Hi all,

I had the same problem with my UEFI bios machine and I fixed it so for Centos 7:

1) Boot from an rescue linux usb

2) When the rescue system is running:

2.1) #chroot /mnt/sysimage

3) Config network:

3.1) # ip addr add X.X.X.X/X dev X

3.2) # ip route add default via X.X.X.X    <--- default router

4) And finally:

#yum downgrade shim* grub2* mokutil

#exit

#reboot

I hope you can fix it with these steps.

El 4/8/20 a las 0:56, Nicolas Kovacs escribió:

Le 03/08/2020 à 19:24, david a écrit :

...

After trying several paths, some suggested on this list, here's my results.

Hi,

Just back from a hiking trip. One of my clients sent me a message that his CentOS server refuses to boot. So tomorrow I have to drive there to figure out what's going on. I guess there's a high probability it's the issue discussed in this thread.

Simple question: besides a tsunami of mailing list and forum messages, is there some to-the-point reliable information about this mess ? As well as some to-the-point reliable information about how to fix it ?

Thanks,

Niki

--

On 8/4/20 2:31 AM, lpeci wrote:

3. Config network:

3.1) # ip addr add X.X.X.X/X dev X

3.2) # ip route add default via X.X.X.X    <--- default router

While I appreciate the thoughts behind this step in the instructions, and I thank you for the post that will be useful to those running fairly traditional servers, there are numerous cases where this simply will not work to bring up a network while booted into the rescue mode chroot.  Not all, and maybe not even most, CentOS machines are traditional servers with simple direct ethernet connections that don't require more steps.  I can just off the top of my head think of three cases where the above won't work:

Case 1: Virtualization host with a bridge on multiple VLANs over a bond.  Depending upon the type of bond, it may or may not be possible to bring up the host's interface to the network with the commands above.  More than half of my server machines here fall under this case.

Case 2: workstation with wired network and 802.1x authentication.

Case 3: workstation or laptop with only a wireless interface that requires a supplicant to authenticate.  Yes, workstation and laptop installs of CentOS do exist and are actively used and are just as important to recover as any traditional server.

For my laptop I was able to recover thanks to the 'nmtui' text-mode interactive interface to NetworkManager, bringing up any of my WiFi SSIDs with authentication; if any of my virtualization hosts had hit this problem (none did, interestingly enough) nmtui would have allowed me to activate the bridge on the host admin vlan quickly and easily from, again, a nice interactive text interface that is dead-simple to use quickly and accurately, and where you don't have to do any extra steps to get the interface name or any other details; nmtui just takes care of it in an intuitive manner.

On 8/4/20 9:51 AM, Johnny Hughes wrote:

On 8/4/20 1:31 AM, lpeci wrote:

...

Hi all,

I had the same problem with my UEFI bios machine and I fixed it so for Centos 7:

1. Boot from an rescue linux usb

2. When the rescue system is running:

2.1) #chroot /mnt/sysimage

3. Config network:

3.1) # ip addr add X.X.X.X/X dev X

3.2) # ip route add default via X.X.X.X    <--- default router

4. And finally:

#yum downgrade shim* grub2* mokutil

#exit

#reboot

I hope you can fix it with these steps.

El 4/8/20 a las 0:56, Nicolas Kovacs escribió:

...

Le 03/08/2020 à 19:24, david a écrit :

...

After trying several paths, some suggested on this list, here's my results.

Hi,

Just back from a hiking trip. One of my clients sent me a message that his CentOS server refuses to boot. So tomorrow I have to drive there to figure out what's going on. I guess there's a high probability it's the issue discussed in this thread.

Simple question: besides a tsunami of mailing list and forum messages, is there some to-the-point reliable information about this mess ? As well as some to-the-point reliable information about how to fix it ?

Thanks,

Niki

The issues should now be resolved.

If you just mount /mnt/sysimage, set an ip address and upgrade (to get th new shim) .. then:

yum reinstall <latest-version>

Everything should just work.

sorry ..

yum reinstall kernsl-<latest_version>

On Tue, 2020-08-04 at 10:36 -0500, Chris Adams wrote:

Once upon a time, Johnny Hughes johnny@centos.org said:

...

The issues should now be resolved.

If you just mount /mnt/sysimage, set an ip address and upgrade (to get th new shim) .. then:

yum reinstall <latest-version>

I'm curious - why does the kernel need to be reinstalled? The shim-x64 package installs its files directly to the EFI partition where they are needed.

+1

Le 04/08/2020 à 08:31, lpeci a écrit :

I had the same problem with my UEFI bios machine and I fixed it so for Centos 7:

1. Boot from an rescue linux usb

2. When the rescue system is running:

2.1) #chroot /mnt/sysimage

3. Config network:

3.1) # ip addr add X.X.X.X/X dev X

3.2) # ip route add default via X.X.X.X    <--- default router

4. And finally:

#yum downgrade shim* grub2* mokutil

#exit

#reboot

I hope you can fix it with these steps.

Thanks for the detailed suggestion.

Unfortunately I couldn't recover the installation, and I had to redo everything from scratch, which cost me the first two days of my holidays.

One thought regularly kept crossing my mind:

"How on earth could this have passed Q & A ?"

:o)

Cheers,

Niki

On 8/6/2020 7:25 AM, Simon Matter via CentOS wrote:

The only real solution I can think of to prevent this would be to make preview versions of updates available to the public so that a lot of people can test them on their hardware, hopefully spare hardware, and give feedback.

A practical equivalent is simply to avoid applying updates for a week to see if someone else gets burned by them. I'm already waiting for a weekend so I don't disrupt work in case a catastrophe happens, and I wait at least a week and watch this list for any reports of disaster. So I haven't experienced this one. Let the impatient do your testing for you.

On Thu, Aug 06, 2020 at 03:57:56PM +0200, Nicolas Kovacs wrote:

Le 04/08/2020 à 08:31, lpeci a écrit :

...

I had the same problem with my UEFI bios machine and I fixed it so for Centos 7:

While this worked for me, it might not work for you...

My "solution" was to boot the previous kernel, which came up just fine, yum remove kernel.xx.yy.zz yum install kernel.xx.yy.zz

which rebuilds the initrd, and voila!

Fred

...

1. Boot from an rescue linux usb

2. When the rescue system is running:

2.1) #chroot /mnt/sysimage

3. Config network:

3.1) # ip addr add X.X.X.X/X dev X

3.2) # ip route add default via X.X.X.X    <--- default router

4. And finally:

#yum downgrade shim* grub2* mokutil

#exit

#reboot

I hope you can fix it with these steps.

Thanks for the detailed suggestion.

Unfortunately I couldn't recover the installation, and I had to redo everything from scratch, which cost me the first two days of my holidays.

One thought regularly kept crossing my mind:

"How on earth could this have passed Q & A ?"

:o)

Cheers,

Niki

-- Microlinux - Solutions informatiques durables 7, place de l'église - 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32 Mob. : 06 51 80 12 12 _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos

Il 07/08/20 08:22, Johnny Hughes ha scritto:

...

"How on earth could this have passed Q & A ?"

Hi Johnny, Niki's question is spread, legit, in the thoughts in many and many users so don't see this as an attack. Many and many users,though really "if this was tested before release" and I think that many of us are incredulous at what happened on CentOS and in the upstream (specially in the upstream) but as you said CentOS inherits RHEL bugs. I'm reading about many users that lost their trust in RH with the last 2 problem (microcode and shim). This is bad for CentOS.

Well, I mean that would be a valid point if it happened for every install. The issue did not happen on every install. There is no way to test every single hardware and firmware combination for every single computer ever built :)

It would be great if things like this did not happen, but with the universe of possible combinations, i am surprised it does not happen more often.

Probably many users have not updated their machines between the bug release and the resolution (thanks to your fast apply in the weekend, thank you) and many update their centos machines on a 2 months base (if not worst). I think also that many users of CentOS user base have not proclamed their disappointement/the issue on this list or in other channels. For example I simply updated in the wrong time.

We do run boot tests of every single kernel for CentOS. The RHEL team runs many more tests for RHEL. But every possible combination from every vendor can't possibly be tested. Right?

you are right but is not UEFI a standard and it shouldn't work the same on several vendors? I ask this because this patch broken all my uefi workstations.

While CentOS team could not have so much resources to run this type of tests would be great to know what happened to RHEL QA (being RH giant) for this release and given the partenership between CentOS and RH if you know something more on this.....

Thank you.

On 8/7/20 3:46 AM, Nicolas Kovacs wrote:

Le 07/08/2020 à 09:40, Alessandro Baggi a écrit :

...

Probably many users have not updated their machines between the bug release and the resolution (thanks to your fast apply in the weekend, thank you) and many update their centos machines on a 2 months base (if not worst). I think also that many users of CentOS user base have not proclamed their disappointement/the issue on this list or in other channels. For example I simply updated in the wrong time.

I'm using yum-cron to keep all my server updated on a daily basis.

And my question "How could this have passed Q & A" was obviously directed at Red Hat... and *not* at Johnny Hughes and the CentOS team who do their best to deliver the best possible downstream system. I raise my morning coffee mug to your health, guys.

Cheers,

Niki

I can assure you .. a BUNCH of testing was done. Because of the scope of this udpate, the CentOS team was looped in during the embargo stage (we normally are not .. Red Hat Engineering got permission to make this happen for this issue). Normally we see things that are open source only .. not embargoed content. Once the embargo gets lifted, the items become open source. Kudos to the RH team for making this happen.

The CentOS team worked with the RHEL team on this update for several days (more than a week, for sure, maybe 2 weeks)

I gained MUCH respect for all those guys .. especially Peter Jones. He is Mr.Secure Boot.

I personally tested both the c8 and c7 solutions on several machines (All i have access to actually, including several personal machines that have secureboot). I saw some of the testing that happened on the RHEL side. It was extensive.

Microsoft, Debian, Ubuntu and others also had issues with this .. so if you are losing trust, you are losing it with all OS vendors WRT this issue.

All I can say is .. this issue was the hardest thing I have been involved with since starting with the CentOS Project 17 years ago.

Obviously, everyone involved in this build would have prevented this from happening if they could have. Secureboot is complicated.

On 8/7/20 5:30 AM, Phil Perry wrote:

On 07/08/2020 10:01, Johnny Hughes wrote:

...

On 8/7/20 3:46 AM, Nicolas Kovacs wrote:

...

Le 07/08/2020 à 09:40, Alessandro Baggi a écrit :

...

Probably many users have not updated their machines between the bug release and the resolution (thanks to your fast apply in the weekend, thank you) and many update their centos machines on a 2 months base (if not worst). I think also that many users of CentOS user base have not proclamed their disappointement/the issue on this list or in other channels. For example I simply updated in the wrong time.

I'm using yum-cron to keep all my server updated on a daily basis.

And my question "How could this have passed Q & A" was obviously directed at Red Hat... and *not* at Johnny Hughes and the CentOS team who do their best to deliver the best possible downstream system. I raise my morning coffee mug to your health, guys.

Cheers,

Niki

I can assure you .. a BUNCH of testing was done.  Because of the scope of this udpate, the CentOS team was looped in during the embargo stage (we normally are not .. Red Hat Engineering got permission to make this happen for this issue). Normally we see things that are open source only .. not embargoed content.  Once the embargo gets lifted, the items become open source.  Kudos to the RH team for making this happen.

The CentOS team worked with the RHEL team on this update for several days (more than a week, for sure, maybe 2 weeks)

I gained MUCH respect for all those guys .. especially  Peter Jones.  He is Mr.Secure Boot.

I personally tested both the c8 and c7 solutions on several machines (All i have access to actually, including several personal machines that have secureboot).  I saw some of the testing that happened on the RHEL side.  It was extensive.

I'll just add to Johnny's already comprehensive reply. As a member of the CentOS QA team, I personally tested the update on 3 physical machines and all worked fine. Moreover, the QA team was not able to replicate the issue on a single physical machine available to them - the first indication of a problem came from public reports. We give up a huge amount of our personal time and resources to ensure CentOS (and RHEL) are the very best products they can be. I'm unsure what more could have been done.

Thanks Phil,

I very much appreciate all you and the rest of the QA team do.

I know it is a knee jerk reaction to say .. how did that not get caught. I actually said it MYSELF for this very issue. But looking back, I am not sure how we could have caught it.

"Stuff Happens" :)

There are just a huge number of possible combinations.

...

Microsoft, Debian, Ubuntu and others also had issues with this .. so if you are losing trust, you are losing it with all OS vendors WRT this issue.

All I can say is .. this issue was the hardest thing I have been involved with since starting with the CentOS Project 17 years ago.

Obviously, everyone involved in this build would have prevented this from happening if they could have.  Secureboot is complicated.

Il 07/08/20 14:53, Johnny Hughes ha scritto:

On 8/7/20 5:30 AM, Phil Perry wrote:

...

On 07/08/2020 10:01, Johnny Hughes wrote:

...

On 8/7/20 3:46 AM, Nicolas Kovacs wrote:

...

Le 07/08/2020 à 09:40, Alessandro Baggi a écrit :

...

Probably many users have not updated their machines between the bug release and the resolution (thanks to your fast apply in the weekend, thank you) and many update their centos machines on a 2 months base (if not worst). I think also that many users of CentOS user base have not proclamed their disappointement/the issue on this list or in other channels. For example I simply updated in the wrong time.

I'm using yum-cron to keep all my server updated on a daily basis.

And my question "How could this have passed Q & A" was obviously directed at Red Hat... and *not* at Johnny Hughes and the CentOS team who do their best to deliver the best possible downstream system. I raise my morning coffee mug to your health, guys.

Cheers,

Niki

I can assure you .. a BUNCH of testing was done.  Because of the scope of this udpate, the CentOS team was looped in during the embargo stage (we normally are not .. Red Hat Engineering got permission to make this happen for this issue). Normally we see things that are open source only .. not embargoed content.  Once the embargo gets lifted, the items become open source.  Kudos to the RH team for making this happen.

The CentOS team worked with the RHEL team on this update for several days (more than a week, for sure, maybe 2 weeks)

I gained MUCH respect for all those guys .. especially  Peter Jones.  He is Mr.Secure Boot.

I personally tested both the c8 and c7 solutions on several machines (All i have access to actually, including several personal machines that have secureboot).  I saw some of the testing that happened on the RHEL side.  It was extensive.

I'll just add to Johnny's already comprehensive reply. As a member of the CentOS QA team, I personally tested the update on 3 physical machines and all worked fine. Moreover, the QA team was not able to replicate the issue on a single physical machine available to them - the first indication of a problem came from public reports. We give up a huge amount of our personal time and resources to ensure CentOS (and RHEL) are the very best products they can be. I'm unsure what more could have been done.

Thanks Phil,

I very much appreciate all you and the rest of the QA team do.

I know it is a knee jerk reaction to say .. how did that not get caught. I actually said it MYSELF for this very issue. But looking back, I am not sure how we could have caught it.

"Stuff Happens" :)

There are just a huge number of possible combinations.

Hi Johnny,

what is the current status of the notification tool for security updates on C8? There are possibilities to get soon announces on ML for EL8?

Would be great have the tool working.

Thank you.

Il 07/08/20 17:39, Leon Fauster via CentOS ha scritto:

Am 07.08.20 um 17:17 schrieb Alessandro Baggi:

...

Hi Johnny,

what is the current status of the notification tool for security updates on C8? There are possibilities to get soon announces on ML for EL8?

Would be great have the tool working.

As I understand some kind of mapping must be implemented for indexcode+gitcommitid beetween CentOS and RH ...

https://lists.centos.org/pipermail/centos/2020-August/351263.html

-- Leon

Hi Leon,

so we won't have announces soon. Until this happen why not push them on list manually?

Il 09/08/20 10:40, Johnny Hughes ha scritto:

On 8/9/20 2:49 AM, Alessandro Baggi wrote:

...

Il 07/08/20 17:39, Leon Fauster via CentOS ha scritto:

...

Am 07.08.20 um 17:17 schrieb Alessandro Baggi:

...

Hi Johnny,

what is the current status of the notification tool for security updates on C8? There are possibilities to get soon announces on ML for EL8?

Would be great have the tool working.

As I understand some kind of mapping must be implemented for indexcode+gitcommitid beetween CentOS and RH ...

https://lists.centos.org/pipermail/centos/2020-August/351263.html

-- Leon

Hi Leon,

so we won't have announces soon. Until this happen why not push them on list manually?

Push what to the list .. i don't have anything to push?

We have this:

https://feeds.centos.org/

Hi Johnny,

thank you for the resource.

Il 07/08/20 10:46, Nicolas Kovacs ha scritto:

Le 07/08/2020 à 09:40, Alessandro Baggi a écrit :

...

Probably many users have not updated their machines between the bug release and the resolution (thanks to your fast apply in the weekend, thank you) and many update their centos machines on a 2 months base (if not worst). I think also that many users of CentOS user base have not proclamed their disappointement/the issue on this list or in other channels. For example I simply updated in the wrong time.

I'm using yum-cron to keep all my server updated on a daily basis.

And my question "How could this have passed Q & A" was obviously directed at Red Hat... and *not* at Johnny Hughes and the CentOS team who do their best to deliver the best possible downstream system. I raise my morning coffee mug to your health, guys.

Cheers,

Niki

Hi Niki,

I intended what you mean.

Il 07/08/20 10:47, Johnny Hughes ha scritto:

On 8/7/20 2:40 AM, Alessandro Baggi wrote:

...

Il 07/08/20 08:22, Johnny Hughes ha scritto:

...

...

"How on earth could this have passed Q & A ?"

Hi Johnny, Niki's question is spread, legit, in the thoughts in many and many users so don't see this as an attack. Many and many users,though really "if this was tested before release" and I think that many of us are incredulous at what happened on CentOS and in the upstream (specially in the upstream) but as you said CentOS inherits RHEL bugs. I'm reading about many users that lost their trust in RH with the last 2 problem (microcode and shim). This is bad for CentOS.

...

Well, I mean that would be a valid point if it happened for every install.  The issue did not happen on every install.  There is no way to test every single hardware and firmware combination for every single computer ever built :)

It would be great if things like this did not happen, but with the universe of possible combinations, i am surprised it does not happen more often.

Probably many users have not updated their machines between the bug release and the resolution (thanks to your fast apply in the weekend, thank you) and many update their centos machines on a 2 months base (if not worst). I think also that many users of CentOS user base have not proclamed their disappointement/the issue on this list or in other channels. For example I simply updated in the wrong time.

...

We do run boot tests of every single kernel for CentOS.  The RHEL team runs many more tests for RHEL.  But every possible combination from every vendor can't possibly be tested. Right?

you are right but is not UEFI a standard and it shouldn't work the same on several vendors? I ask this because this patch broken all my uefi workstations.

It would be nice if it did .. however, this worked on many UEFI/Secureboot machines. It did not work on a small subset of machines.

...

While CentOS team could not have so much resources to run this type of tests would be great to know what happened to RHEL QA (being RH giant) for this release and given the partenership between CentOS and RH if you know something more on this.....

I have not seen the full post event account if what actually happened. I do know that many Red Hatters worked many hours over the last weekend to fix it. I am sure a public post will be made (if not already there) .. if someone knows where it is, post a link.

If I don't see it posted soon, I'll look for it and post here.

Thank you Johnny.

On Fri, 7 Aug 2020 at 09:15, Chris Adams linux@cmadams.net wrote:

Once upon a time, Alessandro Baggi alessandro.baggi@gmail.com said:

...

you are right but is not UEFI a standard and it shouldn't work the same on several vendors? I ask this because this patch broken all my uefi workstations.

The great thing about standards is there's so many to choose from! Also relevant: https://xkcd.com/927/

UEFI has gone through a number of revisions over the years, and has optional bits like Secure Boot (which itself has gone through revisions). Almost any set of standards has undefined corners where vendors interpret things differently. Vendors also have bugs in weird places sometimes.

I go with the lines from Pirates of the Carribean movie.. it is less of a rigid code and more a set of guidelines. Computer programmers are a surly lot, and most take any MUST/SHALL in a standard a personal challenge on how to make it pass a test but do so in an interesting way.

The firmware and boot loaders arguably are the least "exercised" parts of a system - both change rarely and there are few implementations. There's not many combinations, and they don't change a lot.

I'm interested to read about the cause of this issue - something like this can be a lesson on "hmm, hadn't thought of that before" type things to watch for in other areas. -- Chris Adams linux@cmadams.net _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos

Once upon a time, Alessandro Baggi alessandro.baggi@gmail.com said:

...

you are right but is not UEFI a standard and it shouldn't work the same on several vendors? I ask this because this patch broken all my uefi workstations.

The great thing about standards is there's so many to choose from! Also relevant: https://xkcd.com/927/

UEFI has gone through a number of revisions over the years, and has optional bits like Secure Boot (which itself has gone through revisions). Almost any set of standards has undefined corners where vendors interpret things differently. Vendors also have bugs in weird places sometimes.

The firmware and boot loaders arguably are the least "exercised" parts of a system - both change rarely and there are few implementations. There's not many combinations, and they don't change a lot.

I'm interested to read about the cause of this issue - something like this can be a lesson on "hmm, hadn't thought of that before" type things to watch for in other areas.

If you ask me I think the real root of the problem is that the UEFI/Secure Boot developers didn't know KISS - or they forgot about it. Once such a beast is born you can not handle it correctly no matter how much you try.

Regards, Simon