[Bug 1862279] Re: arm64 Secure Boot fails w/ "error: cannot load image."

Steve Langasek steve.langasek at canonical.com
Wed Feb 26 20:15:26 UTC 2020 

also note that the previous version of shim did not work on arm64 AT
ALL.  This version of shim we just got signed is the first one with
arm64 support.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1862279

Title:
  arm64 Secure Boot fails w/ "error: cannot load image."

Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in shim package in Ubuntu:
  New

Bug description:
  I tested out the new shim-signed (1.41+15+1552672080.a4a1fbe-0ubuntu1)
  on arm64 today. Unfortunately, I was unable to boot a kernel. I tried
  manually running commands in the GRUB shell to try and get more info,
  and here's the error I get:

  grub> insmod gzio
  grub> linux (hd0,gpt1)/boot/vmlinuz-5.4.0-13-generic
  grub> boot
  error: cannot load image.

  This is better then it was previously - shim used to crash before
  starting GRUB (bug 1811901 and bug 1811722). But obviously there are
  still issues somewhere. Prior to this shim binary being signed, I
  believe I had tested the unsigned binary in a VM using a custom
  signing certificate. I think I still have that VM around, so I maybe
  able to use it for comparison.

  = My setup =
  I tried to make this test simulate a real setup as much as possible. Here's roughly what I did:

  Installed an arm64 server w/ bionic
  # need a new QEMU for EnrollDefaultKeys.efi
  sudo apt-add-repository cloud-archive:train
  sudo apt update
  sudo apt install uvtool
  sudo gpasswd -a ubuntu libvirt
  # log out/back in
  # no focal images yet
  uvt-simplestreams-libvirt -v sync release=eoan
  uvt-kvm create focal arch=arm64 release=eoan
  uvt-kvm wait focal
  uvt-kvm ssh focal
  guest> sudo sed -i 's/eoan/focal/' /etc/apt/sources.list
  guest> # Also enabled focal-proposed to get latest shim-signed
  guest> sudo apt update
  guest> sudo apt dist-upgrade
  guest> sudo apt install shim-signed
  guest> sudo grub-install
  # On an x86 host, I built the latest edk2 package and copied out the AARCH64 build of
  # EnrollDefaultKeys.efi. I scp'd this over to the focal guest, and put it in the EFI
  # system partition
  guest> sudo poweroff
  virsh edit focal
  # Add the following to inject the Pk/KEK keys:
  #  <qemu:commandline>
  #    <qemu:arg value='-smbios'/>
  #    <qemu:arg value='type=11,value=4e32566d-8e9e-4f52-81d3-5bb9715f9727:MIIDNjCCAh4CCQCUy69JzVan2DANBgkqhkiG9w0BAQsFADBdMS0wKwYDVQQDDCRVYnVudHUgT1ZNRiBTZWN1cmUgQm9vdCAoUEsvS0VLIGtleSkxLDAqBgkqhkiG9w0BCQEWHXVidW50dS1kZXZlbEBsaXN0cy51YnVudHUuY29tMB4XDTE4MDYyMDIxNDg0NloXDTI4MDYxNzIxNDg0NlowXTEtMCsGA1UEAwwkVWJ1bnR1IE9WTUYgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkpMSwwKgYJKoZIhvcNAQkBFh11YnVudHUtZGV2ZWxAbGlzdHMudWJ1bnR1LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuwK+l3nl5x6ebrHYVShs/7jPAKeTTMu4MQlTbNoOZvVQhOcedjkBNaPPdd63TBxYFAnJhUBLl9hW/GB5Fn9itT0yh5G64XCBafy3rJLF8L99VDUYEuvB+a3boYATCToVnODb8h0ImORBF8sgKZm65CJlgQ93YGZbjLePnuawhU2EVH2HFyLZEWjd3JPxstlzGj+JiwvETdFX/fHbnrW+fLCLEnLLZ/YPo6We0mtVTEqHWm6G5WUIbpzPzOOGpiCKHdI+VFsX7w1TBdMhCqnxcpLn7NRXEEgw+OQ5gnOLR9kTKI+MRkux9pDGZ5v9VMcPZi2iZTHRd9briIGOL/fo0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGLAtUs7fnf5oKU7E7+woUrHP03WXAwhTNI9eTs7YLPgwC2qGAGkzdUZUbzc4zS4SaItITlYYeWfZ9PvPhPGyIZOeuBMoUeBknsC2daRVX11aAcgOnQhxMD0WjSRG5nQ5rXRZ/NwYvctJR81l41kDToNqjBIjJ3FThzz8hHyMv/DCh3ch/X2Hj7ib+1IPfoHFk+mD/6e+y46wHWS5u0Bol9w4VBMwa3FYniFgKrAmnoiuo2br5fBbgH/7326lJ7Qb/H4mBLKz/c3iw4PF+KQxspc04tJdvQ+pDEtTUiXVE0zcBip2EJgPVK0szO5H6gtXbfyoTqDr1DKaD4x9JD3yKQ=='/>
  #  </qemu:commandline>
  #
  virsh start focal; virsh console focal
  # Interrupt focal boot, drop to an EFI shell, then ran the following
  # which will load the PK/Kek1 and Microsoft keys and enable SecureBoot
  Shell> fs0:
  FS0:\> EnrollDefaultKeys.efi
  info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
  info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
  info: success
  FS0:\> reset -s
  # Then, finally, try and boot in SB mode:
  virsh start focal; virsh console focal

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1862279/+subscriptions

More information about the foundations-bugs mailing list