Bug 1856821
| Summary: | [4.4.z] unable to boot RHCOS 4.5 with SecureBoot enabled | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Micah Abbott <miabbott> |
| Component: | RHCOS | Assignee: | Micah Abbott <miabbott> |
| Status: | CLOSED ERRATA | QA Contact: | Michael Nguyen <mnguyen> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 4.4 | CC: | bbreard, bgilbert, dornelas, imcleod, jjung, jligon, lmohanty, mnguyen, nstielau, vlaad, walters, wking |
| Target Milestone: | --- | Keywords: | UpcomingSprint |
| Target Release: | 4.4.z | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Cause: Booting RHCOS with Secure Boot enabled. Consequence: RHCOS is unable to boot. Fix: Including a rebuilt 8.2 kernel with proper signatures for Secure Boot. Result: RHCOS is able to boot successfully with Secure Boot enabled. | Story Points: | --- |
| Clone Of: | 1856820 | | |
| : | 1856822 | Environment: | |
| Last Closed: | 2020-07-21 10:31:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1856501, 1856820, 1857238 | | |
| Bug Blocks: | 1856822 | | |

Comment 1
Micah Abbott
2020-07-15 03:34:05 UTC
Verified on RHCOS 44.82.202007141430-0 which is included in OCP 4.4.0-0.nightly-2020-07-14-173909

```
$ cosa run --qemu-firmware uefi-secure --qemu-image ./rhcos-44.82.202007141430-0-qemu.x86_64.qcow2
+ podman run --rm -ti --security-opt label=disable --privileged --uidmap=1000:0:1 --uidmap=0:1:1000 --uidmap 1001:1001:64536 -v /srv/rhcos:/srv/ --device /dev/kvm --device /dev/fuse --tmpfs /tmp -v /var/tmp:/var/tmp --name cosa quay.io/coreos-assembler/coreos-assembler:latest run --qemu-firmware uefi-secure --qemu-image ./rhcos-44.82.202007141430-0-qemu.x86_64.qcow2
virtio journal connected - sshd started
Warning: Permanently added '[127.0.0.1]:43197' (ECDSA) to the list of known hosts.
Red Hat Enterprise Linux CoreOS 44.82.202007141430-0
Part of OpenShift 4.4, RHCOS is a Kubernetes native operating system
managed by the Machine Config Operator (`clusteroperator/machine-config`).

WARNING: Direct SSH access to machines is not recommended; instead,
make configuration changes via `machineconfig` objects:
https://docs.openshift.com/container-platform/4.4/architecture/architecture-rhcos.html

---
Last login: Thu Jul 16 13:19:53 2020
[core@cosa-devsh ~]$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
* ostree://d76e0c8094248dcfe475077dee2766ba9cd59e5b1849715d4130b3adb43600a6
Version: 44.82.202007141430-0 (2020-07-14T14:36:52Z)
[core@cosa-devsh ~]$ dmesg | grep -i secure
[ 0.000000] secureboot: Secure boot enabled
[ 0.000000] Kernel is locked down from EFI secure boot; see man kernel_lockdown.7
[ 4.053613] integrity: Loaded X.509 cert 'Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29c65f85c'
[core@cosa-devsh ~]$
[core@cosa-devsh ~]$ rpm -q kernel
kernel-4.18.0-193.13.2.el8_2.x86_64
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2913

Removing UpgradeBlocker from this older bug, to remove it from the suspect queue described in [1]. If you feel like this bug still needs to be a suspect, please add keyword again.

[1]: https://github.com/openshift/enhancements/pull/475