[Bug 1578837] Re: Secure Boot failure on Lenovo x3550 M5
Rod Smith
rod.smith at canonical.com
Fri May 6 13:02:01 UTC 2016
I'm attaching the contents of the
/var/lib/maas/boot-resources/snapshot-20160426-183112 directory on the
MAAS server (minus the ubuntu and custom directories, which contain OS
images and are therefore huge). This tarball includes the shim and GRUB
images used in this process. I'm also including an excerpt from the
clusterd.log file from the MAAS server, which shows the TFTP requests.
You're correct that the system boots in two stages: When a node
PXE-boots, it requests a boot loader from the MAAS server, which delivers
an image that then kicks the boot process to the local disk. Thus, the
boot process should be:
PXE request -> TFTP-delivered Shim -> TFTP-delivered GRUB -> local Shim -> local GRUB -> local kernel
At least, that's my understanding; I'm not involved in MAAS development
in any significant way, so I could be misunderstanding something.
The symptoms look like the handoff from the TFTP-delivered GRUB to the
local Shim is failing when Secure Boot is active. The file is definitely
present because it DOES work when Secure Boot is inactive.
** Attachment added: "Contents of MAAS directory holding shim, GRUB, etc."
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1578837/+attachment/4657251/+files/snapshot-20160426-183112.tgz
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1578837
Title:
Secure Boot failure on Lenovo x3550 M5
Status in shim package in Ubuntu:
New
Bug description:
When doing certification testing of Ubuntu 16.04 on a Lenovo x3550 M5,
we've found a Secure Boot failure. After installing via MAAS with
Secure Boot DISABLED, we've enabled Secure Boot. The following appears
on the screen (SOL session):
No key pressed. Preparing to boot normally...
>>Start PXE over IPv4.
Station IP address is 10.1.10.17
Server IP address is 10.1.10.1
NBP filename is bootx64.efi
NBP filesize is 1289424 Bytes
Downloading NBP file...
Succeed to download NBP file.
Downloading NBP file...
Succeed to download NBP file.
Fetching Netboot Image
Booting local disk...
/EndEntire
file path: /ACPI(a0341d0,0)/PCI(0,1)/PCI(0,0)/Ctrl(0)/SCSI(0,0)
/HD(15,800,100000,ae01bc523f0af546,2,2)/File(\efi\ubuntu)/File(shimx64.efi)/EndEntire
error: cannot load image.
Press any key to continue...
Pressing a key at this point produces a GRUB menu containing nothing
but a "Local" option. Selecting that option causes a return of the
"Booting local disk..." message and failure.
Disabling Secure Boot produces the same sequence, except that "error:
cannot load image" does NOT appear, a GRUB menu with an "Ubuntu"
option appears briefly, and the system boots normally.
Note that Secure Boot DOES work normally in a MAAS environment on
other computers, such as Cisco C220 M4 and C240 M4 and an Intel NUC
DC53427HYE. (The NUC, however, required a firmware update to work with
Secure Boot active.)
This may well be a firmware bug, but I'm reporting it against Shim
because it could be it's a Shim bug that's interacting with the
firmware or there may be something Shim can do to work around the
problem.
Version information:
$ lsb_release -rd
Description: Ubuntu 16.04 LTS
Release: 16.04
$ apt-cache policy shim
shim:
Installed: 0.8-0ubuntu2
Candidate: 0.8-0ubuntu2
Version table:
*** 0.8-0ubuntu2 500
500 http://us.archive.ubuntu.com//ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
ubuntu@oil-jolteon:~$ apt-cache policy shim-signed
shim-signed:
Installed: 1.12+0.8-0ubuntu2
Candidate: 1.12+0.8-0ubuntu2
Version table:
*** 1.12+0.8-0ubuntu2 500
500 http://us.archive.ubuntu.com//ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status