Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1862111

Summary: update boot images to address CVE-2020-10713
Product: OpenShift Container Platform Reporter: Micah Abbott <miabbott>
Component: RHCOSAssignee: Micah Abbott <miabbott>
Status: CLOSED ERRATA QA Contact: Michael Nguyen <mnguyen>
Severity: medium Docs Contact:
Priority: high    
Version: 4.6CC: bbreard, dornelas, imcleod, jligon, nstielau, smilner
Target Milestone: ---   
Target Release: 4.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1862112 (view as bug list) Environment:
Last Closed: 2020-10-27 16:21:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1186913, 1862112, 1862113    

Description Micah Abbott 2020-07-30 13:34:25 UTC 
The mitigation route for OCP customers is to reprovision nodes that may be affected by CVE-2020-10713

To do that, we need to provide new boot images and update the installer to reference them.
Comment 1 Micah Abbott 2020-07-30 19:42:39 UTC 
This is currently being worked on and work will continue next sprint.
Comment 2 Steve Milner 2020-08-04 21:14:30 UTC 
PR: https://github.com/openshift/installer/pull/3983
Comment 5 Michael Nguyen 2020-08-06 13:01:46 UTC 
Verified on 4.6.0-0.nightly-2020-08-06-093209.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-08-06-093209   True        False         12m     Cluster version is 4.6.0-0.nightly-2020-08-06-093209

== log into the bootstrap node and check shim package ==

[core@ip-10-0-18-90 ~]$ rpm -qa | grep shim
shim-x64-15-15.el8_2.x86_64
[core@ip-10-0-18-90 ~]$ rpm-ostree status
State: idle
Deployments:
● ostree://eada9e31e3e23e864b7c06bafa7b7756c0eceb38c1aa1e76e6bcf347d3663533
                   Version: 46.82.202008030340-0 (2020-08-03T03:44:50Z)
[core@ip-10-0-18-90 ~]$ rpm -ql shim-x64
/boot/efi/EFI/BOOT/BOOTX64.EFI
/boot/efi/EFI/BOOT/fbx64.efi
/boot/efi/EFI/redhat/BOOTX64.CSV
/boot/efi/EFI/redhat/mmx64.efi
/boot/efi/EFI/redhat/shimx64-redhat.efi
/boot/efi/EFI/redhat/shimx64.efi
[core@ip-10-0-18-90 ~]$ rpm -qi shim-x64
Name        : shim-x64
Version     : 15
Release     : 15.el8_2
Architecture: x86_64
Install Date: Mon 03 Aug 2020 03:42:30 AM UTC
Group       : Unspecified
Size        : 5252606
License     : BSD
Signature   : RSA/SHA256, Fri 31 Jul 2020 11:10:11 PM UTC, Key ID 199e2f91fd431d51
Source RPM  : shim-15-15.el8_2.src.rpm
Build Date  : Fri 31 Jul 2020 09:18:08 PM UTC
Build Host  : x86-vm-09.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/rhboot/shim/
Summary     : First-stage UEFI bootloader
Description :
Initial UEFI bootloader that handles chaining to a trusted full
bootloader under secure boot environments. This package contains the
version signed by the UEFI signing service.
[core@ip-10-0-18-90 ~]$ 


== log into master node and check shim package and bootstrapped shim package ==
$ oc get nodes
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-134-205.us-west-2.compute.internal   Ready    master   29m   v0.0.0-master+$Format:%h$
ip-10-0-148-218.us-west-2.compute.internal   Ready    worker   17m   v0.0.0-master+$Format:%h$
ip-10-0-175-60.us-west-2.compute.internal    Ready    master   29m   v0.0.0-master+$Format:%h$
ip-10-0-188-122.us-west-2.compute.internal   Ready    worker   17m   v0.0.0-master+$Format:%h$
ip-10-0-201-138.us-west-2.compute.internal   Ready    master   28m   v0.0.0-master+$Format:%h$
ip-10-0-211-133.us-west-2.compute.internal   Ready    worker   17m   v0.0.0-master+$Format:%h$
$ oc debug node/ip-10-0-134-205.us-west-2.compute.internal 
Starting pod/ip-10-0-134-205us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:16a8dde4b893ff0b5b4aeb05474f2f5e2ce9cac45d5d3e98b40c4309e23215a7
              CustomOrigin: Managed by machine-config-operator
                   Version: 46.82.202008032211-0 (2020-08-03T22:15:23Z)

  ostree://eada9e31e3e23e864b7c06bafa7b7756c0eceb38c1aa1e76e6bcf347d3663533
                   Version: 46.82.202008030340-0 (2020-08-03T03:44:50Z)
sh-4.4# rpm -q shim-x64
shim-x64-15-15.el8_2.x86_64
sh-4.4# rpm-ostree db list eada9e31e3e23e864b7c06bafa7b7756c0eceb38c1aa1e76e6bcf347d3663533 | grep shim
 shim-x64-15-15.el8_2.x86_64

sh-4.4# exit
exit
sh-4.2# exit
exit

Removing debug pod ...


== log into the worker node and check the shim package and the bootstrapped shim package ==
$ oc get node
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-134-205.us-west-2.compute.internal   Ready    master   33m   v0.0.0-master+$Format:%h$
ip-10-0-148-218.us-west-2.compute.internal   Ready    worker   21m   v0.0.0-master+$Format:%h$
ip-10-0-175-60.us-west-2.compute.internal    Ready    master   33m   v0.0.0-master+$Format:%h$
ip-10-0-188-122.us-west-2.compute.internal   Ready    worker   22m   v0.0.0-master+$Format:%h$
ip-10-0-201-138.us-west-2.compute.internal   Ready    master   33m   v0.0.0-master+$Format:%h$
ip-10-0-211-133.us-west-2.compute.internal   Ready    worker   22m   v0.0.0-master+$Format:%h$
$ oc debug node/ip-10-0-148-218.us-west-2.compute.internal
Starting pod/ip-10-0-148-218us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:16a8dde4b893ff0b5b4aeb05474f2f5e2ce9cac45d5d3e98b40c4309e23215a7
              CustomOrigin: Managed by machine-config-operator
                   Version: 46.82.202008032211-0 (2020-08-03T22:15:23Z)

  ostree://eada9e31e3e23e864b7c06bafa7b7756c0eceb38c1aa1e76e6bcf347d3663533
                   Version: 46.82.202008030340-0 (2020-08-03T03:44:50Z)
sh-4.4# rpm -q shim-x64
shim-x64-15-15.el8_2.x86_64
sh-4.4# rpm-ostree db list eada9e31e3e23e864b7c06bafa7b7756c0eceb38c1aa1e76e6bcf347d3663533 | grep shim
 shim-x64-15-15.el8_2.x86_64
sh-4.4# exit
exit
sh-4.2# exit
exit
Comment 7 errata-xmlrpc 2020-10-27 16:21:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196