Red Hat and CentOS systems not booting due to BootHole patches

Security updates intended to patch the BootHole UEFI vulnerability are leaving some Linux systems unable to boot.

This morning, a bug was posted in Red Hat's Bugzilla bug tracker: a user found that the RHSA-2020:3216 grub2 security update and the RHSA-2020:3218 kernel security update rendered an RHEL 8.2 system unbootable. The bug was reported as reproducible on any minimal installation of Red Hat Enterprise Linux 8.2.

The patches were intended to close a newly discovered vulnerability in the GRUB2 boot manager called BootHole. The vulnerability left a way for attackers to potentially install "bootkit" malware on a Linux system, even though that system was protected with UEFI Secure Boot.

RHEL and CentOS

Unfortunately, Red Hat's patches to GRUB2 and the kernel, once applied, are leaving patched systems unbootable. This issue is confirmed to affect RHEL 7.8 and RHEL 8.2, and may also affect RHEL 8.1 and 7.9. The RHEL-derived distribution CentOS is also affected.

Red Hat is currently advising users not to apply the GRUB2 security patches (RHSA-2020:3216 or RHSA-2020:3217) until these issues are resolved. If you manage a RHEL or CentOS system and believe you have installed these patches, do not reboot your system. Downgrade the affected packages using sudo yum downgrade shim* grub2* mokutil and configure yum not to upgrade those packages by temporarily adding exclude=grub2* shim* mokutil to /etc/yum.conf.

If you have already applied the patches and tried (and failed) to reboot, boot from a RHEL or CentOS DVD in troubleshooting mode, set up the network, then perform the same steps described above to restore functionality to your system.
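The temporary exclude described above should be added only once, should not overwrite an exclude= line that is already in the file, and has to come out again once fixed packages ship. The shell functions below sketch that; they are an added example, not taken from Red Hat's advisory or the original article. The function names, marker comment and return codes are assumptions, and the demo runs on a constructed file rather than /etc/yum.conf.

```shell
#!/bin/sh
# Added example: hold/unhold the boot-chain packages in a yum.conf-style file.
# HOLD_LINE is the value given in the article; everything else is hypothetical.
HOLD_LINE='exclude=grub2* shim* mokutil'
HOLD_MARK='# temporary hold: grub2/shim boot failure'

# hold_bootchain FILE: insert the marker and exclude line directly under [main].
# Returns 0 if added or already present, 1 if a different exclude= line exists
# (merge that one by hand instead of overwriting it), 2 if FILE has no [main].
hold_bootchain() {
    conf=$1
    grep -qxF "$HOLD_LINE" "$conf" && return 0
    grep -q '^exclude[[:space:]]*=' "$conf" && return 1
    grep -qxF '[main]' "$conf" || return 2
    tmp=$(mktemp) || return 3
    # cat back into place (not mv) so owner, mode and any symlink are preserved.
    awk -v mark="$HOLD_MARK" -v line="$HOLD_LINE" '
        { print }
        $0 == "[main]" { print mark; print line }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?; rm -f "$tmp"; return $rc
}

# unhold_bootchain FILE: remove exactly the two lines hold_bootchain added.
unhold_bootchain() {
    conf=$1
    tmp=$(mktemp) || return 3
    awk -v mark="$HOLD_MARK" -v line="$HOLD_LINE" \
        '$0 != mark && $0 != line' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?; rm -f "$tmp"; return $rc
}

# Demo on a constructed yum.conf; /etc/yum.conf is never touched here.
demo=$(mktemp) || exit 1
printf '[main]\ngpgcheck=1\ninstallonly_limit=3\n' > "$demo"
hold_bootchain "$demo" && cat "$demo"
rm -f "$demo"
```

On a real system the functions would be pointed at /etc/yum.conf as root, with unhold_bootchain run once corrected grub2 and shim packages are available.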

Other distributions

Although the bug was first reported in Red Hat Enterprise Linux, apparently related bug reports are also coming in from other distributions in different families. Ubuntu and Debian users are reporting systems that cannot boot after installing the GRUB2 update, and Canonical has issued an advisory containing recovery instructions for affected systems.

Although the effect of the GRUB2 bug is similar, its scope may vary from distribution to distribution; so far, it appears that the Debian/Ubuntu GRUB2 bug only affects systems that boot via BIOS (not UEFI). A fix has already been committed to Ubuntu's proposed repository, tested, and released to its updates repository. The updated and released packages, grub2 (2.02~beta2-36ubuntu3.27) xenial and grub2 (2.04-1ubuntu26.2) focal, should solve the problem for Ubuntu users.

For Debian users, the fix is available in the newly committed package grub2 (2.02+dfsg1-20+deb10u2).

We do not have any word at this time about flaws in, or the impact of, the GRUB2 BootHole patches on other distributions such as Arch, Gentoo or Clear Linux.
