[Bug 1711203] Re: Deployments fail when Secure Boot enabled
Mathieu Trudel-Lapierre
mathieu.tl at gmail.com
Thu Dec 7 22:39:42 UTC 2017
That's not going to change anything -- grub is doing exactly what it
should: ask shim to validate the image it tries to chainload; and the
image *does* validate successfully. The chain of trust is technically
preserved, but shim doesn't manage to make sense of things, and refuses
to continue loading.
This is a "bug" in shim, in that it's not a use case that was
anticipated. Shim makes sense of the shim->fallback->shim->grub case
because in that case things do go through the steps of calling
load_image() and start_image() in firmware.
It also seems to me like a bug in grub because we ought to be loading
things in such a way that shim would be able to make sense of it --
currently, that's not quite the case because some relocations and other
image mangling needs to happen. I have an idea of a hack to fix this,
but I think the "right" fix would be in shim.
What happens is that given that load_image() isn't called directly, when
the second shim runs it doesn't uninstall the protocols and we end up
validating against the first loaded shim when we try to verify the
kernel's signature. This is effectively a variation on an issue that was
fixed in shim for the fallback EFI binary.
In the meantime, there's also a valid workaround: you should be able to
chainload *grub* rather than shim from the disk, and thus maintain the
chain of trust for Secure Boot:
menuentry 'Local' {
    echo 'Booting local disk...'
    search --set=root --file /efi/ubuntu/grubx64.efi
    chainloader /efi/ubuntu/grubx64.efi
}
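As an added example that is not part of the mailing list post above, the following POSIX shell functions implement three checks a deployer could run against a node before relying on the workaround: whether a grub menuentry chainloads grubx64.efi (the workaround) or a second shimx64.efi (the shim->grub->shim->grub case the message describes), whether Secure Boot is actually enabled according to the firmware's SecureBoot variable, and whether a kernel with the .efi.signed suffix is present in the boot directory. The efivarfs layout (4 bytes of attributes followed by the variable data, under /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c) is a documented kernel interface; the config text, variable file and boot directory used in the usage section are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug thread): pre-flight checks for a
# Secure Boot node. All inputs are passed in so the checks can be run
# against a constructed config, file or directory as well as a real node.

# chainload_target: read a grub config on stdin and report what the
# first "chainloader" line points at. Prints "grub" (the workaround from
# the message), "shim" (the failing double-shim case), "none" or "other".
chainload_target() {
    target=$(sed -n 's/^[[:space:]]*chainloader[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n1)
    case "$target" in
        *grubx64.efi) echo grub ;;
        *shimx64.efi) echo shim ;;
        "")           echo none ;;
        *)            echo other ;;
    esac
}

# secureboot_state: $1 is the path to the SecureBoot-<guid> efivars file.
# efivarfs prepends 4 attribute bytes to the data, so the fifth byte is
# the 1-byte UEFI SecureBoot value (1 = enabled, 0 = disabled).
secureboot_state() {
    [ -r "$1" ] || { echo unknown; return 1; }
    byte=$(od -An -t u1 -j 4 -N 1 "$1" | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# signed_kernel_present: $1 is the boot directory (/boot on a real node).
# Ubuntu's signed kernels carry a .efi.signed suffix, which the reporter
# found missing on the deployed disk. Returns 0 if at least one exists.
signed_kernel_present() {
    for k in "$1"/vmlinuz-*.efi.signed; do
        [ -e "$k" ] && return 0
    done
    return 1
}

# Usage on a real node (paths are the standard ones, not constructed):
#   chainload_target < /boot/grub/grub.cfg
#   secureboot_state /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
#   signed_kernel_present /boot && echo "signed kernel found"
```

The config check deliberately looks only at the chainloader target, not at the `search` line: grub will happily chainload a shim that then fails verification later, so the thing to confirm is the binary being handed off to.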
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1711203
Title:
Deployments fail when Secure Boot enabled
Status in curtin:
Invalid
Status in dellserver:
New
Status in MAAS:
Invalid
Status in maas-images:
Fix Released
Status in grub2 package in Ubuntu:
In Progress
Bug description:
I've recently encountered a problem with deploying nodes on which
Secure Boot is enabled. The symptoms are:
1. The node enlists and commissions fine
2. The node boots and begins deploying fine
3. After deployment completes, the node reboots
4. When booting at this point, after showing a few routine messages,
including a GRUB menu, the node displays the following text on its
screen:
error: invalid video mode specification `text'.
Booting in blind mode
Bootloader has not verified loaded image
System is compromised. halting
Disabling Secure Boot on the node enables it to boot. If this is done
quickly enough, deployment will succeed.
I've encountered this problem on two systems managed by two MAAS
servers: An Intel NUC DC53247HYE and a Cisco UCS C-240 M4 (VIC). One
MAAS server is running 2.2.2 (6099-g8751f91-0ubuntu1~16.04.1) and the
other is running 2.2.1 (6078-g2a6d96e-0ubuntu1~16.04.1). I'm attaching
log files from the first server to this bug report. The affected node
is brennan on that server.
Further observations:
* Once booted, I see that there's no kernel with a .efi.signed extension on
the hard disk. Installing such a kernel does NOT fix the problem;
however, it may be necessary to install such a kernel for a proper fix.
* If I force a boot directly through the Shim and GRUB installed on the
hard disk, the system boots correctly, even with Secure Boot enabled.
I found a copy of the error message in Shim source code, and reports
of this message on Fedora as early as 2014:
* https://github.com/rhboot/shim/blob/master/replacements.c
* https://ask.fedoraproject.org/en/question/39126/bootloader-has-not-verified-loaded-image/
It looks to me as if the Shim that MAAS uses for the post-deployment
boot has been updated/changed to include this strict verification that
the kernel is honoring Secure Boot rules; but the Shim installed to
the hard disk, and used during enlistment and commissioning, does not
perform this check. OTOH, I can't find any evidence of separate Shim
binaries on the MAAS server.
MAAS version information from one server:
$ dpkg -l '*maas*'|cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===============================-====================================-============-==================================================
ii maas 2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all "Metal as a Service" is a physical cloud and IPAM
ii maas-cert-server 0.2.30-0~76~ubuntu16.04.1 all Ubuntu certification support files for MAAS server
ii maas-cli 2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all MAAS client and command-line interface
un maas-cluster-controller <none> <none> (no description available)
ii maas-common 2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all MAAS server common files
ii maas-dhcp 2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all MAAS DHCP server
ii maas-dns 2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all MAAS DNS server
ii maas-proxy 2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all MAAS Caching Proxy
ii maas-rack-controller 2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all Rack Controller for MAAS
ii maas-region-api 2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all Region controller API service for MAAS
ii maas-region-controller 2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all Region Controller for MAAS
un maas-region-controller-min <none> <none> (no description available)
un python-django-maas <none> <none> (no description available)
un python-maas-client <none> <none> (no description available)
un python-maas-provisioningserver <none> <none> (no description available)
ii python3-django-maas 2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all MAAS server Django web framework (Python 3)
ii python3-maas-client 2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all MAAS python API client (Python 3)
ii python3-maas-provisioningserver 2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all MAAS server provisioning libraries (Python 3)
To manage notifications about this bug go to:
https://bugs.launchpad.net/curtin/+bug/1711203/+subscriptions