Centos7 can't boot with shim-x64-15-7.el7_9.x86_64

Shigechika AIKAWA asked:

The floowing is serial console output:

BdsDxe: starting Boot0003 "CentOS Linux" from HD(1,GPT,A51EC18C-6831-4D47-B93E-B20DBC3F30BF,0x800,0x64000)/\EFI\centos\shimx64.efi

UEFI: Attempting to start image.
Description: CentOS Linux
FilePath: HD(1,GPT,A51EC18C-6831-4D47-B93E-B20DBC3F30BF,0x800,0x64000)/\EFI\centos\shimx64.efi
OptionNumber: 3.

!!!! X64 Exception Type - 0D(#GP - General Protection)  CPU Apic ID - 00000000 !!!!
ExceptionData - 0000000000000000
RIP  - 00000000BF2E5D5C, CS  - 0000000000000038, RFLAGS - 0000000000010006
RAX  - 00000000BFF5FE50, RCX - 000000000000001F, RDX - 00000000BFF31F28
RBX  - 00000000BF352FB0, RSP - 00000000BFF31E50, RBP - 00000000000023C0
RSI  - 00000000BFF31F28, RDI - 0000000000000068
R8   - 00000000BDB8C018, R9  - 000000000000211E, R10 - 00000000BDC6C010
R11  - 00000000BFF31E9A, R12 - 00000000BE791068, R13 - 00000000BF339018
R14  - 00000000BEE21018, R15 - 0000000000000068
DS   - 0000000000000030, ES  - 0000000000000030, FS  - 0000000000000030
GS   - 0000000000000030, SS  - 0000000000000030
CR0  - 0000000080010033, CR2 - 0000000000000000, CR3 - 00000000BF401000
CR4  - 0000000000000668, CR8 - 0000000000000000
DR0  - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000
DR3  - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400
GDTR - 00000000BF3EEA98 0000000000000047, LDTR - 0000000000000000
IDTR - 00000000BEE1F018 0000000000000FFF,   TR - 0000000000000000
FXSAVE_STATE - 00000000BFF31AB0
!!!! Find image based on IP(0xBF2E5D5C) /build/work/af60adde42b1d1ad5be2a01e4924bb905248/google3/blaze-out/k8-opt/genfiles/third_party/edk2/ovmf_x64_csm_debug_workspace_dir/ovmf_x64_csm_debug_edk2_files_dir/Build/OvmfX64/DEBUG_CLANG38/X64/OvmfPkg/8254TimerDxe/8254Timer/DEBUG/Timer.dll (ImageBase=00000000BF2E4000, EntryPoint=00000000BF2E5AB5) !!!!

My answer:


Red Hat and CentOS 7 shipped an update to the shim package which was meant to patch the recently disclosed Boot Hole vulnerability, but the package actually left systems unbootable. The fixed package versions are shim-*-15-8.el7, which are now available in Red Hat and CentOS repositories. Do not reboot your systems if the shim package versions are lower than this. If you have an unbootable system, you can boot the installation CD in rescue mode or use some other means of mounting the machine storage and manually replace the affected files.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.