This morning, a bug report appeared in Red Hat's Bugzilla bug tracker: a user found that the RHSA-2020:3216 grub2 security update and the RHSA-2020:3218 kernel security update rendered a RHEL 8.2 system unbootable. The bug was reported as reproducible on any minimal installation of Red Hat Enterprise Linux 8.2.
The patches were intended to close a newly discovered vulnerability in the GRUB2 boot manager called BootHole. The vulnerability left a way for attackers to potentially install "bootkit" malware on a Linux system even though that system was protected with UEFI Secure Boot.
RHEL and CentOS
Unfortunately, Red Hat's patches to GRUB2 and the kernel, once applied, are leaving patched systems unbootable. This issue is confirmed to affect RHEL 7.8 and RHEL 8.2, and may also affect RHEL 8.1 and 7.9. The RHEL-derived distribution CentOS is also affected.
Red Hat is currently advising users not to apply the GRUB2 security patches (RHSA-2020:3216 or RHSA-2020:3217) until these issues are resolved. If you manage a RHEL or CentOS system and believe you may have installed these patches, do not reboot your system. Downgrade the affected packages using

    sudo yum downgrade 'shim*' 'grub2*' mokutil

and configure yum not to upgrade those packages by temporarily adding

    exclude=grub2* shim* mokutil

to its configuration.
If you have already applied the patches and tried (and failed) to reboot, boot from a RHEL or CentOS DVD in troubleshooting mode, set up the network, then perform the same steps mentioned above to restore functionality to your system.
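The yum exclusion described above can be applied without clobbering exclusions that are already configured. The following is an added example, not code from the article or from Red Hat's advisory; it assumes yum reads `exclude=` from the `[main]` section of `/etc/yum.conf`, and the function name `hold_boot_packages` is hypothetical.

```sh
#!/bin/sh
# Added example (not from the article or Red Hat's advisory).
# Assumption: yum reads exclude= from the [main] section of /etc/yum.conf.
HOLD_PKGS='grub2* shim* mokutil'   # patterns from the article's exclude= line

# hold_boot_packages CONF  (hypothetical helper name)
# Ensure [main] in CONF has one exclude= line holding every HOLD_PKGS pattern.
# Existing exclusions are kept, and a second run leaves the file unchanged.
hold_boot_packages() {
    conf=$1
    tmp=$(mktemp) || return 1
    awk -v want="$HOLD_PKGS" '
        # Return the current exclusion list plus any missing wanted pattern.
        function merged(cur,   n, i, w, out) {
            gsub(/[ \t,]+/, " ", cur); sub(/^ /, "", cur); sub(/ $/, "", cur)
            out = cur
            n = split(want, w, " ")
            for (i = 1; i <= n; i++)
                if (index(" " cur " ", " " w[i] " ") == 0)
                    out = (out == "" ? w[i] : out " " w[i])
            return out
        }
        # Leaving [main] without having seen exclude=: add the line now.
        function close_main() {
            if (in_main && !done) { print "exclude=" merged(""); done = 1 }
        }
        /^\[/ { close_main(); in_main = ($0 ~ /^\[main\]/) }
        in_main && /^exclude[ \t]*=/ {
            sub(/^exclude[ \t]*=[ \t]*/, "")
            print "exclude=" merged($0); done = 1; next
        }
        { print }
        END {
            close_main()
            if (!done) { print "[main]"; print "exclude=" merged("") }
        }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run it as root with the configuration path as its argument, and remove the added patterns once fixed packages are released, since the exclusion is meant to be temporary.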
Although the bug was first reported in Red Hat Enterprise Linux, apparently related bug reports are also coming in from other distributions from different families. Ubuntu and Debian users are reporting systems that cannot boot after installing the GRUB2 updates, and Canonical has issued an advisory containing recovery instructions for the affected systems.
Although the effect of the GRUB2 bug is similar, its scope may vary from distribution to distribution; so far it appears that the Debian/Ubuntu GRUB2 bug is only affecting systems that boot using BIOS (not UEFI). A fix has already been committed to Ubuntu's proposed repository, tested, and released to its updates repository. The updated and released packages, grub2 (2.02~beta2- and grub2 (2.04-1ubuntu26.2) focal, should solve the problem for Ubuntu users.
For Debian users, the fix is available in the newly committed package
We do not have any word at this time about flaws in, or the impact of, the GRUB2 BootHole patches on other distributions such as Arch, Gentoo or Clear Linux.