Description of problem:
A customer sees a screen of death in Grub or Shim on HP xl230k hardware since he rebooted after updating to the latest kernel + Grub2 + Shim fixing the BootHole vulnerability:
I don't know if Secure Boot is enabled, I will get a sosreport soon.
We were able to recover by keeping latest kernel but downgrading grub2, shim and mokutil packages to previous release.
Version-Release number of selected component (if applicable):
grub2-2.02-0.86.el7_8 / shim-x64-15-7.el7_8
Always for customer
Created attachment 1702918
1st error message
Created attachment 1702919
2nd error message
Looks like BZ 1861977 is the same for RHEL8
Created attachment 1702922
dmidecode of HPE hardware hitting this
Hit on HPE (see attached dmidecode) with SecureBoot disabled.
Although running CentOS 7, my systems were also impacted by this issue. For reference my hardware is:
Secure Boot off (I think but did not find it explicitly listed in the BIOS settings)
Updates applied via yum-cron
My steps to a temporary work-around:
1) boot rescue disk
2) chroot /mnt/sysimage
3) ip address add...
4) ip route add...
5) update /etc/resolv.conf if necessary
6) yum downgrade shim-x64 mokutil grub2\*
7) restore resolv.conf if updated
System now boots and runs with the following:
Should probably also blacklist the above packages until this is properly resolved.
I had problems running the downgrade command on CentOS, failing with a complaint about already having the minimum version. I manually downloaded the older versions of the packages from the base repository and specified those downloaded files on the yum downgrade command line. After that, I successfully rebooted, waited for the selinux relabel and reboot, and then things came up fine.
Problem: Cannot boot past BIOS after update. No select kernel options.
Workaround: Boot from live USB. Install timeshift from EPEL. Revert to pre-existing, pre-update snapshot. Remove live USB. Reboot.
OS: CentOS 7
Vendor: American Megatrends Inc.
Release Date: 10/09/2014
Runtime Size: 64 kB
ROM Size: 8192 kB
PCI is supported
APM is supported
BIOS is upgradeable
BIOS shadowing is allowed
Boot from CD is supported
Selectable boot is supported
BIOS ROM is socketed
EDD is supported
5.25"/1.2 MB floppy services are supported (int 13h)
3.5"/720 kB floppy services are supported (int 13h)
3.5"/2.88 MB floppy services are supported (int 13h)
Print screen service is supported (int 5h)
8042 keyboard services are supported (int 9h)
Serial services are supported (int 14h)
Printer services are supported (int 17h)
ACPI is supported
USB legacy is supported
BIOS boot specification is supported
Targeted content distribution is supported
UEFI is supported
BIOS Revision: 4.6
BIOS Language Information
Language Description Format: Long
Installable Languages: 3
Currently Installed Language: en|US|iso8859-1
vendor: ASUSTeK COMPUTER INC.
physical id: 0
version: Rev X.0x
slot: To be filled by O.E.M.
vendor: American Megatrends Inc.
physical id: 0
capabilities: pci apm upgrade shadowing cdboot bootselect socketedrom edd int13floppy1200 int13floppy720 int13floppy2880 int5printscreen int9keyboard int14serial int17printer acpi usb biosbootspecification uefi
Received a warning re epel on previous (or near to it) attempt to update.
I just wanted to post a brief note that updated shim packages are now available and can be used in conjunction with previously released grub2, fwupd, and fwupdate packages. Both https://access.redhat.com/security/vulnerabilities/grub2bootloader and https://access.redhat.com/solutions/5272311 have been updated with links to the new shim package bugfix errata.
What about CentOS?
(In reply to Olimp Bockowski from comment #23)
> What about CentOS?
Released over the weekend as well.
For EL 7 - the -8 packages released to address the bug within the -7.
- shim-x64-15-8.el7.x86_64.rpm 2020-07-31 23:30 680K
For EL8 - the -15 packages released to address the bug within the -14.
- shim-x64-15-15.el8_2.x86_64.rpm 2020-08-01 02:35 666K
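A pre-reboot check built from the release numbers given in this thread, as an added example that is not part of the original bug report or any vendor tooling: it classifies `rpm -q shim-x64` strings so hosts still on the failing shim release can be found before they are restarted. The function names, host names and the EL8 `15-14.el8_2` package string are constructed for illustration.

```shell
#!/bin/sh
# Releases taken from the thread:
#   EL7: shim 15-7 fails to boot, 15-8 fixes it
#   EL8: shim 15-14 fails to boot, 15-15 fixes it

# classify_shim NVR -> affected | fixed | older | unknown
classify_shim() {
    nvr=$1
    case $nvr in
        shim-x64-15-*) ;;
        *) echo unknown; return 0 ;;
    esac
    rest=${nvr#shim-x64-15-}   # e.g. "7.el7_8.x86_64"
    rel=${rest%%.*}            # leading release number, e.g. "7"
    case $rel in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    case $rest in
        "$rel".el7*) bad=7 ;;
        "$rel".el8*) bad=14 ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$rel" -eq "$bad" ]; then
        echo affected          # do not reboot until shim is updated
    elif [ "$rel" -gt "$bad" ]; then
        echo fixed
    else
        echo older             # predates the release reported as failing
    fi
}

# Reads "host package" lines and appends the classification to each.
scan_inventory() {
    while read -r host pkg; do
        [ -n "$host" ] || continue
        printf '%s %s %s\n' "$host" "$pkg" "$(classify_shim "$pkg")"
    done
}

# Constructed inventory, e.g. collected with `rpm -q shim-x64` on each host.
scan_inventory <<'EOF'
node01 shim-x64-15-7.el7_8.x86_64
node02 shim-x64-15-8.el7.x86_64
node03 shim-x64-15-14.el8_2.x86_64
node04 shim-x64-15-15.el8_2.x86_64
EOF
```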