Disabling tboot in RHEL6.4+

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 6.4 and later
    • tboot

Issue

  • How can one disable/completely remove tboot safely from Red Hat Enterprise Linux 6?
  • How to make sure that it should not get installed by default in Installation using Kickstart file?

Resolution

  • To avoid installation and configuration of tboot in the Red Hat Enterprise Linux 6 machine directly, one can use the following %packages section.

    %packages
@Base --optional
-tboot
<extra packages as administrator wants to install>

Safely removing tboot after installation

  1. Using grubby, add the existing kernel

    # ARGS=$(grep "^[[:space:]]*module /vmlinuz-$(uname -r)" /boot/grub/grub.conf | sed -e 's/^.*x86_64 //' | head -n 1)

# grubby --add-kernel=/boot/vmlinuz-$(uname -r) --args="${ARGS}" --initrd=/boot/initramfs-$(uname -r).img --make-default --title "Red Hat Enterprise Linux without tboot ($(uname -r))"

  2. Edit /boot/grub/grub.conf to add the corresponding root directive to the new menu entry created previously

    # grep -v ^# /boot/grub/grub.conf 
default=0
timeout=5
serial --unit=0 --speed=115200
terminal --timeout=5 serial console
title Red Hat Enterprise Linux without tboot (2.6.32-358.el6.x86_64)
    kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg00-root intel_iommu=on rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=us rd_LVM_LV=vg00/swap LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 rd_LVM_LV=vg00/root crashkernel=auto crashkernel=auto console=ttyS0,115200 rd_NO_DM
    initrd /initramfs-2.6.32-358.el6.x86_64.img
title Red Hat Enterprise Linux (2.6.32-358.el6.x86_64)
    root (hd0,0)
    kernel /tboot.gz logging=vga,serial,memory
    module /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg00-root intel_iommu=on rd_NO_LUKS  KEYBOARDTYPE=pc KEYTABLE=us rd_LVM_LV=vg00/swap LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 rd_LVM_LV=vg00/root crashkernel=auto crashkernel=auto console=ttyS0,115200 rd_NO_DM
    module /initramfs-2.6.32-358.el6.x86_64.img

    Here above, the Red Hat Enterprise Linux without tboot entry is missing root (hd0,0), this needs to be added to the entry.

  3. Remove the tboot kernel

    # grubby --remove-kernel=/boot/tboot.gz

# grep -v ^# /boot/grub/grub.conf 
default=0
timeout=5
serial --unit=0 --speed=115200
terminal --timeout=5 serial console
title Red Hat Enterprise Linux without tboot (2.6.32-358.el6.x86_64)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg00-root intel_iommu=on rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=us rd_LVM_LV=vg00/swap LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 rd_LVM_LV=vg00/root crashkernel=auto crashkernel=auto console=ttyS0,115200 rd_NO_DM
    initrd /initramfs-2.6.32-358.el6.x86_64.img

  4. Now one can remove tboot , as it's not in use by grub.

    # yum -y erase tboot

  5. Also make sure to have the contents of the file /etc/sysconfig/kernel are as follows. If not, simply overwrite it with the following contents

    # UPDATEDEFAULT specifies if new-kernel-pkg should make
# new kernels the default
UPDATEDEFAULT=yes

# DEFAULTKERNEL specifies the default kernel package type
DEFAULTKERNEL=kernel

Root Cause

  • Using --optional with a @Base instruct anaconda to install all Optional packages within that group, which includes tboot.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments