[Bug 1960564] [NEW] GCE shielded VM integrity monitoring reports errors
Ivan Kapelyukhin
1960564 at bugs.launchpad.net
Thu Feb 10 22:30:07 UTC 2022
Public bug reported:
[Impact]
* GCE shielded VM instances created from official Ubuntu images
starting with focal get integrity monitoring errors after the second
reboot, without any action or changes by the user.
* This is due to the `initrdless_boot_fallback_triggered` variable in
/boot/grub/grubenv being set to 0 after the first boot. /boot/grub/grubenv
is empty in the image prior to boot.
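A local check for the state described above, added here as an example and not part of the bug report or of livecd-rootfs: it parses a GRUB environment block and reports whether /boot/grub/grubenv has been written since the image was built. The sample file is constructed inline; the function names are this example's own.

```shell
#!/bin/sh
# Added example: inspect a GRUB environment block for the variable named in
# this bug. Function names are this example's own, not grub's or livecd-rootfs'.

# Build a constructed grubenv file in the layout grub writes: a header line,
# key=value lines, then '#' padding up to the fixed 1024-byte block size.
# On a real instance skip this and point the check at /boot/grub/grubenv.
make_sample_grubenv() {
    f=$1
    {
        printf '# GRUB Environment Block\n'
        printf 'initrdless_boot_fallback_triggered=0\n'
    } > "$f"
    pad=$((1024 - $(wc -c < "$f")))
    if [ "$pad" -gt 0 ]; then
        head -c "$pad" /dev/zero | tr '\0' '#' >> "$f"
    fi
}

# Print the key=value pairs in a grubenv file, dropping the header and the
# '#' padding (roughly what `grub-editenv list` shows).
grubenv_vars() {
    grep -v '^#' "$1" | grep '=' || true
}

# Decide whether grubenv has diverged from the empty file shipped in the image.
# Exit status 0 = diverged (the variable has been written), 1 = still pristine.
grubenv_diverged() {
    file=${1:-/boot/grub/grubenv}
    var=${2:-initrdless_boot_fallback_triggered}
    if [ ! -s "$file" ]; then
        echo "pristine: $file is empty, as shipped in the image"
        return 1
    fi
    setting=$(grubenv_vars "$file" | grep "^${var}=" || true)
    if [ -n "$setting" ]; then
        echo "diverged: $file now contains '$setting'"
        return 0
    fi
    echo "pristine: $var is not set in $file"
    return 1
}
```

Run `grubenv_diverged` with no arguments on the instance before and after the first reboot to see the file change that the integrity log then reports.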
[Test Plan]
* To reproduce the bug:
1. Create a GCE shielded VM instance with integrity monitoring enabled:
a) focal:
gcloud compute instances create \
integrity-test-focal \
--machine-type "n2d-standard-2" \
--zone "europe-west1-d" \
--maintenance-policy=TERMINATE \
--image-family=ubuntu-2004-lts \
--image-project=ubuntu-os-cloud \
--service-account YOUR_SERVICE_ACCOUNT_EMAIL \
--scopes https://www.googleapis.com/auth/logging.read \
--shielded-integrity-monitoring \
--shielded-secure-boot
b) impish:
gcloud compute instances create \
integrity-test-impish \
--machine-type "n2d-standard-2" \
--zone "europe-west1-d" \
--maintenance-policy=TERMINATE \
--image-family=ubuntu-2110 \
--image-project=ubuntu-os-cloud \
--service-account YOUR_SERVICE_ACCOUNT_EMAIL \
--scopes https://www.googleapis.com/auth/logging.read \
--shielded-integrity-monitoring \
--shielded-secure-boot
c) jammy:
gcloud compute instances create \
integrity-test-jammy \
--machine-type "n2d-standard-2" \
--zone "europe-west1-d" \
--maintenance-policy=TERMINATE \
--image-family=ubuntu-2204-lts \
--image-project=ubuntu-os-cloud-devel \
--service-account YOUR_SERVICE_ACCOUNT_EMAIL \
--scopes https://www.googleapis.com/auth/logging.read \
--shielded-integrity-monitoring \
--shielded-secure-boot
2. SSH into the instance and reboot it: `sudo reboot`
3. After the instance is rebooted, check integrity monitoring logs:
a) The easy way -- SSH into the instance and run:
curl -sSf https://raw.githubusercontent.com/ikapelyukhin/gce-integrity-tester/master/integrity.sh | bash
b) Alternatively, see the logs in the web console: https://console.cloud.google.com/logs/query
* To verify the fix:
1. Build a custom image with the fixed version of `livecd-rootfs`
2. Upload it to GCE
3. Register it in GCE with the same secureboot DBX as the official images
4. Create an instance
5. Reboot it
6. Check integrity logs
[Where problems could occur]
* Any code that expects `initrdless_boot_fallback_triggered` to be explicitly 0
would break.
[Other Info]
* I will build and register custom images the same way official images are built and registered by CPC.
* I can also spin up instances created from official/custom images and provide SSH access to them on request for bug reproduction/fix verification.
** Affects: livecd-rootfs (Ubuntu)
Importance: Undecided
Assignee: Ivan Kapelyukhin (ikapelyukhin)
Status: New
** Description changed:
[Impact]
- * GCE shielded VM instances created from official Ubuntu images starting with
- focal get integrity monitoring errors after second reboot without any actions
- or changes by the user.
+ * GCE shielded VM instances created from official Ubuntu images
+ starting with focal get integrity monitoring errors after second reboot
+ without any actions or changes by the user.
- * This is due to `initrdless_boot_fallback_triggered` variable in
- /boot/grub/grubenv being set to 0 after first boot. /boot/grub/grubenv is empty
- in the image prior to boot.
+ * This is due to `initrdless_boot_fallback_triggered` variable in
+ /boot/grub/grubenv being set to 0 after first boot. /boot/grub/grubenv
+ is empty in the image prior to boot.
[Test Plan]
- * To reproduce the bug:
- 1. Create a GCE shielded VM instance with integrity monitoring enabled:
- a) focal:
- gcloud compute instances create \
- integrity-test-focal \
- --machine-type "n2d-standard-2" \
- --zone "europe-west1-d" \
- --maintenance-policy=TERMINATE \
- --image-family=ubuntu-2004-lts \
- --image-project=ubuntu-os-cloud \
- --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
- --scopes https://www.googleapis.com/auth/logging.read \
- --shielded-integrity-monitoring \
- --shielded-secure-boot
- b) impish:
- gcloud compute instances create \
- integrity-test-impish \
- --machine-type "n2d-standard-2" \
- --zone "europe-west1-d" \
- --maintenance-policy=TERMINATE \
- --image-family=ubuntu-2110 \
- --image-project=ubuntu-os-cloud \
- --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
- --scopes https://www.googleapis.com/auth/logging.read \
- --shielded-integrity-monitoring \
- --shielded-secure-boot
- c) jammy:
- gcloud compute instances create \
- integrity-test-jammy \
- --machine-type "n2d-standard-2" \
- --zone "europe-west1-d" \
- --maintenance-policy=TERMINATE \
- --image-family=ubuntu-2204-lts \
- --image-project=ubuntu-os-cloud-devel \
- --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
- --scopes https://www.googleapis.com/auth/logging.read \
- --shielded-integrity-monitoring \
- --shielded-secure-boot
- 2. SSH into the instance and reboot it: `sudo reboot`
- 3. After the instance is rebooted, check integrity monitoring logs:
- a) The easy way -- SSH into the instance and run:
- curl -sSf https://raw.githubusercontent.com/ikapelyukhin/gce-integrity-tester/master/integrity.sh | bash
- b) Alternatively, see the logs in the web console: https://console.cloud.google.com/logs/query
+ * To reproduce the bug:
+ 1. Create a GCE shielded VM instance with integrity monitoring enabled:
+ a) focal:
+ gcloud compute instances create \
+ integrity-test-focal \
+ --machine-type "n2d-standard-2" \
+ --zone "europe-west1-d" \
+ --maintenance-policy=TERMINATE \
+ --image-family=ubuntu-2004-lts \
+ --image-project=ubuntu-os-cloud \
+ --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
+ --scopes https://www.googleapis.com/auth/logging.read \
+ --shielded-integrity-monitoring \
+ --shielded-secure-boot
+ b) impish:
+ gcloud compute instances create \
+ integrity-test-impish \
+ --machine-type "n2d-standard-2" \
+ --zone "europe-west1-d" \
+ --maintenance-policy=TERMINATE \
+ --image-family=ubuntu-2110 \
+ --image-project=ubuntu-os-cloud \
+ --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
+ --scopes https://www.googleapis.com/auth/logging.read \
+ --shielded-integrity-monitoring \
+ --shielded-secure-boot
+ c) jammy:
+ gcloud compute instances create \
+ integrity-test-jammy \
+ --machine-type "n2d-standard-2" \
+ --zone "europe-west1-d" \
+ --maintenance-policy=TERMINATE \
+ --image-family=ubuntu-2204-lts \
+ --image-project=ubuntu-os-cloud-devel \
+ --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
+ --scopes https://www.googleapis.com/auth/logging.read \
+ --shielded-integrity-monitoring \
+ --shielded-secure-boot
+ 2. SSH into the instance and reboot it: `sudo reboot`
+ 3. After the instance is rebooted, check integrity monitoring logs:
+ a) The easy way -- SSH into the instance and run:
+ curl -sSf https://raw.githubusercontent.com/ikapelyukhin/gce-integrity-tester/master/integrity.sh | bash
+ b) Alternatively, see the logs in the web console: https://console.cloud.google.com/logs/query
- * To verify the fix:
- 1. Build a custom image with the fixed version of `livecd-rootfs`
- 2. Upload it to GCE
- 3. Register it in GCE with the same secureboot DBX as the official images
- 4. Create an instance
- 5. Reboot it
- 6. Check integrity logs
+ * To verify the fix:
+ 1. Build a custom image with the fixed version of `livecd-rootfs`
+ 2. Upload it to GCE
+ 3. Register it in GCE with the same secureboot DBX as the official images
+ 4. Create an instance
+ 5. Reboot it
+ 6. Check integrity logs
[Where problems could occur]
- * Any code that expects `initrdless_boot_fallback_triggered` to be explicitly 0
- would break.
+ * Any code that expects `initrdless_boot_fallback_triggered` to be explicitly 0
+ would break.
[Other Info]
- * I will build and register custom images the same way official images are
- built and registered by CPC.
- * I can also spin up instances created from official/custom images and provide
- SSH access to them on request for bug reproduction/fix verification.
+ * I will build and register custom images the same way official images are built and registered by CPC.
+ * I can also spin up instances created from official/custom images and provide SSH access to them on request for bug reproduction/fix verification.
** Changed in: livecd-rootfs (Ubuntu)
Assignee: (unassigned) => Ivan Kapelyukhin (ikapelyukhin)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/1960564
Title:
GCE shielded VM integrity monitoring reports errors
Status in livecd-rootfs package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/1960564/+subscriptions