On two UEFI systems, one with F23 Workstation, the other with F23
Cloud Atomic, I'm finding the grubx64.efi files do not have the same hash,
even though rpm -q reports the same rpm installed on both. This is
unexpected.
Does the atomic tree include /boot/efi/EFI/fedora? And if not, is that
on the future feature list?
CVE-2015-8370 is what made me look at this. On BIOS computers, whether
conventional or atomic, GRUB2 user space tools are updated with
grub2-2.02-0.25.fc23, but that only updates user space tools. The user
has to manually run grub2-install to actually fix the problem. On UEFI
conventional installations, grubx64.efi is replaced automatically when
the RPM is updated; but apparently not on UEFI atomic installations.
Using grub2-install fails because grub2-efi-modules isn't installed by
default, and even if it were, the resulting grubx64.efi is now no
longer signed by Fedora, so it'll fail UEFI Secure Boot code signing
checks.
--
Chris Murphy
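
One way to run the comparison the message above describes on a single machine, as an added example that is not part of the original post: hash the grubx64.efi on the ESP and compare it with the digest the RPM database records for that path. The function names `verify_recorded_digest` and `demo` are hypothetical, the manifest format is assumed to come from the `rpm` query shown in the comment, and the demo data is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Manifest lines are "<hexdigest> <path>",
# as printed on an RPM-based system by:
#   rpm -qf --qf '[%{FILEDIGESTS} %{FILENAMES}\n]' /boot/efi/EFI/fedora/grubx64.efi

# verify_recorded_digest MANIFEST RECORDED_PATH [ON_DISK_FILE]  (hypothetical helper)
# returns 0 = match, 1 = mismatch, 2 = cannot decide
verify_recorded_digest() {
    manifest=$1 recorded=$2 on_disk=${3:-$2}
    # Exact match on the path column; entries with no digest (directories,
    # %ghost files) have a single field and are skipped.
    expected=$(awk -v p="$recorded" 'NF == 2 && $2 == p { print $1; exit }' "$manifest")
    [ -n "$expected" ] || { echo "no digest recorded for $recorded" >&2; return 2; }
    [ -r "$on_disk" ] || { echo "cannot read $on_disk" >&2; return 2; }
    # Choose the hash tool from the digest length instead of assuming one.
    case ${#expected} in
        64) tool=sha256sum ;;
        32) tool=md5sum ;;
        *)  echo "unrecognised digest length ${#expected}" >&2; return 2 ;;
    esac
    actual=$("$tool" "$on_disk" | awk '{ print $1 }')
    if [ "$expected" = "$actual" ]; then
        echo "OK       $recorded"
        return 0
    fi
    echo "MISMATCH $recorded: rpmdb=$expected disk=$actual"
    return 1
}

# Constructed demo: a stand-in file whose digest is recorded in a manifest,
# then changed without the manifest (the "package database") being updated.
demo() {
    d=$(mktemp -d) || return 2
    p=/boot/efi/EFI/fedora/grubx64.efi
    printf 'constructed stand-in for grubx64.efi\n' > "$d/grubx64.efi"
    printf '%s %s\n' "$(sha256sum "$d/grubx64.efi" | awk '{ print $1 }')" "$p" > "$d/manifest"
    first=0; second=0
    verify_recorded_digest "$d/manifest" "$p" "$d/grubx64.efi" || first=$?
    printf 'changed outside rpm\n' >> "$d/grubx64.efi"
    verify_recorded_digest "$d/manifest" "$p" "$d/grubx64.efi" || second=$?
    rm -rf "$d"
    [ "$first" -eq 0 ] && [ "$second" -eq 1 ]
}

# With arguments, check a real file; without, run the constructed demo.
if [ "$#" -ge 2 ]; then verify_recorded_digest "$@"; else demo; fi
```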