Early this morning, an urgent bug showed up at Red Hat’s bugzilla bug tracker—a user discovered that the RHSA-2020:3216 grub2 security update and RHSA-2020:3218 kernel security update rendered an RHEL 8.2 system unbootable. The bug was reported as reproducible on any clean minimal install of Red Hat Enterprise Linux 8.2.
The patches were intended to close a newly discovered vulnerability in the GRUB2 boot manager called BootHole. The vulnerability itself left a method for system attackers to potentially install “bootkit” malware on a Linux system despite that system being protected with UEFI Secure Boot.
RHEL and CentOS
Unfortunately, Red Hat’s patches to GRUB2 and the kernel, once applied, are leaving patched systems unbootable. The issue is confirmed to affect RHEL 7.8 and RHEL 8.2, and it may affect RHEL 8.1 and 7.9 as well. RHEL-derivative distribution CentOS is also affected.
Red Hat is currently advising users not to apply the GRUB2 security patches (RHSA-2020:3216 or RHSA-2020:3217) until these issues have been resolved. If you administer a RHEL or CentOS system and believe you may have installed these patches, do not reboot your system. Downgrade the affected packages using sudo yum downgrade shim* grub2* mokutil and configure yum not to upgrade those packages by temporarily adding exclude=grub2* shim* mokutil to /etc/yum.conf.
If you’ve already applied the patches and attempted (and failed) to reboot, boot from an RHEL or CentOS DVD in Troubleshooting mode, set up the network, then perform the same steps outlined above in order to restore functionality to your system.
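The yum.conf hold described above, as an added shell sketch that is not from the article or from Red Hat: it extends an existing exclude= line in [main] rather than adding a second one, and it is safe to run twice. The function name add_yum_exclude and its file-path argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: hold grub2*, shim* and mokutil in a yum.conf-style file.
# The patterns are the ones given in the article; add_yum_exclude and its
# argument are hypothetical names chosen for this sketch.
# Usage (as root): add_yum_exclude /etc/yum.conf
# Assumes the file has a [main] section; a file without one is left unchanged.
HOLD_PATTERNS='grub2* shim* mokutil'

add_yum_exclude() {
    conf=$1
    tmp=$(mktemp) || return 1
    awk -v want="$HOLD_PATTERNS" '
        function flush_missing() {
            # [main] ended without an exclude= line: add one there
            if (inmain && !held) { print "exclude=" want; held = 1 }
        }
        /^\[/ { flush_missing(); inmain = ($0 ~ /^\[main\]/) }
        inmain && !held && /^exclude[ \t]*=/ {
            # Merge into the existing line, skipping patterns already held
            line = $0
            sub(/^exclude[ \t]*=[ \t]*/, "", line)
            n = split(line, have, /[ \t,]+/)
            for (i = 1; i <= n; i++) seen[have[i]] = 1
            m = split(want, w, " ")
            for (i = 1; i <= m; i++)
                if (!(w[i] in seen)) $0 = $0 " " w[i]
            held = 1
        }
        { print }
        END { flush_missing() }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Because the hold is meant to be temporary, remove the three patterns from the exclude= line once fixed packages are available.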
Although the bug was first reported in Red Hat Enterprise Linux, apparently related bug reports are rolling in from other distributions from different families as well. Ubuntu and Debian users are reporting systems which cannot boot after installing GRUB2 updates, and Canonical has issued an advisory including instructions for recovery on affected systems.
Although the impact of the GRUB2 bug is similar, the scope may be different from distribution to distribution; so far it appears the Debian/Ubuntu GRUB2 bug is only affecting systems which boot in BIOS (not UEFI) mode. A fix has already been committed to Ubuntu’s proposed repository, tested, and released to its updates repository. The updated and released packages, grub2 (2.02~beta2-36ubuntu3.27) xenial and grub2 (2.04-1ubuntu26.2) focal, should resolve the problem for Ubuntu users.
For Debian users, the fix is available in newly committed package grub2 (2.02+dfsg1-20+deb10u2).
We do not have any word at this time about flaws in or impact of GRUB2 BootHole patches on other distributions such as Arch, Gentoo, or Clear Linux.