seems the updates pushed recently to centos stream (I updated about an hour ago) now cause my pc to hang after BIOS...it never gets to grub
could this be the GRUB_ENABLE_BLSCFG issue that has come downstream from fedora ?
any advice would be most greatly appreciated thanks
On Thu, Jul 30, 2020 at 12:55, Andy Hall andyjohnhall@gmail.com wrote:
> seems the updates pushed recently to centos stream (I updated about an hour ago) now cause my pc to hang after BIOS...it never gets to grub
> could this be the GRUB_ENABLE_BLSCFG issue that has come downstream from fedora ?
> any advice would be most greatly appreciated thanks
I think you can follow here: Bug 1861977 https://bugzilla.redhat.com/show_bug.cgi?id=1861977 - RHSA-2020:3216 grub2 security update renders system unbootable
CentOS-devel mailing list CentOS-devel@centos.org https://lists.centos.org/mailman/listinfo/centos-devel
On Thu, Jul 30, 2020 at 12:59 PM Sandro Bonazzola sbonazzo@redhat.com wrote:
> On Thu, Jul 30, 2020 at 12:55, Andy Hall andyjohnhall@gmail.com wrote:
>> seems the updates pushed recently to centos stream (I updated about an hour ago) now cause my pc to hang after BIOS...it never gets to grub
>> could this be the GRUB_ENABLE_BLSCFG issue that has come downstream from fedora ?
>> any advice would be most greatly appreciated thanks
> I think you can follow here: Bug 1861977 https://bugzilla.redhat.com/show_bug.cgi?id=1861977 - RHSA-2020:3216 grub2 security update renders system unbootable
The classical situation where the treatment is worse than the disease..... keep calm and test better before release... Also because, if I understand correctly, this vulnerability requires anyway physical access or rights to modify a pxe boot network config to create its damages...
On Thu, 30 Jul 2020 Sandro Bonazzola wrote...
> I think you can follow here: Bug 1861977 https://bugzilla.redhat.com/show_bug.cgi?id=1861977 - RHSA-2020:3216 grub2 security update renders system unbootable
Thanks very much...I can confirm the following does work...
1) booting to rhel-8 (centos-8) troubleshooting mode from a boot CD / USB
2) chrooted to /mnt/sysimage
3) setup networking
4) yum downgrade shim-x64 grub2*
5) add exclude=grub2* shim* to /etc/yum.conf
6) reboot
N.B. If you are on CentOS-stream then the repos will NOT have the older packages so just point to the CentOS repo ( or download from that repo and rpm -Uvh --force to install them )
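Step 5 above holds back the grub2 security update, so the pin should be easy to remove once fixed packages are published. The following is an added example, not part of the original thread: the function names and the idea of passing the config path as an argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: manage a temporary exclude= pin for the boot packages in a
# yum/dnf config file. Function names are hypothetical, not from the thread.

PIN_LINE='exclude=grub2* shim*'   # the line from step 5 of the message above

# pin_boot_pkgs FILE: add the pin under [main] exactly once (idempotent).
pin_boot_pkgs() {
    conf=$1
    if grep -qxF "$PIN_LINE" "$conf"; then
        return 0                  # already pinned, nothing to do
    fi
    if grep -q '^exclude=' "$conf"; then
        echo "$conf already has an exclude= line, merge by hand" >&2
        return 1                  # never clobber an existing exclude list
    fi
    if ! grep -q '^\[main\]' "$conf"; then
        echo "$conf has no [main] section" >&2
        return 1                  # the pin would silently not be written
    fi
    # Insert right after the [main] header, then write through the original
    # path so a symlinked config stays a symlink and keeps its permissions.
    awk -v pin="$PIN_LINE" '{ print } /^\[main\]/ { print pin }' \
        "$conf" > "$conf.tmp" &&
        cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# unpin_boot_pkgs FILE: remove the pin so dnf offers grub2/shim updates again.
unpin_boot_pkgs() {
    conf=$1
    # grep -v exits 1 when nothing is left to print; that is not an error here.
    grep -vxF "$PIN_LINE" "$conf" > "$conf.tmp" || [ $? -eq 1 ] || return 1
    cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# is_pinned FILE: exit 0 while the pin is present (useful in a patch audit).
is_pinned() {
    grep -qxF "$PIN_LINE" "$1"
}
```

Run `pin_boot_pkgs /etc/yum.conf` inside the chroot after the downgrade, and `unpin_boot_pkgs /etc/yum.conf` once the corrected packages reach your repository.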
On 7/30/20 6:54 AM, Andy Hall wrote:
> seems the updates pushed recently to centos stream (I updated about an hour ago) now cause my pc to hang after BIOS...it never gets to grub
This affected me this morning on my regular, non-Stream, CentOS 8.2.2004 install. Boot up, see the update notice, think "hmm, I have plenty of time before that morning meeting, sure, why not do this update, must be the 'Boot Hole' update Johnny mentioned." After the update, on reboot the screen kept the Dell meatball in the middle but then had 'hash' marks all over the screen. Neither a regular power button press nor CTRL-ALT-DEL did anything, had to hard power off by holding the power button down until it powered off. Yay, fun, let's reschedule that morning meeting, guys, my computer is acting up right now..... In my case, the instructions for downgrading in the referenced Bugzilla did not work to restore normal booting.
The use of the install DVD iso's rescue mode was required; once booted into rescue mode (on my Dell Precision M6700 laptop, pressing F12 during boot to get the boot menu, then selecting the USB stick in UEFI mode, since my machine is a UEFI-booting machine), and after chrooting to /mnt/sysimage, I performed the downgrade, but on reboot the system still hung completely. So, rebooting back into rescue mode, chroot /mnt/sysimage, nmtui (and activate the network interface I needed, since it's wifi), and then running the grub2-install I got an error; needed to install grub2-efi-x64-modules to run grub2-install. But a bare grub2-install did not fix the problem for me; so, reboot into rescue mode again, chroot /mnt/sysimage again, and then run the recommended UEFI grub2 reinstall procedure (linked from https://bugzilla.redhat.com/show_bug.cgi?id=1101352 pointing to https://bugzilla.redhat.com/show_bug.cgi?id=1220066 ):
dnf reinstall grub2-efi shim grub2-tools
And I'm now rebooting correctly, after a complete system autorelabel...... This may or may not work for you, since I did several steps and reboots, so I don't know what actually 'fixed' the booting, nor do I have time today to try to reproduce. I do now know to be extra careful on my other UEFI C8 systems, and I won't be doing any remote updates on those, only from the console, with bootable media at hand.... argh.
Moral of the story? Have the install DVD on a USB stick and available to boot into rescue mode, know how to boot rescue mode (from the installer boot menu select 'troubleshooting....' then 'rescue....' and option 1 once the menu shows), know how to activate network interfaces in text mode (either nmcli or nmtui works fine for this), and know a few basic dnf commands. And have an alternate means of doing basic web searches available; my android phone this morning was used for that.....
However, what is really odd to me is that after the dnf downgrade of grub2 and shim, which did get logged in /var/log/dnf.log, when issuing a dnf update I don't see the grub2 and shim updates listed anymore. And, where the blue blazes is the log of updates done from the GUI updater? Went to look for it to back out whatever got updated, and in my cursory booted-into-the-chroot-via-rescue-mode-tiny-text-screen state quit looking for it; I may try to find it later today.
On 7/30/20 10:35 AM, Lamar Owen wrote:
> However, what is really odd to me is that after the dnf downgrade of grub2 and shim, which did get logged in /var/log/dnf.log, when issuing a dnf update I don't see the grub2 and shim updates listed anymore.
So I'm on the latest kernel, but downrev on grub2 and a dnf update does now list the updated release. When I get enough time to reproduce I might try the update again.
On 7/30/20 10:51 AM, Lamar Owen wrote:
> On 7/30/20 10:35 AM, Lamar Owen wrote:
>> However, what is really odd to me is that after the dnf downgrade of grub2 and shim, which did get logged in /var/log/dnf.log, when issuing a dnf update I don't see the grub2 and shim updates listed anymore.
> So I'm on the latest kernel, but downrev on grub2 and a dnf update does now list the updated release. When I get enough time to reproduce I might try the update again.
So, the first update this morning was with the GUI updater that does the update during a reboot. I just updated to the '87 release of grub2 using dnf from the command line, and the update was successful, with a correctly booting system. So I can't reproduce the issue on this laptop.
On Thu, Jul 30, 2020 at 9:34 PM Lamar Owen lowen@pari.edu wrote:
> On 7/30/20 10:51 AM, Lamar Owen wrote:
>> On 7/30/20 10:35 AM, Lamar Owen wrote:
>>> However, what is really odd to me is that after the dnf downgrade of grub2 and shim, which did get logged in /var/log/dnf.log, when issuing a dnf update I don't see the grub2 and shim updates listed anymore.
>> So I'm on the latest kernel, but downrev on grub2 and a dnf update does now list the updated release. When I get enough time to reproduce I might try the update again.
> So, the first update this morning was with the GUI updater that does the update during a reboot. I just updated to the '87 release of grub2 using dnf from the command line, and the update was successful, with a correctly booting system. So I can't reproduce the issue on this laptop.
Red Hat fixes are available.
https://access.redhat.com/errata/RHBA-2020:3265 https://access.redhat.com/errata/RHBA-2020:3262
wait for CentOS.
-- Lee
On 8/1/20 1:13 PM, Thomas Stephen Lee wrote:
> On Thu, Jul 30, 2020 at 9:34 PM Lamar Owen lowen@pari.edu wrote:
>> On 7/30/20 10:51 AM, Lamar Owen wrote:
>>> On 7/30/20 10:35 AM, Lamar Owen wrote:
>>>> However, what is really odd to me is that after the dnf downgrade of grub2 and shim, which did get logged in /var/log/dnf.log, when issuing a dnf update I don't see the grub2 and shim updates listed anymore.
>>> So I'm on the latest kernel, but downrev on grub2 and a dnf update does now list the updated release. When I get enough time to reproduce I might try the update again.
>> So, the first update this morning was with the GUI updater that does the update during a reboot. I just updated to the '87 release of grub2 using dnf from the command line, and the update was successful, with a correctly booting system. So I can't reproduce the issue on this laptop.
> Red Hat fixes are available.
> https://access.redhat.com/errata/RHBA-2020:3265 https://access.redhat.com/errata/RHBA-2020:3262
> wait for CentOS.
These were released over the weekend.