IBM Support

Malformed RHEL Secure Boot Certificate in FW1050 and FW1050.10

News


Abstract

As of FW1050, support for Linux secure boot includes full dynamic key management for GRUB and the Linux kernel. Current Linux distribution releases do not support dynamic key management; future releases are expected to. Until then, do not enable dynamic key management on FW1050 or FW1050.10. These two firmware releases include a malformed Red Hat verification certificate that is incorporated into the logical partition (LPAR) secure boot dynamic key store when dynamic key management is enabled, and prevents future updates. Do not enable secure boot dynamic key management until a Linux distribution supports it. When a Linux distribution does support secure boot dynamic key management, ensure the system is updated to at least FW1050.20 before you enable secure boot dynamic key management on the LPAR.

Content

Linux Releases Affected
All Linux distribution releases running logical partitions (LPARs) on FW1050 and FW1050.10.
 
IBM Systems Affected
IBM Power10
 
Symptoms
The bad certificate contains an empty key authority identifier. No method exists to remove the bad certificate until future Linux distributions that support secure boot dynamic key management are available.
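Added example, not part of the advisory and not IBM or Red Hat code: a minimal pure-Python DER walker that pulls the Authority Key Identifier (AKI) extension out of a DER-encoded X.509 certificate and reports whether it carries a keyIdentifier, which is the check an administrator would want to run on a verification certificate before it is committed to a key store that cannot later be cleaned. It assumes that the advisory's "empty key authority identifier" means an AKI extension whose keyIdentifier field is absent or empty; the two certificates it checks are constructed, unsigned skeletons with placeholder fields, not the firmware's certificate.

```python
# Added example, not IBM or Red Hat code: find the Authority Key Identifier (AKI)
# extension in a DER-encoded X.509 certificate and report whether it carries a
# keyIdentifier.  Pure Python, no third-party libraries.  Assumption: the
# advisory's "empty key authority identifier" means an AKI extension whose
# keyIdentifier field is absent or empty.
AKI_OID = "2.5.29.35"  # id-ce-authorityKeyIdentifier

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """List the (tag, value) elements inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def find_extensions(cert_der):
    """Return [(oid, critical, extnValue)] from a DER certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)  # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)       # tbsCertificate is its first field
    for tag, val in _children(tbs):
        if tag == 0xA3:                  # extensions [3] EXPLICIT SEQUENCE OF Extension
            result = []
            for _, ext in _children(_children(val)[0][1]):
                parts = _children(ext)   # extnID, optional critical BOOLEAN, extnValue
                critical, idx = False, 1
                if parts[idx][0] == 0x01:
                    critical, idx = parts[idx][1] != b"\x00", idx + 1
                result.append((_decode_oid(parts[0][1]), critical, parts[idx][1]))
            return result
    return []

def aki_key_identifier(cert_der):
    """keyIdentifier bytes from the AKI extension; b'' if the extension is
    present without one; None if the certificate has no AKI extension."""
    for oid, _, ext_value in find_extensions(cert_der):
        if oid == AKI_OID:
            _, aki, _ = _read_tlv(ext_value, 0)  # AuthorityKeyIdentifier ::= SEQUENCE
            for tag, val in _children(aki):
                if tag == 0x80:                 # keyIdentifier [0] IMPLICIT OCTET STRING
                    return val
            return b""
    return None

# Constructed sample certificates: unsigned skeletons with placeholder fields,
# built only to exercise the parser.  They are not the firmware's certificate.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _seq(*parts):
    return _tlv(0x30, b"".join(parts))

def _ext(oid_der, value_der):
    return _seq(_tlv(0x06, oid_der), _tlv(0x04, value_der))

def build_cert(extensions):
    sha256_rsa = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = _seq(
        _tlv(0xA0, _tlv(0x02, b"\x02")),  # version v3
        _tlv(0x02, b"\x01"),              # serialNumber
        sha256_rsa,                       # signature algorithm
        _seq(),                           # issuer Name (empty placeholder)
        _seq(_tlv(0x17, b"240101000000Z"), _tlv(0x17, b"340101000000Z")),
        _seq(),                           # subject Name (empty placeholder)
        _seq(_seq(_tlv(0x06, bytes.fromhex("2a864886f70d010101"))), _tlv(0x03, b"\x00")),
        _tlv(0xA3, _seq(*extensions)),
    )
    return _seq(tbs, sha256_rsa, _tlv(0x03, b"\x00"))  # signatureValue placeholder

AKI_OID_DER = bytes.fromhex("551d23")  # 2.5.29.35
GOOD_CERT = build_cert([_ext(AKI_OID_DER, _seq(_tlv(0x80, bytes(range(20)))))])
BAD_CERT = build_cert([_ext(AKI_OID_DER, _seq())])  # AKI with no keyIdentifier

if __name__ == "__main__":
    for name, cert in (("well-formed", GOOD_CERT), ("malformed", BAD_CERT)):
        kid = aki_key_identifier(cert)
        print(name, "->", "no keyIdentifier" if kid == b"" else kid.hex())
```

To check a real certificate, pass its DER bytes to aki_key_identifier (convert a PEM file first with `openssl x509 -in cert.pem -outform DER -out cert.der`); the same field is shown under "X509v3 Authority Key Identifier" in `openssl x509 -in cert.pem -noout -text`. The walker deliberately decodes only the structure it needs (outer SEQUENCE, tbsCertificate, the [3] extensions field) and does not validate the signature or the other fields, so it is a triage check, not a replacement for a full X.509 parser.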
Workaround
After the bad certificate is incorporated into the LPAR key store, the following workarounds are available:
If secure boot is not required on the LPAR, secure boot can be disabled until the LPAR is recovered through one of the following methods:
Until a Linux distribution supports dynamic key secure boot, the only way to recover the LPAR secure boot key store is to return the LPAR to secure boot static key management. To return to static key management, complete the following steps:
  1. Back up all data in the affected LPAR.
  2. Remove the LPAR completely.
  3. Create a new LPAR.
  4. Restore the data from the backup.
In future Linux distributions that support dynamic key management, you can create a special update that clears the keystore, which removes the bad certificate.
Fix Outlook

FW1050.20 and later versions include a properly formed Red Hat Enterprise Linux (RHEL) verification certificate.

I/O device impacted

None.


Document Information

Modified date:
11 June 2024

UID

ibm17156248