[Bug 1960564] Update Released

Łukasz Zemczak 1960564 at bugs.launchpad.net
Thu Mar 10 17:10:27 UTC 2022


The verification of the Stable Release Update for livecd-rootfs has
completed successfully and the package is now being released to
-updates.  Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report.  In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/1960564

Title:
  GCE shielded VM integrity monitoring reports errors

Status in livecd-rootfs package in Ubuntu:
  Fix Released
Status in livecd-rootfs source package in Focal:
  Fix Released
Status in livecd-rootfs source package in Impish:
  Fix Released
Status in livecd-rootfs source package in Jammy:
  Fix Released

Bug description:
  [Impact]

   * GCE shielded VM instances created from official Ubuntu images
  starting with focal get integrity monitoring errors after second
  reboot without any actions or changes by the user.

   * This is due to `initrdless_boot_fallback_triggered` variable in
  /boot/grub/grubenv being set to 0 after first boot. /boot/grub/grubenv
  is empty in the image prior to boot.

  [Test Plan]

   * To reproduce the bug:
     1. Create a GCE shielded VM instance with integrity monitoring enabled:
       a) focal:
          gcloud compute instances create \
            integrity-test-focal \
            --machine-type "n2d-standard-2" \
            --zone "europe-west1-d" \
            --maintenance-policy=TERMINATE \
            --image-family=ubuntu-2004-lts \
            --image-project=ubuntu-os-cloud \
            --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
            --scopes https://www.googleapis.com/auth/logging.read \
            --shielded-integrity-monitoring \
            --shielded-secure-boot
       b) impish:
          gcloud compute instances create \
            integrity-test-impish \
            --machine-type "n2d-standard-2" \
            --zone "europe-west1-d" \
            --maintenance-policy=TERMINATE \
            --image-family=ubuntu-2110 \
            --image-project=ubuntu-os-cloud \
            --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
            --scopes https://www.googleapis.com/auth/logging.read \
            --shielded-integrity-monitoring \
            --shielded-secure-boot
       c) jammy:
          gcloud compute instances create \
            integrity-test-jammy \
            --machine-type "n2d-standard-2" \
            --zone "europe-west1-d" \
            --maintenance-policy=TERMINATE \
            --image-family=ubuntu-2204-lts \
            --image-project=ubuntu-os-cloud-devel \
            --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
            --scopes https://www.googleapis.com/auth/logging.read \
            --shielded-integrity-monitoring \
            --shielded-secure-boot
     2. SSH into the instance and reboot it: `sudo reboot`
     3. After the instance is rebooted, check integrity monitoring logs:
       a) The easy way -- SSH into the instance and run:
         curl -sSf https://raw.githubusercontent.com/ikapelyukhin/gce-integrity-tester/master/integrity.sh | bash
       b) Alternatively, see the logs in the web console: https://console.cloud.google.com/logs/query

   * To verify the fix:
     1. Build a custom image with the fixed version of `livecd-rootfs`
     2. Upload it to GCE
     3. Register it in GCE with the same secureboot DBX as the official images
     4. Create an instance
     5. Reboot it
     6. Check integrity logs

  [Where problems could occur]

   * Any code that expects `initrdless_boot_fallback_triggered` to be explicitly 0
   would break.

  [Other Info]

   * I will build and register custom images the same way official images are built and registered by CPC.
   * I can also spin up instances created from official/custom images and provide SSH access to them on request for bug reproduction/fix verification.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/1960564/+subscriptions
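As an added example, not code from the bug report or from livecd-rootfs, the shell script below parses a GRUB environment block in the layout grub-editenv writes (header line, KEY=VALUE lines, '#' padding to 1024 bytes) and reports whether `initrdless_boot_fallback_triggered` has been written into it, which is the /boot/grub/grubenv change the report identifies as the source of the integrity monitoring errors. The pristine and post-first-boot sample files are constructed inline; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or livecd-rootfs).  grub-editenv
# writes grubenv as a fixed 1024-byte file: a "# GRUB Environment Block"
# header, KEY=VALUE lines, then '#' padding.  Integrity monitoring measures
# /boot/grub/grubenv, so the empty block in the image and the block after
# first boot (now holding initrdless_boot_fallback_triggered=0) differ.

# List the KEY=VALUE pairs in a grubenv file, dropping header and padding.
grubenv_list() {
    grep -v '^#' "$1" | grep '='
}

# Print "set" or "unset" for one variable name in a grubenv file.
grubenv_state() {
    if grubenv_list "$1" | grep -q "^$2="; then
        echo set
    else
        echo unset
    fi
}

# Succeed only if two grubenv files carry the same variables.
grubenv_same() {
    [ "$(grubenv_list "$1" | sort)" = "$(grubenv_list "$2" | sort)" ]
}

# Write constructed samples into "$1": the pristine block from the image and
# the block as it looks after the first boot wrote the fallback flag.
make_samples() {
    printf '# GRUB Environment Block\n' > "$1/grubenv.pristine"
    printf '# GRUB Environment Block\ninitrdless_boot_fallback_triggered=0\n' \
        > "$1/grubenv.booted"
    for f in "$1/grubenv.pristine" "$1/grubenv.booted"; do
        pad=$((1024 - $(wc -c < "$f")))          # pad to the fixed block size
        if [ "$pad" -gt 0 ]; then
            head -c "$pad" /dev/zero | tr '\0' '#' >> "$f"
        fi
    done
}

# Demonstration on the constructed samples: prints "pristine: unset",
# "booted: set" and "grubenv drifted".
tmp=$(mktemp -d)
make_samples "$tmp"
for s in pristine booted; do
    printf '%s: %s\n' "$s" "$(grubenv_state "$tmp/grubenv.$s" initrdless_boot_fallback_triggered)"
done
grubenv_same "$tmp/grubenv.pristine" "$tmp/grubenv.booted" || echo 'grubenv drifted'
rm -rf "$tmp"
```

Run it against a real /boot/grub/grubenv captured before and after the first boot of an instance to see the same difference that the integrity monitoring measurement picks up.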