[CentOS] Boot failed on latest CentOS 7 update

Sun Aug 2 18:43:26 UTC 2020
Pete Biggs <pete at biggs.org.uk>

> On a side note: it is Microsoft that signs one of the Linux packages
> now. We seem to have made one more step away from “our” computers
> being _our computers_. Am I wrong?
> 

Secure booting using UEFI requires that the code is signed - that is
the "secure" bit.  Microsoft are the CA for that signing. There's
nothing sinister about it, they aren't signing the RPM package, just one
of the bits of code in the package. I seem to remember that Microsoft
were the most vocal advocates for secure booting to get around boot
sector viruses and in order to facilitate a more universal uptake they
committed to signing any UEFI boot code from other OSes so long as it
came from a bona fide source.

You don't have to use UEFI secure booting - most machines can fall back
to legacy booting using BIOS settings. If you do that, you won't use
any Microsoft signed code.

I haven't looked in detail at the bug this all was supposed to fix, but
I think it had the capability of bypassing the UEFI security checking,
hence why the release of the advisory was delayed until the OSes were
patched and why there was a scramble to get everything out in time.
It's a nasty bug and was difficult to fix from what I've heard.

P.