RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1496952 - grub2-efi-x64 and shim-x64 packages will always fail rpm --verify if /boot/efi is mounted
Summary: grub2-efi-x64 and shim-x64 packages will always fail rpm --verify if /boot/ef...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: grub2
Version: 7.4
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: rc
: ---
Assignee: Peter Jones
QA Contact: Release Test Team
URL:
Whiteboard:
: 1584947 (view as bug list)
Depends On:
Blocks: 1392968 1477664 1534323 1571842
TreeView+ depends on / blocked
 
Reported: 2017-09-28 19:33 UTC by James Ralston
Modified: 2021-06-10 13:09 UTC (History)
5 users (show)

Fixed In Version: grub2-2.02-0.79.el7, fwupdate-12-4.el7, shim-15-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:02:09 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2014 0 None None None 2019-08-06 12:02:26 UTC

Description James Ralston 2017-09-28 19:33:33 UTC 
(I'm filing this against the grub2 package, but it affects the shim-signed package equally.)

Description of problem:

The grub2-efi-x64 package packages files under /boot/efi with the following attributes:

drwxr-xr-x    2 root    root  /boot/efi/EFI/redhat
drwxr-xr-x    2 root    root  /boot/efi/EFI/redhat/fonts
-rwxr-xr-x    1 root    root  /boot/efi/EFI/redhat/fonts/unicode.pf2
-rw-r--r--    1 root    root  /boot/efi/EFI/redhat/grub.cfg
-rwx------    1 root    root  /boot/efi/EFI/redhat/grubenv
-rwxr-xr-x    1 root    root  /boot/efi/EFI/redhat/grubx64.efi

The shim-x64 package packages files under /boot/efi with the following attributes:

-rw-r--r--    1 root    root  /boot/efi/EFI/BOOT/BOOTX64.EFI
-rw-r--r--    1 root    root  /boot/efi/EFI/BOOT/fbx64.efi
-rw-r--r--    1 root    root  /boot/efi/EFI/redhat/BOOT.CSV
-rw-r--r--    1 root    root  /boot/efi/EFI/redhat/BOOTX64.CSV
-rw-r--r--    1 root    root  /boot/efi/EFI/redhat/mmx64.efi
-rw-r--r--    1 root    root  /boot/efi/EFI/redhat/shim.efi
-rw-r--r--    1 root    root  /boot/efi/EFI/redhat/shimx64-redhat.efi
-rw-r--r--    1 root    root  /boot/efi/EFI/redhat/shimx64.efi

However, the /boot/efi filesystem is an EFI System Partition (ESP), which is simply a FAT partition with a particular type code. FAT partitions do not support individual file access modes. Instead, Linux generates fake mode attributes for directories/files in vfat filesystems using the umask/dmask/fmask fstab(5) options.

Effectively, this means that while the mode for files can be set when a vfat filesystem is mounted, all files in the vfat filesystem will appear to have the same mode. Similarly, the mode of directories can be specified, but all directories will have that mode.

Since the grub2-efi-x64 and shim-x64 packages contribute files under /boot/efi with varying file modes, and because neither package employs the rpm %verify directive to prevent rpm --verify from attempting to verify the file modes, there is no combination of umask/dmask/fmask mount options that will allow the /boot/efi ESP to be mounted without rpm --verify flagging one or more files under /boot/efi as having invalid file modes.

Thus, this is a packaging error, and should be corrected.

This might not seem like a big deal, but on hosts that are required to comply with the United States Government Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), when a package's on-disk contents differs in owners, groups, or file modes from what the package database asserts is correct, that is a Category I finding (the most severe finding).

Version-Release number of selected component (if applicable):

grub2-efi-x64-2.02-0.64.el7.x86_64
shim-x64-12-1.el7.x86_64

Additional info:

There are at least two ways to solve this:

1) Ensure the RPM packages package /boot/efi and everything underneath it with consistent file modes. For example, ensure that all directories are mode 0755, and all files are mode 0644. This will permit specifying dmask/fmask mount options to match what the RPM database asserts (e.g., dmask=0022,fmask=0133), and thus rpm --verify will not throw errors.

2) Ensure the RPM packages use the %(verify not mode) directive on /boot/efi and everything underneath it, so that rpm --verify will not check the file modes on /boot/efi or anything underneath it.

Of these options, I think option #2 is conceptually cleaner: since there is every expectation that /boot/efi will be mounted as an ESP, the modes on /boot/efi and everything underneath it are irrelevant, and RPM should not attempt to verify them.

I think the only reason to go for option #1 would be to protect naive system administrators from accidentally mounting /boot/efi with insane mask settings (e.g., umask=0000). But since anaconda generates a sane umask (umask=0077), and there's no guarantee that such a system administrator would pay attention to the output of rpm --verify anyway, I don't think this additional protection is worth it.
Comment 2 James Ralston 2017-09-28 19:39:31 UTC 
Cross-filed as support case 01942096.
Comment 5 Peter Jones 2018-06-29 18:19:12 UTC 
*** Bug 1584947 has been marked as a duplicate of this bug. ***
Comment 9 Peter Jones 2018-09-24 21:31:42 UTC 
*** Bug 1455788 has been marked as a duplicate of this bug. ***
Comment 17 Jan Stodola 2019-06-25 11:50:25 UTC 
[root@localhost ~]# for x in `rpm -qa | grep -E "shim|grub|fwupdate"`; do echo -n "$x"; rpm -V $x && echo " ... OK"; done
grub2-common-2.02-0.80.el7.noarch ... OK
grub2-pc-modules-2.02-0.80.el7.noarch ... OK
grub2-2.02-0.80.el7.x86_64 ... OK
grub2-efi-x64-2.02-0.80.el7.x86_64 ... OK
shim-x64-15-2.el7.x86_64 ... OK
fwupdate-libs-12-5.el7.x86_64 ... OK
grub2-tools-extra-2.02-0.80.el7.x86_64 ... OK
grub2-pc-2.02-0.80.el7.x86_64 ... OK
fwupdate-efi-12-5.el7.x86_64 ... OK
fwupdate-12-5.el7.x86_64 ... OK
grubby-8.28-26.el7.x86_64 ... OK
grub2-tools-minimal-2.02-0.80.el7.x86_64 ... OK
grub2-tools-2.02-0.80.el7.x86_64 ... OK
[root@localhost ~]#

Moving to VERIFIED.
Comment 19 errata-xmlrpc 2019-08-06 12:02:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2014
Note You need to log in before you can comment on or make changes to this bug.