On 29/07/2020 19:43, Leon Fauster via CentOS wrote:
Did you got managed to boot kernel-4.18.0-193.14.2.el8_2 or a newer one?
I must still boot into kernel-4.18.0-147.8.1.el8_1.x86_64 ... and with
the upcoming new kernel that depends on a new shim and grub2 package I
wonder about the implications for my XPS hardware ...
The following article discusses a way to add a hash for older kernels to
the Allow List that should allow older kernels to continue to boot:
https://access.redhat.com/security/vulnerabilities/grub2bootloader
Quoting...
Red Hat Enterprise Linux 8
Due to hardening within the kernel, which is released as part of these
updates, previous Red Hat Enterprise Linux 8 kernel versions have not
been added to shim’s allow list. If you are running with Secure Boot
enabled, and the user needs to boot to an older kernel version, its hash
must be manually enrolled into the trust list. This is achieved by
executing the following commands:
# pesign -P -h -i /boot/vmlinuz-<version>
# mokutil --import-hash <hash value returned from pesign>
# reboot
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos