I am testing some versions to replace CentOS on my production server. I can’t choose a distribution with no UEFI or no SecureBoot. I hope this problem will be solved quickly, otherwise I would have to turn to AlmaLinux.
When shim 15.5 is released, it will be fixed. I don’t have an ETA on that though (that’s more of an upstream thing). According to Sherif though, there are some versions of ESXi that are working just fine with kdump. @Sherif are you able to give a bit more info here?
Secureboot is working fine on RockyLinux 8.5; you will be able to boot the machine in secureboot and verify that everything is signed with correct certs. We are using shim 15.4 + a few critical patches that didn’t make it yet to the upstream distro. More info about our review and the patches that we included based on the shim-review committee is here: Shim 15.4 for Rocky Linux 8 · Issue #194 · rhboot/shim-review · GitHub
However, there was a bug that seems to be solved with 15.5, which is still in RC and didn’t make it to the upstream as well. We did some tests as far as we can, since we can’t load certs into ESXi UEFI firmware, and we do have an internal ticket open with VMware and they recommend us to include the patch @nazunalika mentioned, which will be included with shim 15.5 once it is released by the upstream distro. The bug is only affecting kexec, which is needed to load kdump; it doesn’t affect the secureboot verify and booting process. We still have no ETA regarding when 15.5 will be released by the upstream vendor.
Some members managed to get Rocky with secureboot running without kdump on ESXi 7.0.3 and some other members managed to get secureboot running with kdump on ESXi 7.0.2.
I have to update every ESXi and vCenter, but I need time for this. If I have some news, I will answer in this topic. For the moment, with ESXi 7.0.2 build 17867351, shim 15.4-2.el8_5.2.rocky and kexec-tools 2.0.20.el8, this is not good.
I have the same problem with the latest version of Rocky (see the image). Any idea how to fix it? The machine is under VMware ESXi Version 6.7 P05… I have also changed the line in /etc/default/grub from auto to 256M, but that doesn’t solve it:
GRUB_CMDLINE_LINUX="crashkernel=256M resume=/dev/mapper/rl-swap rd.lvm.lv=rl/root rd.lvm.lv=rl/swap"
@Opa114 and @Badou_Dream, as I understand it, there’s a bug in the secure boot process that most vendors ignore, which means secure boot works for most people. VMware doesn’t ignore it, and so secure boot is broken.
shim 15.5 fixes this. It was released in the upstream 8.6 edition, but is not yet in the Rocky one. That’s because MS needs to sign the shim to help secure the entire secure boot chain. Rocky put in a request to sign that shim in March.
They responded to a few questions and up until yesterday, all of the recent posts have been Rocky asking if there are any updates or any more information needed.
That request was closed yesterday without signing the shim because of new CVEs, and Rocky needs to open a new request.
So, there is a fix for this. The ability to implement it is out of the Rocky Linux team’s hands. I wouldn’t expect any solution soon, because of both the time this request languished and the need to stay bug for bug compatible with upstream, which already has a signed 15.5 shim.