Bug 2106058 - vSphere defaults to SecureBoot on; breaks installation of out-of-tree drivers [4.11.0]
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RHCOS
Version: 4.11
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 4.11.0
Assignee: Michael Nguyen
QA Contact: HuijingHei
Depends On: 2106055 2106062
Reported: 2022-07-11 16:03 UTC by Micah Abbott
Modified: 2022-08-10 11:21 UTC (History)

Doc Type: No Doc Update
Clone Of: 2106055
Last Closed: 2022-08-10 11:20:54 UTC

Links: Red Hat Product Errata RHSA-2022:5069 (last updated 2022-08-10 11:21:09 UTC)

Description Micah Abbott 2022-07-11 16:03:09 UTC
+++ This bug was initially created as a clone of Bug #2106055 +++

Original discussion - https://github.com/coreos/fedora-coreos-tracker/issues/1119

We made the broad decision to change the metadata of the vSphere artifacts in the following ways:

- change osType to reflect it is a RHEL 8 operating system
- change hw version to 15

https://github.com/openshift/os/pull/748/

- change the firmware to use EFI by default

https://github.com/coreos/coreos-assembler/pull/2762

- change the firmware to have SecureBoot enabled by default

https://github.com/coreos/coreos-assembler/pull/2767/


Defaulting to having SecureBoot enabled by default is the most impactful change and we failed to communicate this change more broadly. 

We are in a position where enabling this for new cluster installs may prevent customers + partners from installing out-of-tree kernel modules as part of the day 1 use case.

PM has indicated that the majority of the OCP ecosystem is not ready for this kind of broad change and we should default to having SecureBoot disabled.

Comment 1 RHCOS Bug Bot 2022-07-14 19:40:04 UTC
The fix for this bug will not be delivered to customers until it lands in an updated bootimage.  That process is tracked in bug 2106062, which has status ASSIGNED.  Moving this bug back to POST.

Comment 2 RHCOS Bug Bot 2022-07-15 04:19:45 UTC
This bug has been reported fixed in a new RHCOS build and is ready for QE verification.  To mark the bug verified, set the Verified field to Tested.  This bug will automatically move to MODIFIED once the fix has landed in a new bootimage.

Comment 3 Michael Nguyen 2022-07-15 04:23:12 UTC
Fix has landed in RHCOS 411.86.202207140725-0

To verify, download the RHCOS OVA.

tar xvf rhcos*ova
grep -i secure coreos.ovf

The value should be set to false.

Comment 4 HuijingHei 2022-07-15 06:43:34 UTC
Pre-verify passed with latest RHCOS 411.86.202207150124-0

[coreos-assembler]$ tar xvf rhcos-411.86.202207150124-0-vmware.x86_64.ova
coreos.ovf
disk.vmdk
[coreos-assembler]$ cat coreos.ovf | grep -i secure
      <vmw:Config ovf:required="false" vmw:key="bootOptions.efiSecureBootEnabled" vmw:value="false"/>

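As an added illustration of the check in Comments 3 and 4 (example code, not from the RHCOS project or the commenters): parse the OVF descriptor's vmw:Config entries instead of grepping, so the verdict does not depend on a substring match, and read the descriptor straight out of the OVA without extracting it. The sample OVF below is constructed; the `firmware` key and the OVF/VMware namespace URIs are assumptions not shown on this page.

```python
import tarfile
import xml.etree.ElementTree as ET
from typing import Optional

# Namespace URIs used by OVF descriptors (assumed; not quoted on the bug page).
OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
VMW_NS = "http://www.vmware.com/schema/ovf"

# Constructed minimal descriptor modelled on the grep hit in Comment 4; not a real RHCOS OVF.
SAMPLE_OVF = """<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
          xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
          xmlns:vmw="http://www.vmware.com/schema/ovf">
  <VirtualSystem ovf:id="rhcos">
    <VirtualHardwareSection>
      <vmw:Config ovf:required="false" vmw:key="firmware" vmw:value="efi"/>
      <vmw:Config ovf:required="false" vmw:key="bootOptions.efiSecureBootEnabled" vmw:value="false"/>
    </VirtualHardwareSection>
  </VirtualSystem>
</Envelope>
"""


def vmw_config(ovf_xml: str) -> dict:
    """Collect every vmw:Config key/value pair in the descriptor, wherever it sits."""
    root = ET.fromstring(ovf_xml)
    settings = {}
    for cfg in root.iter(f"{{{VMW_NS}}}Config"):
        key = cfg.get(f"{{{VMW_NS}}}key")
        if key is not None:
            settings[key] = cfg.get(f"{{{VMW_NS}}}value")
    return settings


def secureboot_enabled(ovf_xml: str) -> Optional[bool]:
    """True/False when the key is present; None when absent (vSphere's own default applies)."""
    value = vmw_config(ovf_xml).get("bootOptions.efiSecureBootEnabled")
    if value is None:
        return None
    return value.strip().lower() == "true"


def ova_matches(path: str, expect_secureboot: bool) -> bool:
    """Read the .ovf member of an OVA tarball and compare its SecureBoot flag to what we expect."""
    with tarfile.open(path) as tar:
        for member in tar.getmembers():
            if member.name.endswith(".ovf"):
                ovf = tar.extractfile(member).read().decode("utf-8")
                return secureboot_enabled(ovf) == expect_secureboot
    raise FileNotFoundError(f"no .ovf descriptor found in {path}")
```

Running `ova_matches("rhcos-411.86.202207150124-0-vmware.x86_64.ova", False)` reproduces the Comment 4 check without extracting the archive; a `None` result from `secureboot_enabled` means the descriptor leaves the flag unset rather than disabled, which is worth distinguishing before a deployment.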
Comment 5 RHCOS Bug Bot 2022-07-18 18:53:49 UTC
The fix for this bug has landed in a bootimage bump, as tracked in bug 2106062 (now in status MODIFIED).  Moving this bug to MODIFIED.

Comment 8 HuijingHei 2022-07-20 06:31:28 UTC
Change status to verified according to result in Comment 4

Comment 9 errata-xmlrpc 2022-08-10 11:20:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069

