Early in the morning, an urgent bug appeared in Red Hat’s bug tracker: a user found that the RHSA-2020:3216 grub2 security update and the RHSA-2020:3218 kernel security update caused RHEL 8.2 to fail to boot. The bug was reported as reproducible on any clean minimal installation of Red Hat Enterprise Linux 8.2.
The fixes were designed to close a newly discovered vulnerability in the GRUB2 boot manager called BootHole. The vulnerability gave attackers a way to potentially install “bootkit” malware on a Linux system, even when that system is protected by UEFI Secure Boot.
RHEL and CentOS
Unfortunately, the Red Hat patches to GRUB2 and the kernel, once applied, leave patched systems unable to boot. The problem has been confirmed to affect RHEL 7.8 and RHEL 8.2 and may also affect RHEL 8.1 and 7.9. The RHEL-derived distribution CentOS is also affected.
Red Hat currently recommends that users do not apply the GRUB2 security fixes (RHSA-2020:3216 or RHSA-2020:3217) until these issues have been resolved. If you manage RHEL or CentOS and you believe you have installed these patches, do not restart the system. Downgrade the affected packages with
sudo yum downgrade shim* grub2* mokutil
and configure yum not to upgrade these packages by temporarily adding
exclude=grub2* shim* mokutil on the
If you have already applied the patches and tried (and failed) to restart, boot from a RHEL or CentOS DVD in troubleshooting mode, set up the network, and then follow the same steps above to restore system functionality.
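One way to confirm the temporary exclude is in place before the next update run, as an added example that is not Red Hat's or this article's own code. The function names are hypothetical and the yum configuration file to inspect is supplied by the caller.

```sh
#!/bin/sh
# Added example: check that a yum configuration file excludes the three
# package patterns named in the workaround (grub2*, shim*, mokutil).
# The file to inspect is passed as the first argument (an assumption of
# this example); continuation lines after exclude= are not handled.

# Print every pattern found on active exclude= lines, one per line.
# Commented-out lines such as "#exclude=..." are ignored.
list_excludes() {
    sed -n 's/^[[:space:]]*exclude[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ', ' '\n\n' |   # patterns may be space- or comma-separated
        sed '/^$/d'
}

# Return 0 only if all three patterns from the workaround are present.
# Each missing pattern is reported on stderr.
workaround_excludes_present() {
    conf=$1
    missing=0
    for want in 'grub2*' 'shim*' 'mokutil'; do
        # -F: literal match (the * is not a regex), -x: whole line
        if ! list_excludes "$conf" | grep -Fxq -- "$want"; then
            echo "missing exclude pattern: $want" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Run as a script: sh check_excludes.sh <path-to-yum-config>
if [ "$#" -eq 1 ]; then
    if workaround_excludes_present "$1"; then
        echo "all workaround excludes present in $1"
    else
        echo "do not run updates until the exclude line is added" >&2
    fi
fi
```

The check only reads the configuration; it does not tell you whether the patched packages are already installed, so the downgrade step still has to be verified separately.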
Although the bug was first reported in Red Hat Enterprise Linux, apparently related bug reports are coming in from distributions in other families as well. Ubuntu and Debian users report systems that cannot be booted after installing GRUB2 updates, and Canonical has issued an advisory, including recovery instructions, for the affected systems.
Although the impact of the GRUB2 error is similar, the scope may vary from distribution to distribution; so far, the Debian / Ubuntu GRUB2 bug seems to only affect systems that boot in BIOS (not UEFI) mode. A fix has already been committed to Ubuntu's proposed repository, tested, and released into its updates repository. The updated and released packages, grub2 (2.02~beta2- and grub2 (2.04-1ubuntu26.2) focal, should solve the problem for Ubuntu users.
For Debian users, the fix is available in a newly bound package
We currently have no word on bugs or the impact of GRUB2 BootHole fixes on other distributions such as Arch, Gentoo or Clear Linux.