[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust
Julian Andres Klode
1865515 at bugs.launchpad.net
Thu Sep 17 15:31:53 UTC 2020
Further analysis today suggests the issue is that shim never uninstalls the old shim protocols, and then things get weird. Patching shim to call to the parent shim to uninstall itself, rather than falsely attempting to uninstall it ourselves, makes it work, but it's just a hack so far.

We can patch this properly I suppose by introducing a new shim protocol that can be used to uninstall shims, but this is obviously a problem, as you'll need updated shims on both the MAAS server and the client.

So, while I think we understand the issue better, I'm afraid this looks to be a long-term issue that needs fixes in all other distros you want to load as well, and agreement with upstream on how to solve it.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1865515
Title:
Chainbooting from grub over the network to local shim breaks chain of trust
Status in MAAS:
Confirmed
Status in grub2 package in Ubuntu:
Triaged
Status in shim-signed package in Ubuntu:
Triaged
Status in grub2 source package in Focal:
New
Status in shim-signed source package in Focal:
New
Status in grub2 source package in Groovy:
Triaged
Status in shim-signed source package in Groovy:
Triaged
Bug description:
MAAS (2.4.2 and 2.6.2) cannot deploy to a server with Secure Boot active. This appears to be a regression of bug #1711203; the symptoms are identical. Namely:
1) The system can begin deployment fine.
2) After deployment is complete except for the final reboot, the system will reboot.
3) GRUB appears briefly on the screen.
4) The system console briefly displays the message:
     Bootloader has not verified loaded image
     System is compromised. halting.
5) The node powers off.
6) Eventually MAAS times out on the deployment and declares that it's failed.
I've verified this on three MAAS servers and one node each (jehan, a Quanta QuantaGrid D52B-1U in 18T; capella, a Supermicro SYS-6028U-TR4+ in 1SS; and brennan, an Intel NUC DC53427HYE on my home network).

Two of the MAAS servers are running MAAS 2.6.2-7841-ga10625be3-0ubuntu1~18.04.1; the third is on 2.4.2-7034-g2f5deb8b8-0ubuntu1.
To manage notifications about this bug go to:
https://bugs.launchpad.net/maas/+bug/1865515/+subscriptions