Bug 2170840 - uninstall fwupd prevent system to boot due to shim-x64 removal
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: shim
Version: 9.1
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: rc
Assignee: Bootloader engineering team
QA Contact: Release Test Team
Reported: 2023-02-17 11:17 UTC by Danie de Jager
Modified: 2023-03-01 22:22 UTC (History)
Last Closed: 2023-03-01 21:59:18 UTC
Type: Bug

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-149056 0 None None None 2023-02-17 11:19:42 UTC

Description Danie de Jager 2023-02-17 11:17:20 UTC
Description of problem:
I cleaned up a host running Rocky 9.1. I removed fwupd as I thought I did not need it. My thinking was that I'm running the host in the cloud which won't have any firmware updates.
I did not fully appreciate the consequences of what the removal of shim-x64 will have in my life.

Due to the current dependencies fwupd effectively becomes a required package, even if I don't have a host that would be supported by it. With hindsight I could've removed it without removing dependencies too.

Could the dependency be reevaluated for fwupd so as not to remove shim-x64 when uninstalling it?

Version-Release number of selected component (if applicable):
Rocky 9.1

How reproducible:
Very

Steps to Reproduce:
1. yum remove fwupd -y
2. reboot

Actual results:
system no longer able to boot.

Expected results:
only remove fwupd and not packages required to boot the system.

Additional info:

Comment 1 Richard Hughes 2023-02-17 12:57:15 UTC
> I removed fwupd as I thought I did not need it.

What did "yum remove fwupd -y" say? Is the yum effectively running dnf in 9.1?

> Due to the current dependencies fwupd effectively becomes a required package

How so? I'm assuming dnf removed shim-x64 to be helpful as shim-x64 was discovered to be an unused leaf package. I'm assuming you could have done "rpm -e fwupd" to avoid removing shim-x64 too?

Comment 2 Louis Abel 2023-02-20 04:44:14 UTC
The problem is that shim-x64 requires fwupd as a dependency to install. fwupd provides dbxtool, and shim-x64 requires dbxtool. Here's a RHEL 9.1 box showing this issue.

[root@localhost ~]# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.1 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.1"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.1 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/9/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.1
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.1"
[root@localhost ~]# dnf repoquery -q shim-x64 --requires
dbxtool >= 0.6-3
efi-filesystem
mokutil >= 1:0.3.0-1
[root@localhost ~]# dnf repoquery -q --whatprovides dbxtool
fwupd-0:1.7.4-2.el9_0.x86_64
fwupd-0:1.7.9-1.el9.x86_64

Removing fwupd wants to take shim-x64 with it as a result.

[root@localhost ~]# rpm -e fwupd
error: Failed dependencies:
        dbxtool >= 0.6-3 is needed by (installed) shim-x64-15.6-1.el9.x86_64
        fwupd(x86-64) = 1.7.9-1.el9 is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupd.so.2()(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupd.so.2(LIBFWUPD_0.1.1)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupd.so.2(LIBFWUPD_0.9.3)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupd.so.2(LIBFWUPD_0.9.8)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupd.so.2(LIBFWUPD_1.5.0)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupd.so.2(LIBFWUPD_1.5.5)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupd.so.2(LIBFWUPD_1.5.8)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5()(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_0.1.0)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_0.7.1)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_0.8.0)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_0.9.5)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_0.9.7)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.0.0)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.0.8)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.1.2)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.2.5)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.2.6)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.2.9)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.3.3)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.4.0)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.4.5)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.5.5)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.6.0)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.6.2)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.7.0)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupdplugin.so.5(LIBFWUPDPLUGIN_1.7.3)(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
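
Added example, not part of the bug thread or of any Red Hat tooling: a pre-removal guard that parses the `rpm -e --test` dependency errors shown in comment 2 and flags any boot-critical package that depends on the one being removed. The function names and the `BOOT_CRITICAL` list are assumptions (only shim-x64 comes from this report).

```shell
#!/bin/sh
# Added example: refuse a package removal that would take the UEFI boot
# chain with it. Not code from the bug report or from fwupd/shim.

# Packages whose removal leaves a UEFI host unbootable. shim-x64 is the one
# from this report; grub2-efi-x64 is an assumed addition. Extend as needed.
BOOT_CRITICAL="shim-x64 grub2-efi-x64"

# Read "rpm -e --test" failure output on stdin and print the names of
# boot-critical packages that depend on the package being removed.
boot_critical_dependents() {
    # Keep the NEVRA after "(installed) " and strip "-version-release.arch".
    sed -n 's/.* is needed by (installed) \(.*\)-[^-]*-[^-]*$/\1/p' |
    sort -u |
    while read -r name; do
        for crit in $BOOT_CRITICAL; do
            if [ "$name" = "$crit" ]; then
                printf '%s\n' "$name"
            fi
        done
    done
}

# Live check: ask rpm what would break, without changing anything.
# Returns 1 (refuse) if a boot-critical package depends on "$1".
check_removal() {
    hits=$(LC_ALL=C rpm -e --test "$1" 2>&1 | boot_critical_dependents)
    if [ -n "$hits" ]; then
        echo "refusing to remove $1: needed by $hits" >&2
        return 1
    fi
}

# Sample input: first lines of the "rpm -e fwupd" error shown in comment 2.
SAMPLE='error: Failed dependencies:
        dbxtool >= 0.6-3 is needed by (installed) shim-x64-15.6-1.el9.x86_64
        fwupd(x86-64) = 1.7.9-1.el9 is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64
        libfwupd.so.2()(64bit) is needed by (installed) fwupd-plugin-flashrom-1.7.9-1.el9.x86_64'

printf '%s\n' "$SAMPLE" | boot_critical_dependents   # prints: shim-x64
```

On a live host, `check_removal fwupd && dnf remove fwupd` runs the removal only when no boot-critical package depends on it. dnf's own `protected_packages` setting (drop-in files under `/etc/dnf/protected.d/`) is the built-in way to make dnf refuse a transaction that would remove a listed package.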

Comment 3 Richard Hughes 2023-02-20 07:59:08 UTC
>         dbxtool >= 0.6-3 is needed by (installed) shim-x64-15.6-1.el9.x86_64

Ahh, so I think this is the one we want to remove or weaken. A weak dep (either suggests or recommends) would be perfect for this. I'll reassign, and we can see what the shim people think.

Comment 4 Robbie Harwood 2023-02-20 13:40:49 UTC
I don't think we have any interest in supporting removal of fwupd, as it's used to apply DBX updates.

Comment 5 Danie de Jager 2023-02-27 06:19:44 UTC
@rharwood Are there any DBX updates relevant to Cloud infrastructure? I'm yet to see Secure Boot required to boot a host in AWS or Azure. The current defaults for 9.1 would cater for such an environment but if fwupd is not needed or unused?
I'm simply asking that the dependencies be reevaluated so that the OS bootup doesn't break if fwupd were removed without fully appreciating its importance due to reliance by UEFI and shim-x64.

Comment 6 Robbie Harwood 2023-02-27 14:27:07 UTC
> Are there any DBX updates relevant to Cloud infrastructure?

This suggests misunderstanding of what DBX is.  DBX prohibits booting of known-vulnerable systems: it's a list of known-bad hashes.  It has nothing to do with whether what's booting is a cloud image, or running on bare metal.

Comment 7 Danie de Jager 2023-02-27 14:51:41 UTC
@rharwood Thanks for clearing that up. Then it makes sense to retain dbx and shim-x64 and not remove them should fwupd be removed. Would that be possible?

Comment 8 Jared Dominguez 2023-03-01 21:59:18 UTC
(In reply to Danie de Jager from comment #7)
> @rharwood Thanks for clearing that up. Then it makes sense to retain dbx and
> shim-x64 and not remove them should fwupd be removed. Would that be possible?

See comment #4: "I don't think we have any interest in supporting removal of fwupd, as it's used to apply DBX updates."

Note that virtual machines still use firmware (SeaBIOS or OVMF usually).

