state into the TPM

The system will no longer boot. This system was installed with RHEL7.0 and has been updated and rebooted several times since then without issue.

Version-Release number of selected component (if applicable):
grub2-efi-x64-2.02-0.64.el7
shim-x64-12-1.el7

How reproducible:
Always

Steps to Reproduce:
1. Update to latest RHEL7.3
2. Use UEFI Secure Boot
3. Update to RHEL7.4

Actual results:
Won't boot.

Created attachment 1308431: Disk information
Output of gdisk -l and df -h.

Created attachment 1308432: grub.cfg
Grub configuration file.

After much work, I was able to work around the issue by reverting to older packages.

1. Leave EFI and Secure Boot enabled.
2. Boot from a RHEL ISO and start Anaconda rescue.
3. Configure networking.
4. Remove the new packages:

    # yum remove mokutil grub2-tools grub2-tools-minimal grub2-tools-extra grub2-tools-efi grub2-efi shim

5. Install the old packages, excluding the new packages and ignoring obsoletes:

    yum install shim-0.9-2.el7 grub2-efi-2.02-0.44.el7 grub2-tools-2.02-0.44.el7 mokutil-0.9-2.el7 -x shim-x64,grub2-efi-x64,grub2-tools-extra,grub2-tools-minimal --setopt=obsoletes=0

6. Reboot (SELinux will run the first time you reboot, so it will reboot a second time).

The UEFI Secure Boot bug is present in RHEL 7.4, Fedora 27, Fedora 28 beta.

Supposing you're in UEFI secure mode:
If you install from scratch RHEL 7.4: it will not boot.
If you install from scratch Fedora 27: it will not boot.
If you install from scratch Fedora 28 beta: it will not boot.

Would it be wise to revert shim to the previous stable version in RHEL 7.5 and Fedora 28?

-- Laurent

I upgraded to RHEL7.6, and it boots for me now using UEFI Secure Boot.

    $ yum list installed shim* grub2*
    Installed Packages
    grub2-common.noarch               1:2.02-0.76.el7   @rhel-7-server-rpms
    grub2-efi-x64.x86_64              1:2.02-0.76.el7   @rhel-7-server-rpms
    grub2-tools.x86_64                1:2.02-0.76.el7   @rhel-7-server-rpms
    grub2-tools-extra.x86_64          1:2.02-0.76.el7   @rhel-7-server-rpms
    grub2-tools-minimal.x86_64        1:2.02-0.76.el7   @rhel-7-server-rpms
    shim-x64.x86_64                   15-1.el7          @rhel-7-server-rpms

    $ bootctl status
    ...
    Secure Boot: enabled
    Setup Mode: user
    Selected Firmware Entry:
    Title: Red Hat Enterprise Linux
    Partition: /dev/disk/by-partuuid/d22e9115-23a5-4f73-9c03-1a3c0a280fc4
    File: └─/EFI/redhat/shim.efi
    ...

Closing current release based on Comment 8.