Bug 1856821 - [4.4.z] unable to boot RHCOS 4.5 with SecureBoot enabled
Summary: [4.4.z] unable to boot RHCOS 4.5 with SecureBoot enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RHCOS
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 4.4.z
Assignee: Micah Abbott
QA Contact: Michael Nguyen
URL:
Whiteboard:
Depends On: 1856501 1856820 1857238
Blocks: 1856822
 
Reported: 2020-07-14 14:10 UTC by Micah Abbott
Modified: 2021-04-05 17:48 UTC (History)
CC List: 12 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Booting RHCOS with Secure Boot enabled
Consequence: RHCOS is unable to boot
Fix: Including a rebuilt 8.2 kernel with proper signatures for Secure Boot
Result: RHCOS is able to boot successfully with Secure Boot enabled
Clone Of: 1856820
Clones: 1856822
Environment:
Last Closed: 2020-07-21 10:31:06 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2913 0 None None None 2020-07-21 10:31:13 UTC

Comment 1 Micah Abbott 2020-07-15 03:34:05 UTC
We never shipped the affected kernel in any OCP/RHCOS 4.4.z releases.  An RHCOS 4.4 build was *made* with the affected kernel, but was never consumed into a release payload.  So this BZ is more of a tracker issue.

That being said, the fixed kernel (kernel-4.18.0-193.13.2.el8_2.x86_64) was included as part of RHCOS 44.82.202007141430-0, which is part of 4.4.0-0.nightly-2020-07-14-173909.

Marking as MODIFIED for the OCP BZ bot to sweep this into an errata.

Comment 4 Michael Nguyen 2020-07-16 13:22:34 UTC
Verified on RHCOS 44.82.202007141430-0 which is included in OCP 4.4.0-0.nightly-2020-07-14-173909


 $ cosa run --qemu-firmware uefi-secure --qemu-image ./rhcos-44.82.202007141430-0-qemu.x86_64.qcow2
+ podman run --rm -ti --security-opt label=disable --privileged --uidmap=1000:0:1 --uidmap=0:1:1000 --uidmap 1001:1001:64536 -v /srv/rhcos:/srv/ --device /dev/kvm --device /dev/fuse --tmpfs /tmp -v /var/tmp:/var/tmp --name cosa quay.io/coreos-assembler/coreos-assembler:latest run --qemu-firmware uefi-secure --qemu-image ./rhcos-44.82.202007141430-0-qemu.x86_64.qcow2
virtio journal connected - sshd started
Warning: Permanently added '[127.0.0.1]:43197' (ECDSA) to the list of known hosts.
Red Hat Enterprise Linux CoreOS 44.82.202007141430-0
  Part of OpenShift 4.4, RHCOS is a Kubernetes native operating system
  managed by the Machine Config Operator (`clusteroperator/machine-config`).

WARNING: Direct SSH access to machines is not recommended; instead,
make configuration changes via `machineconfig` objects:
  https://docs.openshift.com/container-platform/4.4/architecture/architecture-rhcos.html

---
Last login: Thu Jul 16 13:19:53 2020
[core@cosa-devsh ~]$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
* ostree://d76e0c8094248dcfe475077dee2766ba9cd59e5b1849715d4130b3adb43600a6
                   Version: 44.82.202007141430-0 (2020-07-14T14:36:52Z)
[core@cosa-devsh ~]$ dmesg | grep -i secure
[    0.000000] secureboot: Secure boot enabled
[    0.000000] Kernel is locked down from EFI secure boot; see man kernel_lockdown.7
[    4.053613] integrity: Loaded X.509 cert 'Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29c65f85c'
[core@cosa-devsh ~]$ 
[core@cosa-devsh ~]$ rpm -q kernel
kernel-4.18.0-193.13.2.el8_2.x86_64

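The verification above reduces to two checks: dmesg reports Secure Boot enabled, and the running kernel is at least the fixed kernel-4.18.0-193.13.2.el8_2. The script below is an added example (not from the bug report or the RHCOS project) that encodes those two checks as shell functions; the dmesg lines and the comparison NVRs it uses are constructed inputs, and on a live host you would feed it the output of `dmesg | grep -i secure` and `rpm -q kernel` instead.

```shell
#!/bin/sh
# Added example: check a host against the verification done in comment 4.
# Fixed kernel version taken from the bug report (kernel-4.18.0-193.13.2.el8_2).
FIXED_KERNEL="4.18.0-193.13.2.el8_2"

# Constructed sample of the relevant dmesg lines (real host: dmesg | grep -i secure)
SAMPLE_DMESG='[    0.000000] secureboot: Secure boot enabled
[    0.000000] Kernel is locked down from EFI secure boot; see man kernel_lockdown.7'

# Returns 0 when the given dmesg text reports Secure Boot as enabled.
secure_boot_enabled() {
    printf '%s\n' "$1" | grep -q 'secureboot: Secure boot enabled'
}

# Returns 0 when the kernel NVR (e.g. kernel-4.18.0-193.13.2.el8_2.x86_64, as
# printed by "rpm -q kernel") is the fixed version or newer. The "kernel-"
# prefix, ".x86_64" arch and ".el8_2" dist tag are stripped, then the
# remaining dot/dash separated numeric fields are compared left to right.
kernel_is_fixed() {
    ver=${1#kernel-}
    ver=${ver%.x86_64}
    have=$(printf '%s' "$ver" | sed 's/\.el[0-9_]*$//' | tr '.-' '  ')
    want=$(printf '%s' "$FIXED_KERNEL" | sed 's/\.el[0-9_]*$//' | tr '.-' '  ')
    set -- $have                      # positional params now hold the host's fields
    for f in $want; do
        [ "${1:-0}" -gt "$f" ] && return 0   # newer than the fix
        [ "${1:-0}" -lt "$f" ] && return 1   # older than the fix
        [ $# -gt 0 ] && shift
    done
    return 0                          # every field equal: exactly the fixed kernel
}

# Combines both checks; prints which one failed so the result is actionable.
verify_secure_boot_fix() {
    dmesg_text=$1
    kernel_nvr=$2
    if ! secure_boot_enabled "$dmesg_text"; then
        echo "Secure Boot not reported as enabled" >&2
        return 1
    fi
    if ! kernel_is_fixed "$kernel_nvr"; then
        echo "kernel $kernel_nvr is older than kernel-$FIXED_KERNEL" >&2
        return 1
    fi
    echo "Secure Boot enabled and kernel $kernel_nvr carries the fix"
}
```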
Comment 6 errata-xmlrpc 2020-07-21 10:31:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2913

Comment 7 W. Trevor King 2021-04-05 17:48:03 UTC
Removing UpgradeBlocker from this older bug, to remove it from the suspect queue described in [1].  If you feel like this bug still needs to be a suspect, please add the keyword again.

[1]: https://github.com/openshift/enhancements/pull/475

