CentOS Stream Pipeline / CS-1782

Secure Boot is broken with CentOS Stream 9 with UEFI Revocation List from Release Date: March 14, 2023


    • Type: Bug
    • Resolution: Unresolved
    • System must be installable and runnable with Secure Boot enabled and updated revocation list from Release Date: March 14, 2023
    • Testable

      Secure Boot will be broken or is broken with updated Revocation List from 2023.

      I failed installing CentOS Stream 9 with Secure Boot on my laptop. Then I failed using CentOS Stream 9 with Secure Boot with custom signed EFI files. This led me to poke around revocation lists for UEFI.

      I found that CentOS Stream 9 will not be / is not able to boot with Secure Boot anymore for any systems that use an updated revocation list from 2023. More precisely, this update will break Secure Boot for CentOS Stream 9.

      From https://uefi.org/revocationlistfile/archive, Release Date: March 14, 2023

      Trying to use this revocation list with dbxtool gives me this error:

      Validierung des ESP-Inhalts ist fehlgeschlagen: /boot/efi/EFI/BOOT/BOOTX64.EFI Authenticode checksum [xyz] is present in dbx

      This is how I concluded that an updated revocation list from 2023 will break Secure Boot for CentOS Stream 9. I hope this conclusion is correct and not a false statement.

      Suggestion: One way to quickly deal with the bug would be to provide an option to downgrade dbx tables or revocation lists. From my experiments this seems not to be possible with dbxtool or fwupdmgr. Could you suggest a method to deal with this?

      Problem is that some laptops might be delivered with updated revocation lists. I assume that mine is, because I just cannot get CentOS Stream 9 to Secure Boot although RHEL9 Secure Boot works without any issues.
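The check dbxtool performed above (is the bootloader's Authenticode SHA-256 hash present in dbx?) can be reproduced by parsing the EFI_SIGNATURE_LIST structures that make up dbx. The following is an added example, not code from the report or from dbxtool; it assumes the input is the bare concatenation of EFI_SIGNATURE_LIST structures (e.g. the efivars dbx contents with the leading 4-byte attribute word removed) and uses a constructed sample list with made-up hashes, not entries from the March 2023 file, which additionally carries an authenticated-variable header in front of its lists.

```python
import struct
import uuid

# GUID that marks a list of SHA-256 Authenticode hashes (EFI_CERT_SHA256_GUID, UEFI spec).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def iter_signature_lists(blob):
    """Yield (signature_type, [(owner_guid, signature_data), ...]) per EFI_SIGNATURE_LIST."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        entries = [(uuid.UUID(bytes_le=body[i:i + 16]), body[i + 16:i + sig_size])
                   for i in range(0, len(body), sig_size)]
        yield sig_type, entries
        off += list_size


def sha256_hashes_in_dbx(blob):
    """Hex-encoded SHA-256 hashes revoked by the blob; other entry types (x509 etc.) are skipped."""
    hashes = set()
    for sig_type, entries in iter_signature_lists(blob):
        if sig_type == EFI_CERT_SHA256_GUID:
            hashes.update(data.hex() for _owner, data in entries)
    return hashes


def is_revoked(authenticode_sha256_hex, blob):
    """True if a binary with this Authenticode SHA-256 would be refused under Secure Boot."""
    return authenticode_sha256_hex.lower() in sha256_hashes_in_dbx(blob)


def build_sha256_list(hex_hashes, owner=uuid.UUID(int=0)):
    """Encode hashes as one EFI_SIGNATURE_LIST; used here only to construct sample data."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hex_hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48)
    return header + body


# Constructed sample dbx with two made-up hashes (not real entries from the 2023 revocation list).
SAMPLE_REVOKED = "ab" * 32
SAMPLE_DBX = build_sha256_list([SAMPLE_REVOKED, "cd" * 32])
```

Feed the hash from an error line like the one above (or one computed with `pesign --hash`) to `is_revoked()` to confirm whether a given dbx export is what blocks the binary.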

            bstinson@redhat.com Brian Stinson
            mark.schuette@protonmail.ch Mark Christoph Schütte