Chapter 1 Notices

A system in Secure Boot mode only loads boot loaders and kernels that have been signed by Oracle. When a signing key is due to expire, or when a security update requires it, Oracle updates the kernel and grub2 packages so that they are signed with a valid Extended Validation (EV) certificate. The EV certificate is compiled into the shim binary and is signed by Microsoft. This feature is fully supported from Oracle Linux 7 Update 3 onward.

All kernels and affected packages released previously should continue to work at their current version. However, if you intend to update the kernel or these packages, these notices apply and you should perform an atomic update in accordance with the instructions provided here.

The following sections describe events where the kernels and associated packages are updated with new keys. Each section describes the minimum kernel versions affected by the change and the package versions that are updated with the new keys.

1.1 [2020-07-29] Key update for CVE-2020-10713

Oracle has updated the key that it uses to sign UEK kernels and grub instances in response to CVE-2020-10713. This update affects users on Oracle Linux 7 and Oracle Linux 8.

Newer kernel versions are signed with the new key and require that other components are updated as an atomic operation if you upgrade the system.

Oracle Linux 7

On Oracle Linux 7 the following kernel package versions, or higher, are signed with the new key:

  • Red Hat Compatible Kernel (RHCK).  v3.10.0-1127.18.2

  • Unbreakable Enterprise Kernel Release 3 (UEK R3).  v3.8.13-118.47.2

  • Unbreakable Enterprise Kernel Release 4 (UEK R4).  v4.1.12-124.40.6.3

  • Unbreakable Enterprise Kernel Release 5 (UEK R5).  v4.14.35-1902.304.6.3

  • Unbreakable Enterprise Kernel Release 6 (UEK R6).  v5.4.17-2011.4.6

The following package versions are signed using the same EV certificate as the latest kernel releases:

  • grub2 v2.02-0.82.0.5 (required)

  • shim-x64 v15-2.0.5 (required)

  • fwupdate-efi v12-5.0.5 (optional)
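The following added example (not Oracle's code) checks the Oracle Linux 7 package list above for a partial update: a kernel at or above the new-key version installed alongside a required grub2 or shim-x64 that is still older. It assumes input lines of the form produced by `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`; the function names and the sample host are constructed for illustration, and `rpmvercmp` is a simplified reimplementation of rpm's ordering, not the rpm library itself.

```python
import re

# Oracle Linux 7 minimums from section 1.1, keyed by upstream kernel version.
NEW_KEY_KERNELS = {
    "3.10.0": "3.10.0-1127.18.2",       # RHCK
    "3.8.13": "3.8.13-118.47.2",        # UEK R3
    "4.1.12": "4.1.12-124.40.6.3",      # UEK R4
    "4.14.35": "4.14.35-1902.304.6.3",  # UEK R5
    "5.4.17": "5.4.17-2011.4.6",        # UEK R6
}
REQUIRED = {"grub2": "2.02-0.82.0.5", "shim-x64": "15-2.0.5"}

def rpmvercmp(a, b):
    """Order two version or release strings as rpm does (no epoch, '~' or '^')."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def at_least(installed, minimum):
    """True if installed VERSION-RELEASE is the same as or newer than minimum."""
    (iv, _, ir), (mv, _, mr) = installed.partition("-"), minimum.partition("-")
    c = rpmvercmp(iv, mv)
    return c > 0 or (c == 0 and rpmvercmp(ir, mr) >= 0)

def mixed_state(rpm_lines):
    """List required packages that lag behind an installed new-key kernel."""
    pkgs = {}
    for line in rpm_lines:
        name, vr = line.split()
        pkgs.setdefault(name, []).append(vr)
    kernels = pkgs.get("kernel", []) + pkgs.get("kernel-uek", [])
    new_key = [k for k in kernels
               if k.split("-")[0] in NEW_KEY_KERNELS
               and at_least(k, NEW_KEY_KERNELS[k.split("-")[0]])]
    if not new_key:
        return []
    return [f"{name} needs >= {minimum} for kernel(s) {', '.join(new_key)}"
            for name, minimum in REQUIRED.items()
            if not any(at_least(v, minimum) for v in pkgs.get(name, []))]

# Constructed sample host, not output captured from a real system.
SAMPLE = ["kernel 3.10.0-1062.el7", "kernel 3.10.0-1127.18.2.el7",
          "kernel-uek 4.14.35-1902.303.5.3.el7uek",
          "grub2 2.02-0.82.0.5.el7", "shim-x64 15-1.0.3.el7"]

if __name__ == "__main__":
    print("\n".join(mixed_state(SAMPLE)) or "consistent")
```

A plain string or `sort -V` comparison would rank `3.10.0-1127.el7` above `3.10.0-1127.18.2`; rpm ranks it below, which is why the comparison is done segment by segment.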

Oracle Linux 8

On Oracle Linux 8 the following kernel package versions, or higher, are signed with the new key:

  • Red Hat Compatible Kernel (RHCK).  v4.18.0-193.14.3

  • Unbreakable Enterprise Kernel Release 6 (UEK R6).  v5.4.17-2011.4.6

The following package versions are signed using the same EV certificate as the latest kernel releases:

  • grub2 v2.02-82.0.2 (required)

  • shim-x64 v15-11.0.5 (required)

  • fwupdate-efi v11-3.0.3.el8 (optional)

  • fwupd v1.1.4-6.0.2.el8 (optional)

1.2 [2018-11-15] Key expiry update

Oracle has updated the key that it uses to sign kernels and grub instances to avoid key expiry. This update affects users on Oracle Linux 7.

Newer kernel versions are signed with the new key and require that other components are updated as an atomic operation if you upgrade the system.

The update affects all UEK releases, as well as the RHCK. The following kernel package versions, or higher, are signed with the new key:

  • Red Hat Compatible Kernel (RHCK).  v3.10.0-957.0

  • Oracle Modified Red Hat Compatible Kernel (RHCK).  v3.10.0-957.0.0.0.2

  • Unbreakable Enterprise Kernel Release 3 (UEK R3).  v3.8.13-118.27.1

  • Unbreakable Enterprise Kernel Release 4 (UEK R4).  v4.1.12-124.22.1

  • Unbreakable Enterprise Kernel Release 5 (UEK R5).  v4.14.35-1818.4.6

The following package versions are signed using the same EV certificate as the latest kernel releases:

  • grub2 v2.02-0.76.0.3 (required)

  • shim-x64 v15-1.0.3 (required)

  • fwupdate-efi v12-5.0.3 (optional)