1880417 – [vmware] Fail to boot with Secure Boot enabled, kernel lockdown denies iopl access to afterburn

Bug 1880417 - [vmware] Fail to boot with Secure Boot enabled, kernel lockdown denies iopl access to afterburn

Summary: [vmware] Fail to boot with Secure Boot enabled, kernel lockdown denies iopl a...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	RHCOS
Sub Component:
Version:	4.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	high
Target Milestone:	---
Target Release:	4.7.0
Assignee:	Luca BRUNO
QA Contact:	jima
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-09-18 13:31 UTC by Micah Abbott
Modified:	2021-02-24 15:20 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:	1877995
Environment:
Last Closed:	2021-02-24 15:18:37 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:5633	0	None	None	None	2021-02-24 15:20:53 UTC

Comment 1 Micah Abbott 2020-09-18 13:32:26 UTC

We have a "quickfix" in place for the parent BZ, this BZ is going to track the more complete fix in 4.7

Comment 2 Luca BRUNO 2020-10-21 11:09:58 UTC

The better fix for this landed in https://github.com/coreos/afterburn/releases/tag/v4.5.2, which will head to RHCOS 4.7 soon.

The Ignition side of this same issue is tracked at https://github.com/coreos/ignition/issues/1092 but currently stalled on the upstream library.

Comment 3 Luca BRUNO 2020-11-13 08:01:02 UTC

Final update from the RHCOS pipeline: Afterburn v4.5.3 (which contains the fix for this) just landed in RHCOS 47.82.202011122343-0.

Comment 6 jima 2020-11-19 08:29:28 UTC

Used 47.82.202011122343-0 to deploy upi on vsphere with version 4.7.0-0.nightly-2020-11-18-203317, and enabled secureboot when booting instance. 
The installation is successful. so move the bug to VERIFIED.

Comment 10 errata-xmlrpc 2021-02-24 15:18:37 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

Note You need to log in before you can comment on or make changes to this bug.