search for: secureboot

Hi! I'm working currently on integration of UEFI/SecureBoot support into oVirt. And I have several questions about UEFI/SecureBoot support in libvirt. Can you please help me with them? For UEFI I add the following to the XML: <loader readonly="yes" secure="no" type="pflash"> /usr/share/OVMF/OVMF_CODE.secboot.fd </loa...

We are aware of the Boot Hole vulnerability in grub2 (CVE-2020-1073) and are working on releasing new packages for CentOS Linux 7, CentOS Linux 8 and CentOS Stream in response. These should make it out to a mirror near you shortly. /!\ Secureboot Systems - Please do a full update /!\ CentOS Linux 8 and CentOS Stream systems with secureboot enabled MUST update the kernel, grub2, and shim packages together. As part of this CVE, we have re-issued the kernel and shim signing certificate authorities, and previously released EL8 kernels cannot...

When we consolidated all CentOS Distro builders in a new centralized setup, covering all arches (so basically x86_64, i386, ppc64le, ppc64, aarch64 and armhfp those days), we wanted also to add redundancy where it was possible to. The interesting "SecureBoot" corner case came on the table and we had to find a different way to build the following packages: - shim (both signed and unsigned) - grub2 - fwupdate - kernel The other reason why we considered rebuilding it is that the cert we were using has expired : curl --location --silent https://...

...Aug 5, 2019 at 9:21 AM Alessandro Baggi > <alessandro.baggi at gmail.com> wrote: >> >> Il 05/08/19 18:07, Akemi Yagi ha scritto: >>> On Mon, Aug 5, 2019 at 9:01 AM Alessandro Baggi >>> <alessandro.baggi at gmail.com> wrote: > >>> Do you have secureboot enabled? Then yes, that requires a proper key. >>> >>> Akemi >> >> Yes I have secureboot enabled. If usefull to others in list this could >> helps: >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Kernel_Administrati...

Hi all, I updated a Dell XPS laptop from CentOS 8.1 (1911) to 8.2 (2004). Installed kernels are kernel-4.18.0-147.5.1.el8_1.x86_64 kernel-4.18.0-147.8.1.el8_1.x86_64 kernel-4.18.0-193.6.3.el8_2.x86_64 Unfortunately I can not boot into the latest kernel-4.18.0-193.6.3.el8_2.x86_64. After grub2 screen I only see following line: EFI stub: UEFI Secure Boot is enabled Booting into the older

...entosproject.org> Content-Type: text/plain; charset=utf-8 We are aware of the Boot Hole vulnerability in grub2 (CVE-2020-1073) and are working on releasing new packages for CentOS Linux 7, CentOS Linux 8 and CentOS Stream in response. These should make it out to a mirror near you shortly. /!\ Secureboot Systems - Please do a full update /!\ CentOS Linux 8 and CentOS Stream systems with secureboot enabled MUST update the kernel, grub2, and shim packages together. As part of this CVE, we have re-issued the kernel and shim signing certificate authorities, and previously released EL8 kernels cannot...

...>> >>> Looking good. I assume your running kernel is 3.10.0-957.27.2.el7 ? >>> >>> Akemi > >> Reading from dmesg seems that the module is not accepted by kernel due >> to invalid signature. I need to sign the module with a key? > > Do you have secureboot enabled? Then yes, that requires a proper key. > > Akemi > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos > Yes I have secureboot enabled. If usefull to others in list this could...

...> > AWS doesn't offer UEFI Secure Boot, so I'm not sure how that's relevant. > > It seems like you're reaching for criticisms of mokutil because you > don't like it, rather than because there is a demonstrable problem > with it. yeah, I just realized, duh, secureboot on a VM is not an issue at all, so never mind all that. I do think the whole secureboot thing is a bad idea on a general purpose computer system, seems like an attempt at creating product lock in and turning the x86 PC into an appliance, which it really isn't. -- john r pierce, recycling...

On 02/08/2020 16:26, Valeri Galtsev wrote: > > On the side note: it is Microsoft that signs one of Linux packages now. We seem to have made one more step away from ?our? computers being _our computers_. Am I wrong? > > Valeri > Microsoft are the Certificate Authority for SecureBoot and most SB-enabled hardware (most x86 hardware) comes with a copy of the Microsoft key preinstalled allowing binaries that are signed by Microsoft to work. In the case of linux, that is the shim which becomes the root of trust to load everything else. If you are not happy with that you can al...

Is there any known incompatibility with the latest 32-bit (i386) CentOS 6 and the latest Lenovo x3650 M5 servers? I?ve been running i386 CentOS 6.X on 3 year old x3650 M4 servers without any issues. Our development environment has not been ported to 64-bit (x86_64) yet, so we are stuck using i386 for another few months. When I try to boot from the netinstall ISO image I just get a ?Boot Failed?

...after that the normal kernel >> output scrolls over the screen (rhgb quiet disabled). >> >> Is the new kernel correctly signed? >> >> What can I do? >> >> -- >> Thanks >> Leon > > Hi Leon, > > Don't think that it's due to secureboot, as on my work laptop (thinkpad > t490s), I have secureboot on, and kernel working fine. > > OTOH, on my family laptop (also in secureboot mode), when I updated from > 8.1.1011 to 8.2.2004, laptop became unresponsive during the > microcode_ctl update (in scriptlet) and after that it...

...t;alessandro.baggi at gmail.com> wrote: >>>> >>>> Il 05/08/19 18:07, Akemi Yagi ha scritto: >>>>> On Mon, Aug 5, 2019 at 9:01 AM Alessandro Baggi >>>>> <alessandro.baggi at gmail.com> wrote: >>> >>>>> Do you have secureboot enabled? Then yes, that requires a proper key. >>>>> >>>>> Akemi >>>> >>>> Yes I have secureboot enabled. If usefull to others in list this could >>>> helps: >>>> >>>> https://access.redhat.com/documentation/e...

...sandro Baggi >> <alessandro.baggi at gmail.com> wrote: >>> >>> Il 05/08/19 18:07, Akemi Yagi ha scritto: >>>> On Mon, Aug 5, 2019 at 9:01 AM Alessandro Baggi >>>> <alessandro.baggi at gmail.com> wrote: >> >>>> Do you have secureboot enabled? Then yes, that requires a proper key. >>>> >>>> Akemi >>> >>> Yes I have secureboot enabled. If usefull to others in list this could >>> helps: >>> >>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linu...

...after that the normal kernel >> output scrolls over the screen (rhgb quiet disabled). >> >> Is the new kernel correctly signed? >> >> What can I do? >> >> -- >> Thanks >> Leon > > Hi Leon, > > Don't think that it's due to secureboot, as on my work laptop (thinkpad > t490s), I have secureboot on, and kernel working fine. > > OTOH, on my family laptop (also in secureboot mode), when I updated from > 8.1.1011 to 8.2.2004, laptop became unresponsive during the > microcode_ctl update (in scriptlet) and after that it...

...bootloader (with F22 and CentOS 7 >>>> installer images). There's no really useful information in any >>>> of the logs. >>>> >> >> I haven't tried EFI with 440fx, only with q35. I haven't found an >> option to enable EFI neither a secureboot anywhere in >> virt-manager. > >q35 doesn't help here. secureboot is in the EFI config menus (press ><ESC> or <DEL> in the guest while booting, go look at the boot >configuration, and you'll see secureboot options -- it's disabled by >default and not abl...

On Sun, Jun 12, 2016 at 10:46 AM, Ned Slider <ned at unixmail.co.uk> wrote: > > > On 12/06/16 16:45, Globe Trotter wrote: >> >> Hi, >> I am a new CentOS user (quite familiar with Fedora 1-23+) and I decided to >> try a new install of CentOS on a ASUS R503U. >> >> However, I can not get hibernate to work. I try: >> systemctl hibenaate

...ialization, but the VM exits ungracefully >> after the bootloader (with F22 and CentOS 7 installer images). There's >> no really useful information in any of the logs. >> I haven't tried EFI with 440fx, only with q35. I haven't found an option to enable EFI neither a secureboot anywhere in virt-manager. >> Using qemu-kvm directly (qemu-kvm -bios >> /usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd -m 1G -cdrom >> ~rbarry/Downloads/Fedora-Server-netinst-x86_64-22.iso) boots and loads >> successfully. > We don't use '-bios' but '...

...el is still possible. The > above line appears and after that the normal kernel > output scrolls over the screen (rhgb quiet disabled). > > Is the new kernel correctly signed? > > What can I do? > > -- > Thanks > Leon Hi Leon, Don't think that it's due to secureboot, as on my work laptop (thinkpad t490s), I have secureboot on, and kernel working fine. OTOH, on my family laptop (also in secureboot mode), when I updated from 8.1.1011 to 8.2.2004, laptop became unresponsive during the microcode_ctl update (in scriptlet) and after that it auto-reset itself , so i...

Le 07/08/2020 ? 09:40, Alessandro Baggi a ?crit?: > Probably many users have not updated their machines between the bug release and > the resolution (thanks to your fast apply in the weekend, thank you) and many > update their centos machines on a 2 months base (if not worst). I think also > that many users of CentOS user base have not proclamed their > disappointement/the issue on

...or sure, maybe 2 weeks) > > I gained MUCH respect for all those guys .. especially Peter Jones. He > is Mr.Secure Boot. > > I personally tested both the c8 and c7 solutions on several machines > (All i have access to actually, including several personal machines that > have secureboot). I saw some of the testing that happened on the RHEL > side. It was extensive. > I'll just add to Johnny's already comprehensive reply. As a member of the CentOS QA team, I personally tested the update on 3 physical machines and all worked fine. Moreover, the QA team was not ab...