Security updates to patch the BootHole UEFI vulnerability cause some Linux systems to fail to boot at all.
Early in the morning, an urgent bug appeared in Red Hat's Bugzilla bug tracker. A user had found that the grub2 security update RHSA-2020:3216 and the kernel security update RHSA-2020:3218 left an RHEL 8.2 system unbootable. The bug was reported as reproducible on every clean minimal installation of Red Hat Enterprise Linux 8.2.
The patches are meant to address BootHole, a newly discovered vulnerability in the GRUB2 boot manager. The vulnerability itself would allow attackers on a system to potentially install "bootkit" malware on a Linux system, even when that system is protected with UEFI Secure Boot.
RHEL and CentOS
Unfortunately, Red Hat's patches to GRUB2 and the kernel leave patched systems unable to boot once they have been applied. The issue has been confirmed to affect RHEL 7.8 and RHEL 8.2, and may also affect RHEL 8.1 and 7.9. CentOS, the distribution derived from RHEL, is also affected.
Red Hat is currently advising users not to apply the GRUB2 security patches (RHSA-2020:3216 or RHSA-2020:3217) until these issues are resolved. If you manage an RHEL or CentOS system and believe you have already installed these patches, do not reboot. Downgrade the affected packages with sudo yum downgrade shim\* grub2\* mokutil, and configure yum not to update those packages by temporarily adding exclude=grub2* shim* mokutil to /etc/yum.conf.
If you have already applied the patches and tried (and failed) to reboot, boot from an RHEL or CentOS DVD in troubleshooting mode, set up networking, and follow the steps above to restore your system to working order.
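The exclude pin above is meant to be temporary, so here is an added shell example (not from the article, Red Hat or any distribution) that adds the pin to a yum.conf-style file idempotently and strips it again once fixed packages ship; the package globs are the ones the article gives, and the file path is a parameter so the functions can be rehearsed on a scratch copy before touching /etc/yum.conf.

```shell
# Added example (not from the article, Red Hat or the distributions): add or remove
# the temporary yum "exclude=" pin for the BootHole-related packages in a
# yum.conf-style file. Globs are the article's; the path is a parameter so the
# functions can be rehearsed on a scratch copy before touching /etc/yum.conf.
PIN_PKGS='grub2* shim* mokutil'

# Append the globs to the first exclude= line (skipping ones already present), or
# insert a new exclude= line directly under [main] if the file has none.
pin_boothole_pkgs() {
    conf="$1"; tmp=$(mktemp) || return 1
    if grep -q '^exclude=' "$conf"; then
        awk -v pkgs="$PIN_PKGS" '
            /^exclude=/ && !done {
                n = split(pkgs, want, " "); val = substr($0, 9)
                for (i = 1; i <= n; i++)
                    if (index(" " val " ", " " want[i] " ") == 0)
                        val = (val == "" ? want[i] : val " " want[i])
                $0 = "exclude=" val; done = 1
            }
            { print }' "$conf" > "$tmp"
    else
        awk -v pkgs="$PIN_PKGS" '
            { print }
            /^\[main\]/ && !done { print "exclude=" pkgs; done = 1 }' "$conf" > "$tmp"
    fi
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Strip only our globs from every exclude= line, keeping any other pins the admin
# had; drop the line entirely if nothing is left on it.
unpin_boothole_pkgs() {
    conf="$1"; tmp=$(mktemp) || return 1
    awk -v pkgs="$PIN_PKGS" '
        /^exclude=/ {
            n = split(pkgs, want, " "); m = split(substr($0, 9), have, " "); val = ""
            for (j = 1; j <= m; j++) {
                keep = 1
                for (i = 1; i <= n; i++) if (have[j] == want[i]) keep = 0
                if (keep) val = (val == "" ? have[j] : val " " have[j])
            }
            if (val == "") next
            $0 = "exclude=" val
        }
        { print }' "$conf" > "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"
}
```

Run pin_boothole_pkgs /etc/yum.conf as root after the downgrade, and unpin_boothole_pkgs /etc/yum.conf once the corrected grub2 and shim packages are available.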
Although the bug was first reported in Red Hat Enterprise Linux, related bug reports are appearing from distributions of other families as well. Ubuntu and Debian users are reporting systems that fail to boot after installing GRUB2 updates, and Canonical has issued an advisory with instructions for recovering affected systems.
Although the effects of the GRUB2 bug are similar, its scope varies from distribution to distribution. So far, the Debian/Ubuntu GRUB2 bug only affects systems that boot in BIOS mode (not UEFI mode). For Ubuntu, a fix has already been committed to the proposed repository, tested, and released to the updates repository. The updated packages grub2 (2.02~beta2-36ubuntu3.27) for xenial and grub2 (2.04-1ubuntu26.2) for focal should solve the problem for Ubuntu users.
For Debian users, the fix is available in the newly committed package grub2 (2.02+dfsg1-20+deb10u2).
We currently have no reports of bugs or other effects of the GRUB2 BootHole patches on other distributions such as Arch, Gentoo, or Clear Linux.