Red Hat and CentOS systems fail to boot due to BootHole patches


Security updates aimed at patching the BootHole UEFI vulnerability are rendering some Linux systems unable to start at all.

Earlier this morning, an urgent bug appeared on Red Hat’s bugzilla bug tracker: a user discovered that the grub2 security update RHSA-2020:3216 and the kernel security update RHSA-2020:3218 caused RHEL 8.2 systems to fail to boot. The bug was reported as reproducible on any clean minimal installation of Red Hat Enterprise Linux 8.2.

The patches were intended to close a newly discovered vulnerability in the GRUB2 boot manager called BootHole. The vulnerability itself left open a way for attackers to install “bootkit” malware on a Linux system even when that system is protected with UEFI Secure Boot.

RHEL and CentOS

Unfortunately, the Red Hat patches for GRUB2 and the kernel, once applied, leave patched systems unbootable. The problem is confirmed to affect RHEL 7.8 and RHEL 8.2, and may also affect RHEL 8.1 and 7.9. CentOS, a distribution derived from RHEL, is also affected.

Red Hat currently recommends that users do not apply the GRUB2 security patches (RHSA-2020:3216 or RHSA-2020:3217) until these issues have been resolved. If you manage a RHEL or CentOS system and think you may have installed these patches, do not restart your system. Downgrade the affected packages with sudo yum downgrade shim* grub2* mokutil, and configure yum not to update those packages again by temporarily adding exclude=grub2* shim* mokutil to /etc/yum.conf.

If you have already applied the patches and tried (and failed) to reboot, boot from a RHEL or CentOS DVD in troubleshooting mode, configure the network, then perform the same steps outlined above to restore the functionality of your system.
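The pinning step above, as an added example that is not from the article or from Red Hat: a shell helper (function names are this example's own) that adds the temporary exclude= entry to a yum.conf idempotently, merging it into any exclude= line already present under [main] rather than adding a second exclude= line that would not be combined with the first, and removes the entry again once fixed packages ship.

```shell
#!/bin/sh
# Added example (not from the article or Red Hat): temporarily pin the
# BootHole packages in a yum.conf so a later "yum update" does not
# reinstall the broken grub2/shim/mokutil builds, then undo the pin later.
PIN_PKGS='grub2* shim* mokutil'

# Usage: boothole_pin_add <yum.conf>
# Appends PIN_PKGS to an existing exclude= line in [main], or adds one.
# Running it twice leaves the file unchanged.
boothole_pin_add() {
    conf=$1; tmp=$(mktemp) || return 1
    awk -v pkgs="$PIN_PKGS" '
        /^\[main\]/ { in_main = 1; print; next }
        /^\[/ { if (in_main && !done) { print "exclude=" pkgs; done = 1 }
                in_main = 0 }
        in_main && /^exclude=/ && !done {
            line = $0; n = split(pkgs, want, " ")
            for (i = 1; i <= n; i++)           # token-exact membership test
                if (index(" " substr(line, 9) " ", " " want[i] " ") == 0)
                    line = line " " want[i]
            print line; done = 1; next
        }
        { print }
        END { if (!done) print "exclude=" pkgs }   # [main] was last section
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Usage: boothole_pin_remove <yum.conf>
# Drops only PIN_PKGS from the [main] exclude= line; keeps any other
# excludes the administrator had there, or removes the line if empty.
boothole_pin_remove() {
    conf=$1; tmp=$(mktemp) || return 1
    awk -v pkgs="$PIN_PKGS" '
        BEGIN { n = split(pkgs, d, " "); for (i = 1; i <= n; i++) skip[d[i]] = 1 }
        /^\[main\]/ { in_main = 1; print; next }
        /^\[/ { in_main = 0 }
        in_main && /^exclude=/ {
            m = split(substr($0, 9), have, " "); out = ""
            for (i = 1; i <= m; i++) if (!(have[i] in skip)) out = out " " have[i]
            if (out != "") print "exclude=" substr(out, 2)
            next
        }
        { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Usage: boothole_pin_status <yum.conf>  -> prints the [main] exclude= line
boothole_pin_status() {
    awk '/^\[main\]/ { in_main = 1; next } /^\[/ { in_main = 0 }
         in_main && /^exclude=/ { print; exit }' "$1"
}
```

Run it against a copy of /etc/yum.conf first to see the resulting exclude= line before touching the real file.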

Other distributions

Although the bug was first reported on Red Hat Enterprise Linux, apparently related bug reports are also coming in from distributions in other families. Ubuntu and Debian users are reporting systems that cannot boot after installing GRUB2 updates, and Canonical has issued a notice that includes recovery instructions for affected systems.

Although the impact of the GRUB2 bug is similar, its scope may differ from one distribution to another; so far it seems that the Debian / Ubuntu GRUB2 bug only affects systems booting in BIOS mode (not UEFI). A fix for Ubuntu has already been committed to the proposed repository, tested, and released to its updates repository. The updated packages, grub2 (2.02~beta2-36ubuntu3.27) for xenial and grub2 (2.04-1ubuntu26.2) for focal, should solve the problem for Ubuntu users.

For Debian users, the fix is available in the newly committed package grub2 (2.02+dfsg1-20+deb10u2).

We have no word at this time about failures or impact of GRUB2 BootHole patches on other distributions like Arch, Gentoo or Clear Linux.