[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

Dimitri John Ledkov 1865515 at bugs.launchpad.net
Thu Jan 7 12:33:08 UTC 2021


I can use grub from hirsute to boot into Ubuntu's grub, then execute
`exit 1` to fall back to the next BootOrder boot entry and boot into
CentOS 8 with Secure Boot on.

Meaning the chain of events is Ubuntu's shim => Ubuntu's grub => exit 1
=> CentOS shim => CentOS grub => complete boot, and bootctl still
reports that Secure Boot is on, as do dmesg and the kernel.

This will need the new grub and changes to how MAAS does the "boot
from local drive" menu entry.

See https://launchpad.net/ubuntu/+source/grub2/2.04-1ubuntu37

The file that MAAS streams use from
https://images.maas.io/ephemeral-v3/stable/bootloaders/uefi/amd64/20201123.0/grub2-signed.tar.xz
is this one:
http://archive.ubuntu.com/ubuntu/dists/hirsute/main/uefi/grub2-amd64/2.04-1ubuntu37/grubnetx64.efi.signed

This is what needs to be deployed on the Maas provisioning side.

Then in MAAS the "boot from local drive" menuentry should change, i.e.
https://github.com/maas/maas/blob/master/src/provisioningserver/templates/uefi/config.local.amd64.template

should be "just":

---8<---
set default="0"
set timeout=0

menuentry 'Local' {
    echo 'Booting local disk...'
    exit 1
}
---8<---

And then, assuming that provisioning / curtin sets up correct BootOrder
entries _or_ a removable media path is autodetected by the device
firmware, things should "just work".

I note that MAAS streams use grubnetx64.efi.signed from bionic-updates,
and this change is currently only in hirsute.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1865515
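As an added example (not from this thread, nor MAAS or grub code), here is a small POSIX shell check that reads the firmware's SecureBoot variable straight from efivarfs, which is the same signal bootctl and the kernel report in the comment above. It is the kind of check one would run on the deployed node after the shim => grub => `exit 1` => next-BootOrder-entry chain, to confirm that Secure Boot is still enforced rather than having been silently disabled along the way. The efivarfs path, the EFI_GLOBAL_VARIABLE GUID and the 4-byte attribute prefix are standard; the function name and the optional file-path argument are my own.

```shell
#!/bin/sh
# secureboot_state: report whether the firmware has Secure Boot enabled.
#
# efivarfs exposes each UEFI variable as a file whose first 4 bytes are the
# variable attributes, followed by the variable data. For SecureBoot the data
# is a single byte: 1 = enabled, 0 = disabled.
#
# An optional argument overrides the file path (useful for testing with a
# constructed file on a machine without EFI).
secureboot_state() {
    file="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"

    # No EFI, no efivarfs, or not a UEFI boot: we cannot claim anything.
    if [ ! -r "$file" ]; then
        echo "unknown"
        return 2
    fi

    # Skip the 4 attribute bytes and print the data byte as unsigned decimal.
    value=$(od -An -tu1 -j4 -N1 "$file" | tr -d ' ')

    case "$value" in
        1) echo "enabled";  return 0 ;;
        0) echo "disabled"; return 1 ;;
        *) echo "unknown";  return 2 ;;
    esac
}

# Usage: run without arguments on a live system, or pass an efivarfs file.
# The "|| true" keeps a non-zero state from aborting a caller that uses set -e.
state=$(secureboot_state "$@") || true
echo "Secure Boot: $state"
```

The exit code mirrors the printed state (0 enabled, 1 disabled, 2 unknown), so the function can gate a post-deployment step in a provisioning script. Treat "unknown" as a failure for that purpose: a node that booted in legacy/CSM mode, or a distribution where efivarfs is not mounted, should not be passed off as Secure Boot verified.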

Title:
  Chainbooting from grub over the network to local shim breaks chain of
  trust

Status in MAAS:
  Triaged
Status in OEM Priority Project:
  New
Status in shim:
  New
Status in grub2 package in Ubuntu:
  Fix Released
Status in shim-signed package in Ubuntu:
  Invalid
Status in grub2 source package in Focal:
  Triaged
Status in shim-signed source package in Focal:
  Invalid
Status in grub2 source package in Groovy:
  Triaged
Status in shim-signed source package in Groovy:
  Invalid

Bug description:
  MAAS (2.4.2 and 2.6.2) cannot deploy to a server with Secure Boot
  active. This appears to be a regression of bug #1711203; the symptoms
  are identical. Namely:

  1) The system can begin deployment fine.
  2) After deployment is complete except for the final reboot, the
     system will reboot.
  3) GRUB appears briefly on the screen.
  4) The system console briefly displays the message:
     Bootloader has not verified loaded image
     System is compromised.  halting.
  5) The node powers off.
  6) Eventually MAAS times out on the deployment and declares
     that it's failed.

  I've verified this on three MAAS servers and one node each (jehan, a
  Quanta QuantaGrid D52B-1U in 18T; capella, a Supermicro SYS-6028U-TR4+
  in 1SS, and brennan, an Intel NUC DC53427HYE on my home network).

  Two of the MAAS servers are running MAAS
  2.6.2-7841-ga10625be3-0ubuntu1~18.04.1; the third is on
  2.4.2-7034-g2f5deb8b8-0ubuntu1.

To manage notifications about this bug go to:
https://bugs.launchpad.net/maas/+bug/1865515/+subscriptions
