eFA 4.0.2 does not boot after grub2/shim security fix

MauriceW
Posts: 11
Joined: 10 Jan 2015 10:50

eFA 4.0.2 does not boot after grub2/shim security fix

Post by MauriceW » 01 Aug 2020 11:34

After an update that apparently happened last Thursday, my eFA 4.0.2 appliance on Hyper-V would no longer boot.

This seems to be the cause: https://access.redhat.com/solutions/5272311

After a lot of troubleshooting (downgrading grub2, shim and mokutil) and recreating the grub.cfg file on the EFI partition, I managed to get CentOS 7 booting again.

However, I have two remaining issues:

1. I can only boot by manually choosing the second boot entry in the grub menu (kernel version 3.10.0-1127.13.1.el7). Choosing 3.10.0-1127.18.1.el7 results in a kernel panic about "Unable to mount root fs on unknown-block(0,0)".

Also, when booting with 3.10.0-1127.13.1.el7, I need to add "selinux=0" before booting, otherwise it won't work.

2. Once eFA is up & running, mail processing seems to work fine, messages are forwarded to my Exchange server, but they are no longer stored in quarantine on the eFA appliance.

I'm quite surprised nobody else has reported this yet :)

zarkon555
Posts: 2
Joined: 04 Jun 2020 17:11

Re: eFA 4.0.2 does not boot after grub2/shim security fix

Post by zarkon555 » 02 Aug 2020 16:34

I have the same issue.

Trying to get mine to boot again...

-W

shawniverson
Posts: 3144
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: eFA 4.0.2 does not boot after grub2/shim security fix

Post by shawniverson » 02 Aug 2020 17:37

I'm checking my installations, I was afraid this might come down the pipe and affect some folks.
Version eFa 4.0.2 now available!

shawniverson
Posts: 3144
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: eFA 4.0.2 does not boot after grub2/shim security fix

Post by shawniverson » 02 Aug 2020 17:41

I would advise everybody to hold off restarting their instances to allow time for the shim fixes to arrive (mine arrived last night, it appears)

Chances are if you are here, you rebooted while the boot shim bug was active.... :?

MauriceW
Posts: 11
Joined: 10 Jan 2015 10:50

Re: eFA 4.0.2 does not boot after grub2/shim security fix

Post by MauriceW » 03 Aug 2020 12:50

I ended up provisioning a new eFA VM and used the "v3 to v4" migration procedure to transfer all my settings to the new machine.

Back up & running now, with the updates for grub2 and shim disabled in yum.conf.

I was not able to fix the selinux issue on the old VM, and I also noticed a MySQL-related error from MailScanner in maillog that looked something like this: "install_driver(mysql) failed: Can’t load ‘/usr/lib64/perl5/vendor_perl/auto/DBD/mysql/mysql.so’ for module DBD::mysql: libmysqlclient.so.16:" (not the exact error message, since the old VM is shut down now). I believe this error was related to the fact that messages were no longer being stored in quarantine, nor were they visible under Recent Messages.

tesme33
Posts: 39
Joined: 22 Mar 2015 10:57
Location: Germany/Munich area

Re: eFA 4.0.2 does not boot after grub2/shim security fix

Post by tesme33 » 03 Aug 2020 21:05

Hi,
Before reading this post I was doing a yum -update; luckily it didn't do any upgrade/update.
Looking into the linked post from Red Hat, I checked if I have shim installed, which I don't have.
Now I'm asking myself why I don't have it but others do. Was there a change in the installation procedure?
I'm coming from the release candidate version via changing the repositories.

--

[root@efa4 milterin]# rpm -qa shim-\* --qf "%{SOURCERPM}\n" | sort | uniq
[root@efa4 milterin]# uname -a
Linux efa4.stuebiland.de 3.10.0-1127.18.2.el7.x86_64 #1 SMP Sun Jul 26 15:27:06 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@efa4 milterin]# cat /etc/centos-release
CentOS Linux release 7.8.2003 (Core)
--

MauriceW
Posts: 11
Joined: 10 Jan 2015 10:50

Re: eFA 4.0.2 does not boot after grub2/shim security fix

Post by MauriceW » 04 Aug 2020 06:27

If I'm not mistaken it only happens if you use UEFI boot and not legacy boot.

I'm running a Generation 2 Hyper-V machine and that will use UEFI boot if the OS supports it (which CentOS 7 does).
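
A pre-reboot check built from the points raised in the thread so far (UEFI versus legacy boot, whether shim is installed, and boot-chain updates left excluded in yum.conf), as an added example that is not part of any poster's message or of eFa itself. The function names and the sample package list are constructed for illustration; paths are parameters so the functions can be pointed at a test tree.

```shell
#!/bin/sh
# Added example: report whether the shim boot path is in use and whether
# yum.conf still holds back boot-chain updates. All names are hypothetical.

# Return 0 if the system was booted through UEFI; the kernel only
# creates /sys/firmware/efi on UEFI boots.
booted_uefi() {
    [ -d "${1:-/sys/firmware/efi}" ]
}

# Read package names on stdin and print those in the boot chain
# (the three packages named in the first post).
boot_chain_pkgs() {
    grep -E '^(shim|grub2|mokutil)(-|$)' | sort -u
}

# Print boot-chain patterns listed on exclude= lines of a yum.conf.
# yum accepts space- or comma-separated globs there.
excluded_boot_pkgs() {
    conf="${1:-/etc/yum.conf}"
    [ -r "$conf" ] || return 0
    sed -n 's/^[[:space:]]*exclude[[:space:]]*=//p' "$conf" |
        tr ', \t' '\n\n\n' | grep -E '^(shim|grub2|mokutil)' | sort -u
}

# Usage: <package names on stdin> | report SYSFS_EFI_DIR YUM_CONF
report() {
    sysfs="$1"; conf="$2"
    pkgs=$(boot_chain_pkgs)
    if booted_uefi "$sysfs" && printf '%s\n' "$pkgs" | grep -q '^shim'; then
        echo "UEFI boot with shim installed: verify shim/grub2 updates before rebooting"
    else
        echo "legacy boot or no shim: the shim boot path is not in use"
    fi
    ex=$(excluded_boot_pkgs "$conf")
    # Quote the patterns so globs such as grub2* are not expanded by the shell.
    [ -z "$ex" ] || echo "yum.conf still excludes: $(printf '%s' "$ex" | tr '\n' ' ')"
}

# Constructed sample package list, checked against this host's paths.
# On a live RPM-based host, feed it real data instead:
#   rpm -qa --qf '%{NAME}\n' | report /sys/firmware/efi /etc/yum.conf
printf 'shim-x64\ngrub2-efi-x64\nmokutil\nkernel\n' |
    report /sys/firmware/efi /etc/yum.conf
```

An exclude left in yum.conf after recovery also holds back later fixed builds of those packages, so the last line of the report is worth revisiting once the boot problem is resolved.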

Sang15512
Posts: 3
Joined: 24 Aug 2020 10:27

Re: eFA 4.0.2 does not boot after grub2/shim security fix

Post by Sang15512 » 24 Aug 2020 10:46

Good information
