Bug 1799891 - RHCOS UEFI images are not secure boot compliant
Summary: RHCOS UEFI images are not secure boot compliant
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RHCOS
Version: 4.4
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
: 4.4.0
Assignee: Ben Howard
QA Contact: Michael Nguyen
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-02-06 19:29 UTC by Ben Howard
Modified: 2020-12-01 20:50 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-13 21:56:48 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:0581 0 None None None 2020-05-13 21:56:50 UTC

Description Ben Howard 2020-02-06 19:29:57 UTC
RHCOS is UEFI capable but is missing the firmware support for Secure UEFI. As a result, on certain bare metal hardware and cloud providers (Azure Gen2) RHCOS will not boot. 

Our current EFI layout is:
[root@ibm-p8-kvm-03-guest-02 boot]# find efi -type f -exec md5sum {} \; | sort
805369650ed821476003893402c7c8df  efi/EFI/redhat/grub.cfg
a1a08d1393070ef05a912cd08f132a70  efi/EFI/BOOT/grubx64.efi
c748cde9827385f9832a4f0ab1f02550  efi/EFI/BOOT/BOOTX64.EFI

We are missing:
- shim64.efi: provides the MS signing key.
- fbx64.efi: fallback shim in case a disk is moved
- mmx64.efi: needed for key-enrollment for GPL compliance of the SHIM

Comment 1 Ben Howard 2020-02-06 19:31:01 UTC
Fix proposed for CoreOS Assembler.
https://github.com/coreos/coreos-assembler/pull/1105

Comment 2 Ben Howard 2020-02-06 21:57:57 UTC
PR merged. Confirmed that the fix registers keys.

Comment 3 Micah Abbott 2020-03-12 19:59:15 UTC
Pushing back to MODIFIED to attach to errata

Comment 6 Steve Milner 2020-03-12 20:03:57 UTC
Pulled image from https://github.com/openshift/installer/pull/3271:

General cosa run:
[core@ibm-p8-kvm-03-guest-02 boot]$ find efi -type f -exec md5sum {} \; | sort
05557eab696d7b70a2a45ed8126685d3  efi/EFI/redhat/grubx64.efi
05cc95b356fb10e84dcdccb09aa0f032  efi/EFI/redhat/shimx64-redhat.efi
3a0b681a2558863e117d71f3e5c504fc  efi/EFI/redhat/grub.cfg
5a1d0059397afc447de3561d7d508ff3  efi/EFI/redhat/mmx64.efi
b90ffff182e4b99380e6e4d2a9e33753  efi/EFI/redhat/BOOTX64.CSV
c748cde9827385f9832a4f0ab1f02550  efi/EFI/BOOT/BOOTX64.EFI
c748cde9827385f9832a4f0ab1f02550  efi/EFI/redhat/shimx64.efi
f8b0bf703a67a957d946f7278e01dc08  efi/EFI/BOOT/fbx64.efi
[core@ibm-p8-kvm-03-guest-02 boot]$ 


Same results with --uefi and --uefi-secure when using uefi.

Comment 7 Micah Abbott 2020-03-13 13:28:17 UTC
Per comment #6, moving to VERIFIED

Comment 9 errata-xmlrpc 2020-05-13 21:56:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581


Note You need to log in before you can comment on or make changes to this bug.