[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust
Lee Trager
1865515 at bugs.launchpad.net
Thu Jan 7 22:21:25 UTC 2021
Using "exit 1" to chainboot breaks if there is no UEFI boot entry.
MAAS currently has two known bugs where this is the case. There may be
more; we need to test all operating systems MAAS supports.
LP:1906379 - Ubuntu is removing the UEFI boot entry during shutdown for CentOS.
LP:1910600 - MAAS does not create a UEFI boot entry for VMware ESXi 6.7
If we apply the patch in #41 we will be breaking existing deployments.
There is no way for MAAS to fix this; the user will have to manually
log in and configure the system.
config.local.amd64.template originally chainbooted to the operating
system based on the operating system name. We had to change this because
MAAS has no way to know what operating system a custom image is or how
to handle when RHEL changed its UEFI path. For example, is custom/myimage
Ubuntu, CentOS, Windows or VMware?
I'm hesitant to use this fix as we will likely be breaking existing
deployments.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1865515
Title:
  Chainbooting from grub over the network to local shim breaks chain of
  trust

Status in MAAS:
  Triaged
Status in OEM Priority Project:
  Confirmed
Status in shim:
  New
Status in grub2 package in Ubuntu:
  Fix Released
Status in shim-signed package in Ubuntu:
  Invalid
Status in grub2 source package in Focal:
  Triaged
Status in shim-signed source package in Focal:
  Invalid
Status in grub2 source package in Groovy:
  Triaged
Status in shim-signed source package in Groovy:
  Invalid

Bug description:
MAAS (2.4.2 and 2.6.2) cannot deploy to a server with Secure Boot
active. This appears to be a regression of bug #1711203; the symptoms
are identical. Namely:

1) The system can begin deployment fine.
2) After deployment is complete except for the final reboot, the
   system will reboot.
3) GRUB appears briefly on the screen.
4) The system console briefly displays the message:
     Bootloader has not verified loaded image
     System is compromised. halting.
5) The node powers off.
6) Eventually MAAS times out on the deployment and declares
   that it's failed.

I've verified this on three MAAS servers and one node each (jehan, a
Quanta QuantaGrid D52B-1U in 18T; capella, a Supermicro SYS-6028U-TR4+
in 1SS, and brennan, an Intel NUC DC53427HYE on my home network).
Two of the MAAS servers are running MAAS
2.6.2-7841-ga10625be3-0ubuntu1~18.04.1; the third is on
2.4.2-7034-g2f5deb8b8-0ubuntu1.
To manage notifications about this bug go to:
https://bugs.launchpad.net/maas/+bug/1865515/+subscriptions
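
An added example, not part of the original message and not MAAS or GRUB code: one way to check the precondition raised in the comment above, namely that a local UEFI boot entry exists for "exit 1" to fall through to. It parses `efibootmgr -v` output; the sample output, the function names and the local-disk heuristic (`HD(` plus `File(` in the device path) are assumptions.

```python
import re

# Constructed `efibootmgr -v` output for two machines (not from the bug report).
PXE = "Boot0003* UEFI: PXE IPv4\tPciRoot(0x0)/Pci(0x1c,0x0)/Pci(0x0,0x0)/MAC(001122334455,0)/IPv4(0.0.0.0,0,0)"
DISK = "Boot0000* ubuntu\tHD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\\EFI\\ubuntu\\shimx64.efi)"
WITH_ENTRY = "\n".join(["BootCurrent: 0003", "Timeout: 1 seconds", "BootOrder: 0003,0000", DISK, PXE])
WITHOUT_ENTRY = "\n".join(["BootCurrent: 0003", "Timeout: 1 seconds", "BootOrder: 0003", PXE])

ENTRY = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*)$")


def parse_efibootmgr(text):
    """Return (current, order, entries); entries maps number -> (active, description)."""
    current, order, entries = None, [], {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "BootCurrent":
            current = value.strip().upper()
        elif key == "BootOrder":
            order = [n.strip().upper() for n in value.split(",") if n.strip()]
        else:
            m = ENTRY.match(line)
            if m:
                entries[m.group(1).upper()] = (m.group(2) == "*", m.group(3))
    return current, order, entries


def local_fallthrough(text):
    """Boot number of the first active local-disk entry the firmware would try
    after the current (network) boot option returns, or None if there is none."""
    current, order, entries = parse_efibootmgr(text)
    # Assumption: firmware walks the rest of BootOrder once the current option exits.
    rest = order[order.index(current) + 1:] if current in order else order
    for num in rest:
        active, desc = entries.get(num, (False, ""))
        if active and "HD(" in desc and "File(" in desc:
            return num
    return None


if __name__ == "__main__":
    for name, sample in (("with entry", WITH_ENTRY), ("without entry", WITHOUT_ENTRY)):
        target = local_fallthrough(sample)
        print(name, "->", f"Boot{target}" if target else "no local entry: exit 1 has nothing to fall through to")
```
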