The mitigation route for OCP customers is to reprovision nodes that may be affected by CVE-2020-10713 To do that, we need to provide new boot images and update the installer to reference them.
This is currently being worked on and work will continue next sprint.
PR: https://github.com/openshift/installer/pull/3983
Verified on 4.6.0-0.nightly-2020-08-06-093209. $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.6.0-0.nightly-2020-08-06-093209 True False 12m Cluster version is 4.6.0-0.nightly-2020-08-06-093209 == log into the bootstrap node and check shim package == [core@ip-10-0-18-90 ~]$ rpm -qa | grep shim shim-x64-15-15.el8_2.x86_64 [core@ip-10-0-18-90 ~]$ rpm-ostree status State: idle Deployments: ● ostree://eada9e31e3e23e864b7c06bafa7b7756c0eceb38c1aa1e76e6bcf347d3663533 Version: 46.82.202008030340-0 (2020-08-03T03:44:50Z) [core@ip-10-0-18-90 ~]$ rpm -ql shim-x64 /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/fbx64.efi /boot/efi/EFI/redhat/BOOTX64.CSV /boot/efi/EFI/redhat/mmx64.efi /boot/efi/EFI/redhat/shimx64-redhat.efi /boot/efi/EFI/redhat/shimx64.efi [core@ip-10-0-18-90 ~]$ rpm -qi shim-x64 Name : shim-x64 Version : 15 Release : 15.el8_2 Architecture: x86_64 Install Date: Mon 03 Aug 2020 03:42:30 AM UTC Group : Unspecified Size : 5252606 License : BSD Signature : RSA/SHA256, Fri 31 Jul 2020 11:10:11 PM UTC, Key ID 199e2f91fd431d51 Source RPM : shim-15-15.el8_2.src.rpm Build Date : Fri 31 Jul 2020 09:18:08 PM UTC Build Host : x86-vm-09.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : https://github.com/rhboot/shim/ Summary : First-stage UEFI bootloader Description : Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments. This package contains the version signed by the UEFI signing service. [core@ip-10-0-18-90 ~]$ == log into master node and check shim package and bootstrapped shim package == $ oc get nodes NAME STATUS ROLES AGE VERSION ip-10-0-134-205.us-west-2.compute.internal Ready master 29m v0.0.0-master+$Format:%h$ ip-10-0-148-218.us-west-2.compute.internal Ready worker 17m v0.0.0-master+$Format:%h$ ip-10-0-175-60.us-west-2.compute.internal Ready master 29m v0.0.0-master+$Format:%h$ ip-10-0-188-122.us-west-2.compute.internal Ready worker 17m v0.0.0-master+$Format:%h$ ip-10-0-201-138.us-west-2.compute.internal Ready master 28m v0.0.0-master+$Format:%h$ ip-10-0-211-133.us-west-2.compute.internal Ready worker 17m v0.0.0-master+$Format:%h$ $ oc debug node/ip-10-0-134-205.us-west-2.compute.internal Starting pod/ip-10-0-134-205us-west-2computeinternal-debug ... To use host binaries, run `chroot /host` If you don't see a command prompt, try pressing enter. sh-4.2# chroot /host sh-4.4# rpm-ostree status State: idle Deployments: * pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:16a8dde4b893ff0b5b4aeb05474f2f5e2ce9cac45d5d3e98b40c4309e23215a7 CustomOrigin: Managed by machine-config-operator Version: 46.82.202008032211-0 (2020-08-03T22:15:23Z) ostree://eada9e31e3e23e864b7c06bafa7b7756c0eceb38c1aa1e76e6bcf347d3663533 Version: 46.82.202008030340-0 (2020-08-03T03:44:50Z) sh-4.4# rpm -q shim-x64 shim-x64-15-15.el8_2.x86_64 sh-4.4# rpm-ostree db list eada9e31e3e23e864b7c06bafa7b7756c0eceb38c1aa1e76e6bcf347d3663533 | grep shim shim-x64-15-15.el8_2.x86_64 sh-4.4# exit exit sh-4.2# exit exit Removing debug pod ... == log into the worker node and check the shim package and the bootstrapped shim package == $ oc get node NAME STATUS ROLES AGE VERSION ip-10-0-134-205.us-west-2.compute.internal Ready master 33m v0.0.0-master+$Format:%h$ ip-10-0-148-218.us-west-2.compute.internal Ready worker 21m v0.0.0-master+$Format:%h$ ip-10-0-175-60.us-west-2.compute.internal Ready master 33m v0.0.0-master+$Format:%h$ ip-10-0-188-122.us-west-2.compute.internal Ready worker 22m v0.0.0-master+$Format:%h$ ip-10-0-201-138.us-west-2.compute.internal Ready master 33m v0.0.0-master+$Format:%h$ ip-10-0-211-133.us-west-2.compute.internal Ready worker 22m v0.0.0-master+$Format:%h$ $ oc debug node/ip-10-0-148-218.us-west-2.compute.internal Starting pod/ip-10-0-148-218us-west-2computeinternal-debug ... To use host binaries, run `chroot /host` If you don't see a command prompt, try pressing enter. sh-4.2# chroot /host sh-4.4# rpm-ostree status State: idle Deployments: * pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:16a8dde4b893ff0b5b4aeb05474f2f5e2ce9cac45d5d3e98b40c4309e23215a7 CustomOrigin: Managed by machine-config-operator Version: 46.82.202008032211-0 (2020-08-03T22:15:23Z) ostree://eada9e31e3e23e864b7c06bafa7b7756c0eceb38c1aa1e76e6bcf347d3663533 Version: 46.82.202008030340-0 (2020-08-03T03:44:50Z) sh-4.4# rpm -q shim-x64 shim-x64-15-15.el8_2.x86_64 sh-4.4# rpm-ostree db list eada9e31e3e23e864b7c06bafa7b7756c0eceb38c1aa1e76e6bcf347d3663533 | grep shim shim-x64-15-15.el8_2.x86_64 sh-4.4# exit exit sh-4.2# exit exit
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196