Bug 1477735 - Shim was unable to measure state into the TPM
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: shim
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Peter Jones
QA Contact: Release Test Team
Reported: 2017-08-02 18:46 UTC by Forrest Taylor
Modified: 2021-12-10 15:11 UTC (History)
Last Closed: 2019-06-11 20:46:09 UTC

Attachments:
Disk information (1.52 KB, text/plain), 2017-08-02 19:11 UTC, Forrest Taylor
grub.cfg (6.87 KB, text/plain), 2017-08-02 19:11 UTC, Forrest Taylor

Description Forrest Taylor 2017-08-02 18:46:28 UTC
Description of problem:
After updating to RHEL7.4 (from an updated 7.3), the machine was not able to boot in UEFI Secure Boot.  shim was updated to shim-x64 and grub2-efi was updated to grub2-efi-x64.  At boot, the system reports:

Something has gone seriously wrong: Invalid Parameter
Shim was unable to measure state into the TPM

The system will no longer boot.  This system was installed with RHEL7.0 and has been updated and rebooted several times since then without issue.


Version-Release number of selected component (if applicable):
grub2-efi-x64-2.02-0.64.el7
shim-x64-12-1.el7

How reproducible:
Always

Steps to Reproduce:
1. Update to latest RHEL7.3
2. Use UEFI Secure Boot
3. Update to RHEL7.4

Actual results:
Won't boot.

Comment 2 Forrest Taylor 2017-08-02 19:11:13 UTC
Created attachment 1308431
Disk information

Output of gdisk -l and df -h.

Comment 3 Forrest Taylor 2017-08-02 19:11:46 UTC
Created attachment 1308432
grub.cfg

Grub configuration file.

Comment 4 Forrest Taylor 2017-08-03 20:55:31 UTC
After much work, I was able to work around the issue by reverting to older packages.

1. Leave EFI and Secure Boot enabled.
2. Boot from a RHEL ISO and start Anaconda rescue.
3. Configure networking.
4. Remove the new packages:
# yum remove mokutil grub2-tools grub2-tools-minimal grub2-tools-extra grub2-tools-efi grub2-efi shim
5. Install the old packages, excluding the new packages and ignoring obsoletes:
# yum install shim-0.9-2.el7 grub2-efi-2.02-0.44.el7 grub2-tools-2.02-0.44.el7 mokutil-0.9-2.el7 -x shim-x64,grub2-efi-x64,grub2-tools-extra,grub2-tools-minimal --setopt=obsoletes=0
6. Reboot (SELinux will run the first time you reboot, so it will reboot a second time).

Comment 6 Laurent G. 2018-04-22 15:37:51 UTC
The UEFI Secure Boot bug is present in RHEL 7.4, Fedora 27, and Fedora 28 beta.

Supposing you're in UEFI secure mode:

If you install RHEL 7.4 from scratch: it will not boot.

If you install Fedora 27 from scratch: it will not boot.

If you install Fedora 28 beta from scratch: it will not boot.


Would it be wise to revert shim to the previous stable version in RHEL 7.5 and Fedora 28?

--
Laurent

Comment 8 Forrest Taylor 2018-11-01 14:39:27 UTC
I upgraded to RHEL7.6, and it boots for me now using UEFI Secure Boot.

$ yum list installed shim* grub2*

Installed Packages
grub2-common.noarch                 1:2.02-0.76.el7          @rhel-7-server-rpms
grub2-efi-x64.x86_64                1:2.02-0.76.el7          @rhel-7-server-rpms
grub2-tools.x86_64                  1:2.02-0.76.el7          @rhel-7-server-rpms
grub2-tools-extra.x86_64            1:2.02-0.76.el7          @rhel-7-server-rpms
grub2-tools-minimal.x86_64          1:2.02-0.76.el7          @rhel-7-server-rpms
shim-x64.x86_64                     15-1.el7                 @rhel-7-server-rpms

$ bootctl status
...
  Secure Boot: enabled
   Setup Mode: user

Selected Firmware Entry:
        Title: Red Hat Enterprise Linux
    Partition: /dev/disk/by-partuuid/d22e9115-23a5-4f73-9c03-1a3c0a280fc4
         File: └─/EFI/redhat/shim.efi
...

Comment 9 Chris Williams 2019-06-11 20:46:09 UTC
Closing current release based on Comment 8.
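
Added example, not part of the bug thread or of any Red Hat tooling: a pre-reboot audit check that parses `yum list installed`-style output and classifies the shim/grub2 pair against the builds quoted in the Description, Comment 4 and Comment 8. The function names, verdict strings and sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread). Function names and verdict strings
# are hypothetical; the version strings are the ones quoted in this bug.

# Print the version-release (epoch stripped) of package $1, reading
# "name.arch  [epoch:]version-release  @repo" lines on stdin.
pkg_vr() {
  awk -v want="$1" '
    { name = $1; sub(/\.[^.]+$/, "", name) }   # drop ".x86_64" / ".noarch"
    name == want { vr = $2; sub(/^[0-9]+:/, "", vr); print vr; exit }'
}

# Classify the shim/grub2 pair found in a package listing on stdin.
classify_boot_chain() (
  listing=$(cat)
  shim=$(printf '%s\n' "$listing" | pkg_vr shim-x64)
  grub=$(printf '%s\n' "$listing" | pkg_vr grub2-efi-x64)
  # Comment 4's rollback uses the pre-7.4 package names.
  [ -n "$shim" ] || shim=$(printf '%s\n' "$listing" | pkg_vr shim)
  [ -n "$grub" ] || grub=$(printf '%s\n' "$listing" | pkg_vr grub2-efi)
  case "$shim/$grub" in
    12-1.el7/2.02-0.64.el7)  echo reported-failing ;;   # Description
    0.9-2.el7/2.02-0.44.el7) echo workaround-set ;;     # Comment 4
    15-1.el7/2.02-0.76.el7)  echo reported-booting ;;   # Comment 8
    /*|*/)                   echo incomplete ;;         # a package is missing
    *)                       echo unlisted ;;           # pair not in this bug
  esac
)

# True when bootctl-status-style text on stdin reports Secure Boot enabled.
secure_boot_enabled() {
  grep -Eq '^[[:space:]]*Secure Boot:[[:space:]]*enabled'
}

# Constructed sample: a host on the builds from the Description.
SAMPLE_74='Installed Packages
grub2-efi-x64.x86_64   1:2.02-0.64.el7   @rhel-7-server-rpms
shim-x64.x86_64        12-1.el7          @rhel-7-server-rpms'
SAMPLE_BOOTCTL='  Secure Boot: enabled
   Setup Mode: user'

verdict=$(printf '%s\n' "$SAMPLE_74" | classify_boot_chain)
if printf '%s\n' "$SAMPLE_BOOTCTL" | secure_boot_enabled; then
  echo "Secure Boot on, boot chain: $verdict"
fi
```

On a live host the two inputs would come from `yum list installed shim* grub2*` and `bootctl status`, the commands shown in Comment 8.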