[Bug 1711203] Re: Deployments fail when Secure Boot enabled

Steve Langasek steve.langasek at canonical.com
Thu Nov 16 22:02:43 UTC 2017 

On Thu, Nov 16, 2017 at 09:53:18PM -0000, Ryan Harper wrote:
> No one in this thread has answered how MAAS or curtin
> knows that it should install the -signed version of linux-image.

It should *unconditionally* prefer the -signed version of linux-image.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1711203

Title:
  Deployments fail when Secure Boot enabled

Status in curtin:
  Invalid
Status in dellserver:
  New
Status in MAAS:
  Confirmed
Status in maas-images:
  Confirmed
Status in grub2 package in Ubuntu:
  Won't Fix

Bug description:
  I've recently encountered a problem with deploying nodes on which
  Secure Boot is enabled. The symptoms are:

  1. The node enlists and commissions fine
  2. The node boots and begin deploying fine
  3. After deployment completes, the node reboots
  4. When booting at this point, after showing a few routine messages,
     including a GRUB menu, the node displays the following text on its
     screen:

  error: invalid video mode specification `text'.
  Booting in blind mode
  Bootloader has not verified loaded image
  System is compromised. halting

  Disabling Secure Boot on the node enables it to boot. If this is done
  quickly enough, deployment will succeed.

  I've encountered this problem on two systems managed by two MAAS
  servers: An Intel NUC DC53247HYE and a Cisco UCS C-240 M4 (VIC). One
  MAAS server is running 2.2.2 (6099-g8751f91-0ubuntu1~16.04.1) and the
  other is running 2.2.1 (6078-g2a6d96e-0ubuntu1~16.04.1). I'm attaching
  log files from the first server to this bug report. The affected node
  is brennan on that server.

  Further observations:

  * Once booted, I see that there's no kernel with a .efi.signed extension on
    the hard disk. Installing such a kernel does NOT fix the problem;
    however, it may be necessary to install such a kernel for a proper fix.
  * If I force a boot directly through the Shim and GRUB installed on the
    hard disk, the system boots correctly, even with Secure Boot enabled.

  I found a copy of the error message in Shim source code, and reports
  of this message on Fedora as early as 2014:

  * https://github.com/rhboot/shim/blob/master/replacements.c
  * https://ask.fedoraproject.org/en/question/39126/bootloader-has-not-verified-loaded-image/

  It looks to me as if the Shim that MAAS uses for the post-deployment
  boot has been updated/changed to include this strict verification that
  the kernel is honoring Secure Boot rules; but the Shim installed to
  the hard disk, and used during enlistment and commissioning, does not
  perform this check. OTOH, I can't find any evidence of separate Shim
  binaries on the MAAS server.

  MAAS version information from one server:

  $ dpkg -l '*maas*'|cat
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name                            Version                              Architecture Description
  +++-===============================-====================================-============-==================================================
  ii  maas                            2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all          "Metal as a Service" is a physical cloud and IPAM
  ii  maas-cert-server                0.2.30-0~76~ubuntu16.04.1            all          Ubuntu certification support files for MAAS server
  ii  maas-cli                        2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all          MAAS client and command-line interface
  un  maas-cluster-controller         <none>                               <none>       (no description available)
  ii  maas-common                     2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all          MAAS server common files
  ii  maas-dhcp                       2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all          MAAS DHCP server
  ii  maas-dns                        2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all          MAAS DNS server
  ii  maas-proxy                      2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all          MAAS Caching Proxy
  ii  maas-rack-controller            2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all          Rack Controller for MAAS
  ii  maas-region-api                 2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all          Region controller API service for MAAS
  ii  maas-region-controller          2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all          Region Controller for MAAS
  un  maas-region-controller-min      <none>                               <none>       (no description available)
  un  python-django-maas              <none>                               <none>       (no description available)
  un  python-maas-client              <none>                               <none>       (no description available)
  un  python-maas-provisioningserver  <none>                               <none>       (no description available)
  ii  python3-django-maas             2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all          MAAS server Django web framework (Python 3)
  ii  python3-maas-client             2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all          MAAS python API client (Python 3)
  ii  python3-maas-provisioningserver 2.2.2-6099-g8751f91-0ubuntu1~16.04.1 all          MAAS server provisioning libraries (Python 3)

To manage notifications about this bug go to:
https://bugs.launchpad.net/curtin/+bug/1711203/+subscriptions

More information about the foundations-bugs mailing list