On two UEFI systems, one with F23 Workstation, the other with F23 Cloud Atomic, I'm finding the grubx64.efi do not have the same hash, even though rpm -q reports the same rpm installed on both. This is unexpected. Does the atomic tree include /boot/efi/EFI/fedora? And if not, is that on the future feature list? CVE-2015-8370 is what made me look at this. On BIOS computers, whether conventional or atomic, GRUB2 user space tools are updated with grub2-2.02-0.25.fc23, but that only updates user space tools. The user has to manually run grub2-install to actually fix the problem. On UEFI conventional installations, grubx64.efi is replaced automatically when the RPM is updated; but apparently not on UEFI atomic installations. Using grub2-install fails because grub2-efi-modules isn't installed by default, and even if it were the resulting grubx64.efi is now no longer signed by Fedora so it'll fail UEFI Secure Boot code signing checks. -- Chris Murphy _______________________________________________ cloud mailing list cloud@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/cloud@xxxxxxxxxxxxxxxxxxxxxxx
