Bug
Resolution: Unresolved
System must be installable and runnable with Secure Boot enabled and updated revocation list from Release Date: March 14, 2023
Testable
Secure Boot will be broken or is broken with updated Revocation List from 2023.
I failed installing CentOS Stream 9 with Secure Boot on my laptop. Then I failed using CentOS Stream 9 with Secure Boot with custom-signed EFI files. This led me to poke around revocation lists for UEFI.
I found that CentOS Stream 9 will not be / is not able to boot with Secure Boot anymore for any systems that use an updated revocation list from 2023. More precisely, this update will break Secure Boot for CentOS Stream 9.
From https://uefi.org/revocationlistfile/archive Release Date: March 14, 2023
Trying to use this revocation list with dbxtool gives me this error:
Validierung des ESP-Inhalts ist fehlgeschlagen: /boot/efi/EFI/BOOT/BOOTX64.EFI Authenticode checksum [xyz] is present in dbx
This is how I concluded that an updated revocation list from 2023 will break Secure Boot for CentOS Stream 9. I hope this conclusion is correct and not a false statement.
Suggestion: One way to quickly deal with the bug would be to provide an option to downgrade dbx tables or revocation lists. From my experiments this seems not to be possible with dbxtool or fwupdmgr. Could you suggest a method to deal with this?
Problem is that some laptops might be delivered with updated revocation lists. I assume that mine is, because I just cannot get CentOS Stream 9 to Secure Boot although RHEL9 Secure Boot works without any issues.
- is duplicated by: CS-1744 centos stream 9 fails to boot with secure boot enabled (Closed)
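The check behind the "Authenticode checksum is present in dbx" error above can be reproduced offline before a revocation list is applied. The following is an added example, not code from the report, dbxtool or fwupd: it parses the SHA-256 entries of a dbx update and tests a binary's Authenticode SHA-256 (computed separately and passed in as hex) against them. The function names and the sample data are constructed for illustration.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification, in on-disk (mixed-endian) form.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le

def strip_auth_header(blob):
    """Drop the EFI_VARIABLE_AUTHENTICATION_2 wrapper: EFI_TIME (16 bytes), then a
    WIN_CERTIFICATE_UEFI_GUID whose dwLength covers the whole certificate."""
    (cert_len,) = struct.unpack_from("<I", blob, 16)
    return blob[16 + cert_len:]

def sha256_entries(siglists):
    """Collect SHA-256 digests from concatenated EFI_SIGNATURE_LIST structures.
    Lists of other types (for example X.509 certificates) are skipped."""
    digests, off = set(), 0
    while off + 28 <= len(siglists):
        sig_type = siglists[off:off + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", siglists, off + 16)
        if list_size < 28 or off + list_size > len(siglists):
            raise ValueError("truncated or corrupt EFI_SIGNATURE_LIST")
        if sig_type == EFI_CERT_SHA256 and sig_size == 16 + 32:
            pos, end = off + 28 + hdr_size, off + list_size
            while pos + sig_size <= end:
                digests.add(siglists[pos + 16:pos + sig_size])  # skip SignatureOwner GUID
                pos += sig_size
        off += list_size
    return digests

def revoked(authenticode_sha256_hex, dbx_digests):
    """True if the binary's Authenticode SHA-256 is listed in the dbx digests."""
    return bytes.fromhex(authenticode_sha256_hex) in dbx_digests

# Constructed sample data (not real revocations): two made-up digests in one list,
# wrapped in a fake authentication header with 4 bytes of dummy CertData.
OWNER = uuid.UUID(int=0).bytes_le
D1 = hashlib.sha256(b"constructed-1").digest()
D2 = hashlib.sha256(b"constructed-2").digest()
BODY = OWNER + D1 + OWNER + D2
SAMPLE_LIST = EFI_CERT_SHA256 + struct.pack("<III", 28 + len(BODY), 0, 48) + BODY
AUTH_HEADER = bytes(16) + struct.pack("<IHH", 28, 0x0200, 0x0EF1) + bytes(16) + bytes(4)
SAMPLE_UPDATE = AUTH_HEADER + SAMPLE_LIST

if __name__ == "__main__":
    dbx = sha256_entries(strip_auth_header(SAMPLE_UPDATE))
    print(len(dbx), "SHA-256 entries; D1 revoked:", revoked(D1.hex(), dbx))
```

Running the same comparison against every EFI binary on the ESP shows, before the update is written to firmware, which bootloaders the new list would block.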