[CentOS] After update to 8 (2004) ... system is unbootable - UEFI Secure boot

Sat Aug 8 22:23:23 UTC 2020
Leon Fauster <leonfauster at googlemail.com>

On 29.07.20 at 20:54, Phil Perry wrote:
> On 29/07/2020 19:43, Leon Fauster via CentOS wrote:
>>
>> Did you manage to boot kernel-4.18.0-193.14.2.el8_2 or a newer one?
>> I must still boot into kernel-4.18.0-147.8.1.el8_1.x86_64 ... and with 
>> the upcoming new kernel that depends on a new shim and grub2 package I 
>> wonder about the implications for my XPS hardware ...
>>
> 
> The following article discusses a way to add a hash for older kernels to 
> the Allow List that should allow older kernels to continue to boot:
> 
> https://access.redhat.com/security/vulnerabilities/grub2bootloader
> 
> Quoting...
> 
> Red Hat Enterprise Linux 8
> 
> Due to hardening within the kernel, which is released as part of these 
> updates, previous Red Hat Enterprise Linux 8 kernel versions have not 
> been added to shim’s allow list. If you are running with Secure Boot 
> enabled, and the user needs to boot to an older kernel version, its hash 
> must be manually enrolled into the trust list. This is achieved by 
> executing the following commands:
> 
> # pesign -P -h -i /boot/vmlinuz-<version>
> 
> # mokutil --import-hash <hash value returned from pesign>
> 
> # reboot
> 

Thank you very much, Phil! This helps to boot the old kernel.

Also the newer kernel-4.18.0-193.14.2.el8_2.x86_64 cannot boot on
this notebook (Intel i7-8750H (06-9e-0a) / DELL XPS 15 9570).

I had opened a bug report already (not public as usual for kernels)

https://bugzilla.redhat.com/show_bug.cgi?id=1848743

Does someone else have this problem?

--
Leon