[Bug 1578837] Re: Secure Boot failure on Lenovo x3550 M5

Rod Smith rod.smith at canonical.com
Fri May 6 13:02:01 UTC 2016

I'm attaching the contents of the /var/lib/maas/boot-
resources/snapshot-20160426-183112 directory on the MAAS server (minus
the ubuntu and custom directories, which contain OS images and are
therefore huge). This tarball includes the shim and GRUB images used in
this process. I'm also including an excerpt from the clusterd.log file
from the MAAS server, which shows the TFTP requests.

You're correct that the system boots in two stages: When a node PXE-
boots, it requests a boot loader from the MAAS server, which delivers an
image that then kicks the boot process to the local disk. Thus, the boot
process should be:

PXE request -> TFTP-delivered Shim -> TFTP-delivered GRUB -> local Shim
-> local GRUB -> local kernel

At least, that's my understanding; I'm not involved in MAAS development
in any significant way, so I could be misunderstanding something.

The symptoms look like the handoff from the TFTP-delivered GRUB to the
local Shim is failing when Secure Boot is active. The file is definitely
present because it DOES work when Secure Boot is inactive.

** Attachment added: "Contents of MAAS directory holding shim, GRUB, etc."

You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.

  Secure Boot failure on Lenovo x3550 M5

Status in shim package in Ubuntu:

Bug description:
  When doing certification testing of Ubuntu 16.04 on a Lenovo x3550 M5,
  we've found a Secure Boot failure. After installing via MAAS with
  Secure Boot DISABLED, we've enabled Secure Boot. The following appears
  on the screen (SOL session):

  No key pressed. Preparing to boot normally...
  >>Start PXE over IPv4.
    Station IP address is

    Server IP address is
    NBP filename is bootx64.efi
    NBP filesize is 1289424 Bytes
   Downloading NBP file...

    Succeed to download NBP file.

   Downloading NBP file...

    Succeed to download NBP file.
  Fetching Netboot Image

  Booting local disk...
  file path: /ACPI(a0341d0,0)/PCI(0,1)/PCI(0,0)/Ctrl(0)/SCSI(0,0)
  error: cannot load image.

  Press any key to continue...

  Pressing a key at this point produces a GRUB menu containing nothing
  but a "Local" option. Selecting that option causes a return of the
  "Booting local disk..." message and failure.

  Disabling Secure Boot produces the same sequence, except that "error:
  cannot load image" does NOT appear, a GRUB menu with an "Ubuntu"
  option appears briefly, and the system boots normally.

  Note that Secure Boot DOES work normally in a MAAS environment on
  other computers, such as Cisco C220 M4 and C240 M4 and an Intel NUC
  DC53427HYE. (The NUC, however, required a firmware update to work with
  Secure Boot active.)

  This may well be a firmware bug, but I'm reporting it against Shim
  because it could be it's a Shim bug that's interacting with the
  firmware or there may be something Shim can do to work around the

  Version information:

  $ lsb_release -rd
  Description:	Ubuntu 16.04 LTS
  Release:	16.04
  $ apt-cache policy shim
    Installed: 0.8-0ubuntu2
    Candidate: 0.8-0ubuntu2
    Version table:
   *** 0.8-0ubuntu2 500
          500 http://us.archive.ubuntu.com//ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status
  ubuntu at oil-jolteon:~$ apt-cache policy shim-signed
    Installed: 1.12+0.8-0ubuntu2
    Candidate: 1.12+0.8-0ubuntu2
    Version table:
   *** 1.12+0.8-0ubuntu2 500
          500 http://us.archive.ubuntu.com//ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:

More information about the foundations-bugs mailing list