Early this morning, an emergency bug appeared in the bugzilla tracker.
The patches were designed to close a recently discovered vulnerability in the GRUB2 boot manager called BootHole. The vulnerability gave attackers a way to potentially install "bootkit" malware on a Linux system, even when that system is protected by UEFI Secure Boot.
RHEL and CentOS
Unfortunately, the Red Hat patches to GRUB2 and the kernel, once applied, leave patched systems unable to boot. The problem has been confirmed to affect RHEL 7.8 and RHEL 8.2, and may affect RHEL 8.1 and 7.9. The RHEL-derived distribution CentOS is also affected.
Currently, Red Hat advises users not to apply the GRUB2 security patches (RHSA-2020:3216 or RHSA-2020:3217) until these issues are resolved. If you administer RHEL or CentOS and think you may have installed these patches, do not restart your system. Downgrade the affected packages with
sudo yum downgrade shim* grub2* mokutil
and configure yum not to upgrade these packages by temporarily adding
exclude=grub2* shim* mokutil
to
If you have already applied the patches and tried (and failed) to reboot, boot from the RHEL or CentOS DVD in troubleshooting mode, set up the network, and then follow the same steps described above to restore your system to working order.
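The temporary yum hold described above, as an added example that is not from the article or from Red Hat: a shell function that puts the three patterns into the [main] section of a yum configuration file while keeping a single exclude= line, and takes them out again later. The function name, the HOLD_PKGS variable and passing the configuration file path as an argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: toggle a temporary yum hold on the boot packages.
# The config file path is supplied by the caller (assumption of this example).
HOLD_PKGS='grub2* shim* mokutil'   # patterns from the article's exclude= line

# boot_pkg_hold add|remove CONF
# "remove" drops these three patterns even if one was excluded before the hold.
boot_pkg_hold() {
    mode=$1 conf=$2
    tmp=$(mktemp) || return 1
    awk -v mode="$mode" -v want="$HOLD_PKGS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) held[w[i]] = 1 }
        # Rewrite an exclude value: drop our patterns, re-add them in "add" mode.
        function rewrite(val,    m, h, j, out) {
            m = split(val, h, /[ ,]+/); out = ""
            for (j = 1; j <= m; j++)
                if (h[j] != "" && !(h[j] in held)) out = out (out == "" ? "" : " ") h[j]
            if (mode == "add") out = out (out == "" ? "" : " ") want
            return out
        }
        /^\[/ {   # section header: leaving [main] without an exclude= line yet
            if (inmain && mode == "add" && !done) { print "exclude=" want; done = 1 }
            inmain = ($0 ~ /^\[main\]/)
        }
        inmain && /^exclude[ \t]*=/ {   # merge into the existing line
            sub(/^exclude[ \t]*=[ \t]*/, "")
            val = rewrite($0); done = 1
            if (val != "") print "exclude=" val
            next
        }
        { print }
        END {
            if (mode == "add" && !done) {
                if (!inmain) print "[main]"   # file had no [main] section
                print "exclude=" want
            }
        }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rc=$?; rm -f "$tmp"; return $rc
}
```

Run `boot_pkg_hold add` as root against the yum configuration file before the next update, and `boot_pkg_hold remove` once fixed packages are available.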
Although the bug was first reported on Red Hat Enterprise Linux, apparently related bug reports are coming in from other distributions in different families as well. Ubuntu and Debian users are reporting systems that cannot be started after installing GRUB2 updates, and Canonical has issued an advisory including instructions on how to recover affected systems.
Although the impact of the GRUB2 error is similar, its scope may vary from distribution to distribution; for now, the Debian / Ubuntu GRUB2 error appears to only affect systems that are booting in BIOS mode (not UEFI). The Ubuntu bug has already been fixed in the proposed repository, tested, and released to the updates repository. The updated and released packages, grub2 (2.02~beta2- and grub2 (2.04-1ubuntu26.2) focal, should resolve the issue for Ubuntu users.
For Debian users, the fix is available in a new package
We currently have no word on flaws in, or the impact of, the GRUB2 BootHole patches on other distributions such as Arch, Gentoo or Clear Linux.