[Bug 1865515] Re: MAAS can't deploy to a server with Secure Boot active

Lee Trager lee.trager at canonical.com
Sat May 16 00:14:12 UTC 2020


This isn't a bug with MAAS, it's a bug with shim/grub. MAAS gets its
bootloaders from the public stream at images.maas.io which is generated
by lp:maas-images. lp:maas-images pulls the bootloaders out of the
archive; it's currently set to pull them from bionic.

Secure boot is working in the ephemeral environment; it's failing when
trying to local boot into the deployed environment. When an x86_64 UEFI
machine local boots with MAAS it boots over the network, downloads
bootx64.efi (shim) which downloads grubx64.efi and this grub.cfg[1]. The
grub from over the network finds /boot/efi/ubuntu/shimx64.efi on the
local filesystem and chainboots to it. Somehow the chain of trust breaks
here, causing the system to halt.

Booting local disk...
Failed to open \efi\boot\grubx64.efi - Not Found
Failed to load image \efi\boot\grubx64.efi: Not Found
start_image() returned Not Found
EFI stub: UEFI Secure Boot is enabled.
Bootloader has not verified loaded image.
System is compromised.  halting.

I tried using the shim and grub from Focal but I still get the same
problem.

[1]
https://git.launchpad.net/maas/tree/src/provisioningserver/templates/uefi/config.local.amd64.template

** Also affects: shim-signed (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: grub (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: grub (Ubuntu)
       Status: New => Confirmed

** Changed in: shim-signed (Ubuntu)
       Status: New => Confirmed

** Summary changed:

- MAAS can't deploy to a server with Secure Boot active
+ Chainbooting from grub over the network to local shim breaks chain of trust

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1865515

Title:
  Chainbooting from grub over the network to local shim breaks chain of
  trust

Status in MAAS:
  Confirmed
Status in grub package in Ubuntu:
  Confirmed
Status in shim-signed package in Ubuntu:
  Confirmed

Bug description:
  MAAS (2.4.2 and 2.6.2) cannot deploy to a server with Secure Boot
  active. This appears to be a regression of bug #1711203; the symptoms
  are identical. Namely:

  1) The system can begin deployment fine.
  2) After deployment is complete except for the final reboot, the
     system will reboot.
  3) GRUB appears briefly on the screen.
  4) The system console briefly displays the message:
     Bootloader has not verified loaded image
     System is compromised.  halting.
  5) The node powers off.
  6) Eventually MAAS times out on the deployment and declares
     that it's failed.

  I've verified this on three MAAS servers and one node each (jehan, a
  Quanta QuantaGrid D52B-1U in 18T; capella, a Supermicro SYS-6028U-TR4+
  in 1SS, and brennan, an Intel NUC DC53427HYE on my home network).

  Two of the MAAS servers are running MAAS
  2.6.2-7841-ga10625be3-0ubuntu1~18.04.1; the third is on
  2.4.2-7034-g2f5deb8b8-0ubuntu1.

To manage notifications about this bug go to:
https://bugs.launchpad.net/maas/+bug/1865515/+subscriptions


