[Bug 1960564] Re: GCE shielded VM integrity monitoring reports errors

Launchpad Bug Tracker 1960564 at bugs.launchpad.net
Thu Mar 10 17:11:44 UTC 2022


This bug was fixed in the package livecd-rootfs - 2.664.40

---------------
livecd-rootfs (2.664.40) focal; urgency=medium

  * Unset `initrdless_boot_fallback_triggered` in /boot/grub/grubenv instead
    of setting it to 0 when the fallback is not triggered to prevent integrity
    monitoring errors on GCE. (LP: #1960564)

 -- Ivan Kapelyukhin <ivan.kapelyukhin at canonical.com>  Mon, 14 Feb 2022 21:32:01 +0100

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/1960564

Title:
  GCE shielded VM integrity monitoring reports errors

Status in livecd-rootfs package in Ubuntu:
  Fix Released
Status in livecd-rootfs source package in Focal:
  Fix Released
Status in livecd-rootfs source package in Impish:
  Fix Released
Status in livecd-rootfs source package in Jammy:
  Fix Released

Bug description:
  [Impact]

   * GCE shielded VM instances created from official Ubuntu images
  starting with focal get integrity monitoring errors after second
  reboot without any actions or changes by the user.

   * This is due to `initrdless_boot_fallback_triggered` variable in
  /boot/grub/grubenv being set to 0 after first boot. /boot/grub/grubenv
  is empty in the image prior to boot.

  [Test Plan]

   * To reproduce the bug:
     1. Create a GCE shielded VM instance with integrity monitoring enabled:
       a) focal:
         gcloud compute instances create \
           integrity-test-focal \
           --machine-type "n2d-standard-2" \
           --zone "europe-west1-d" \
           --maintenance-policy=TERMINATE \
           --image-family=ubuntu-2004-lts \
           --image-project=ubuntu-os-cloud \
           --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
           --scopes https://www.googleapis.com/auth/logging.read \
           --shielded-integrity-monitoring \
           --shielded-secure-boot
       b) impish:
         gcloud compute instances create \
           integrity-test-impish \
           --machine-type "n2d-standard-2" \
           --zone "europe-west1-d" \
           --maintenance-policy=TERMINATE \
           --image-family=ubuntu-2110 \
           --image-project=ubuntu-os-cloud \
           --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
           --scopes https://www.googleapis.com/auth/logging.read \
           --shielded-integrity-monitoring \
           --shielded-secure-boot
       c) jammy:
         gcloud compute instances create \
           integrity-test-jammy \
           --machine-type "n2d-standard-2" \
           --zone "europe-west1-d" \
           --maintenance-policy=TERMINATE \
           --image-family=ubuntu-2204-lts \
           --image-project=ubuntu-os-cloud-devel \
           --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
           --scopes https://www.googleapis.com/auth/logging.read \
           --shielded-integrity-monitoring \
           --shielded-secure-boot
     2. SSH into the instance and reboot it: `sudo reboot`
     3. After the instance is rebooted, check integrity monitoring logs:
       a) The easy way -- SSH into the instance and run:
         curl -sSf https://raw.githubusercontent.com/ikapelyukhin/gce-integrity-tester/master/integrity.sh | bash
       b) Alternatively, see the logs in the web console: https://console.cloud.google.com/logs/query

   * To verify the fix:
     1. Build a custom image with the fixed version of `livecd-rootfs`
     2. Upload it to GCE
     3. Register it in GCE with the same secureboot DBX as the official images
     4. Create an instance
     5. Reboot it
     6. Check integrity logs

  [Where problems could occur]

   * Any code that expects `initrdless_boot_fallback_triggered` to be explicitly 0
   would break.
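  The [Impact] section attributes the errors to /boot/grub/grubenv changing from
  an empty block to one containing `initrdless_boot_fallback_triggered=0`, and the
  paragraph above warns about code that expects the variable to be explicitly 0.
  The following is an added example written for this report, not code from
  livecd-rootfs or the GCE tooling: it models the grubenv file format as written
  by grub-editenv (a fixed 1024-byte block, a header line, key=value records,
  '#' padding; backslash escaping of values is not modelled) and shows that
  `set VAR=0` produces a different file from the pristine block while `unset VAR`
  leaves it byte-identical, which is the distinction the fix relies on. The
  `fallback_triggered` reader shows the tolerant way to consume the flag once it
  may be absent. `measure` is a plain SHA-256 standing in for a measured-boot
  digest; it is an assumption of this example, not how the platform measures.

```python
"""Model of the GRUB environment block (/boot/grub/grubenv) as produced by
grub-editenv: a fixed 1024-byte file beginning with a header line, followed by
key=value records, padded to the end with '#' characters.
Added example for this bug report; not code from livecd-rootfs.
"""
import hashlib

BLOCK_SIZE = 1024
HEADER = b"# GRUB Environment Block\n"
VAR = "initrdless_boot_fallback_triggered"


def parse_grubenv(block: bytes) -> dict[str, str]:
    """Return the key=value records stored in a grubenv block."""
    if len(block) != BLOCK_SIZE or not block.startswith(HEADER):
        raise ValueError("not a 1024-byte GRUB environment block")
    body = block[len(HEADER):]
    # Records end at the last newline; everything after it is '#' padding.
    end = body.rfind(b"\n")
    records = body[:end] if end >= 0 else b""
    env: dict[str, str] = {}
    for line in records.split(b"\n"):
        if not line or line.startswith(b"#"):
            continue
        key, _, value = line.partition(b"=")
        env[key.decode()] = value.decode()
    return env


def serialize_grubenv(env: dict[str, str]) -> bytes:
    """Write records back into a block with grub-editenv's layout."""
    body = HEADER + b"".join(f"{k}={v}\n".encode() for k, v in env.items())
    if len(body) > BLOCK_SIZE:
        raise ValueError("environment does not fit in one block")
    return body + b"#" * (BLOCK_SIZE - len(body))


def set_var(block: bytes, key: str, value: str) -> bytes:
    """Equivalent of `grub-editenv <file> set key=value` (old behaviour used value 0)."""
    env = parse_grubenv(block)
    env[key] = value
    return serialize_grubenv(env)


def unset_var(block: bytes, key: str) -> bytes:
    """Equivalent of `grub-editenv <file> unset key` (fixed behaviour)."""
    env = parse_grubenv(block)
    env.pop(key, None)
    return serialize_grubenv(env)


def measure(block: bytes) -> str:
    """Assumed stand-in for a measured-boot digest: any content change changes it."""
    return hashlib.sha256(block).hexdigest()


def fallback_triggered(block: bytes) -> bool:
    """Read the flag without assuming it is present: absent means not triggered.
    Code doing `env[VAR] == "0"` instead raises KeyError on a fixed image."""
    return parse_grubenv(block).get(VAR, "0") == "1"


def compare_strategies() -> dict[str, bool]:
    """Contrast the pre-fix and post-fix grubenv after a boot without fallback."""
    pristine = serialize_grubenv({})             # grubenv as shipped: no records
    old_behaviour = set_var(pristine, VAR, "0")  # before the fix
    new_behaviour = unset_var(pristine, VAR)     # after the fix
    # A boot where the fallback did fire and the flag is cleared again later.
    cleared = unset_var(set_var(pristine, VAR, "1"), VAR)
    return {
        "set_to_0_changes_file": measure(old_behaviour) != measure(pristine),
        "unset_keeps_file_identical": new_behaviour == pristine,
        "unset_after_trigger_restores_pristine": cleared == pristine,
        "old_block_reads_not_triggered": not fallback_triggered(old_behaviour),
    }


if __name__ == "__main__":
    for check, ok in compare_strategies().items():
        print(f"{check}: {ok}")
```

  Run it directly to print the four checks; all of them report True. The
  practical takeaway for anything that reads grubenv is the `fallback_triggered`
  pattern: treat a missing variable as the default rather than indexing it.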

  [Other Info]

   * I will build and register custom images the same way official images are built and registered by CPC.
   * I can also spin up instances created from official/custom images and provide SSH access to them on request for bug reproduction/fix verification.
