[Bug 1862279] Re: arm64 Secure Boot fails w/ "error: cannot load image."
Alfonso Sanchez-Beato
1862279 at bugs.launchpad.net
Fri Aug 28 16:32:42 UTC 2020
After working on LP: #1892770, I think that this is the same problem.
grub in focal/arm64 is trying to use EFI boot services to start the
kernel, after having verified the kernel with the shim. EFI does not
have access to the cert in the shim so it refuses to load the kernel.
There is a workaround which is adding Canonical Master key to the EFI
DB, so EFI can actually verify the kernel.
Looking at "loader/arm64/linux.c" in the sources seems to validate this.
In focal [1], grub_arch_efi_linux_boot_image() calls EFI boot services
b->load_image() and b->start_image() which is the same in upstream code.
However, in disco [2] the EFI boot services are not used - the sequence
is grub_armxx_efi_linux_boot_image() -> grub_efi_linux_boot() -> calls
directly an address in the loaded kernel.
The patch that makes the change in disco is
debian/patches/linuxefi_load_arm_with_sb.patch
(https://github.com/rhboot/grub2/commit/2786ab864cf00c15123320671f653e9a36ba12b4).
[1] https://git.launchpad.net/ubuntu/+source/grub2/tree/grub-core/loader/arm64/linux.c?h=applied/ubuntu/focal-updates#n122
[2] https://git.launchpad.net/ubuntu/+source/grub2/tree/grub-core/loader/arm64/linux.c?h=applied/ubuntu/disco-updates#n157
https://bugs.launchpad.net/bugs/1862279
Title:
arm64 Secure Boot fails w/ "error: cannot load image."
Status in grub2 package in Ubuntu:
Confirmed
Status in grub2-signed package in Ubuntu:
Confirmed
Status in shim package in Ubuntu:
Invalid
Bug description:
I tested out the new shim-signed (1.41+15+1552672080.a4a1fbe-0ubuntu1)
on arm64 today. Unfortunately, I was unable to boot a kernel. I tried
manually running commands in the GRUB shell to try and get more info,
and here's the error I get:
grub> insmod gzio
grub> linux (hd0,gpt1)/boot/vmlinuz-5.4.0-13-generic
grub> boot
error: cannot load image.
This is better than it was previously - shim used to crash before
starting GRUB (bug 1811901 and bug 1811722). But obviously there are
still issues somewhere. Prior to this shim binary being signed, I
believe I had tested the unsigned binary in a VM using a custom
signing certificate. I think I still have that VM around, so I may be
able to use it for comparison.
= My setup =
I tried to make this test simulate a real setup as much as possible. Here's roughly what I did:
Installed an arm64 server w/ bionic
# need a new QEMU for EnrollDefaultKeys.efi
sudo apt-add-repository cloud-archive:train
sudo apt update
sudo apt install uvtool
sudo gpasswd -a ubuntu libvirt
# log out/back in
# no focal images yet
uvt-simplestreams-libvirt -v sync release=eoan
uvt-kvm create focal arch=arm64 release=eoan
uvt-kvm wait focal
uvt-kvm ssh focal
guest> sudo sed -i 's/eoan/focal/' /etc/apt/sources.list
guest> # Also enabled focal-proposed to get latest shim-signed
guest> sudo apt update
guest> sudo apt dist-upgrade
guest> sudo apt install shim-signed
guest> sudo grub-install
# On an x86 host, I built the latest edk2 package and copied out the AARCH64 build of
# EnrollDefaultKeys.efi. I scp'd this over to the focal guest, and put it in the EFI
# system partition
guest> sudo poweroff
virsh edit focal
# Add the following to inject the Pk/KEK keys:
# <qemu:commandline>
# <qemu:arg value='-smbios'/>
# <qemu:arg value='type=11,value=4e32566d-8e9e-4f52-81d3-5bb9715f9727:MIIDNjCCAh4CCQCUy69JzVan2DANBgkqhkiG9w0BAQsFADBdMS0wKwYDVQQDDCRVYnVudHUgT1ZNRiBTZWN1cmUgQm9vdCAoUEsvS0VLIGtleSkxLDAqBgkqhkiG9w0BCQEWHXVidW50dS1kZXZlbEBsaXN0cy51YnVudHUuY29tMB4XDTE4MDYyMDIxNDg0NloXDTI4MDYxNzIxNDg0NlowXTEtMCsGA1UEAwwkVWJ1bnR1IE9WTUYgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkpMSwwKgYJKoZIhvcNAQkBFh11YnVudHUtZGV2ZWxAbGlzdHMudWJ1bnR1LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuwK+l3nl5x6ebrHYVShs/7jPAKeTTMu4MQlTbNoOZvVQhOcedjkBNaPPdd63TBxYFAnJhUBLl9hW/GB5Fn9itT0yh5G64XCBafy3rJLF8L99VDUYEuvB+a3boYATCToVnODb8h0ImORBF8sgKZm65CJlgQ93YGZbjLePnuawhU2EVH2HFyLZEWjd3JPxstlzGj+JiwvETdFX/fHbnrW+fLCLEnLLZ/YPo6We0mtVTEqHWm6G5WUIbpzPzOOGpiCKHdI+VFsX7w1TBdMhCqnxcpLn7NRXEEgw+OQ5gnOLR9kTKI+MRkux9pDGZ5v9VMcPZi2iZTHRd9briIGOL/fo0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGLAtUs7fnf5oKU7E7+woUrHP03WXAwhTNI9eTs7YLPgwC2qGAGkzdUZUbzc4zS4SaItITlYYeWfZ9PvPhPGyIZOeuBMoUeBknsC2daRVX11aAcgOnQhxMD0WjSRG5nQ5rXRZ/NwYvctJR81l41kDToNqjBIjJ3FThzz8hHyMv/DCh3ch/X2Hj7ib+1IPfoHFk+mD/6e+y46wHWS5u0Bol9w4VBMwa3FYniFgKrAmnoiuo2br5fBbgH/7326lJ7Qb/H4mBLKz/c3iw4PF+KQxspc04tJdvQ+pDEtTUiXVE0zcBip2EJgPVK0szO5H6gtXbfyoTqDr1DKaD4x9JD3yKQ=='/>
# </qemu:commandline>
#
virsh start focal; virsh console focal
# Interrupt focal boot, drop to an EFI shell, then run the following,
# which will load the PK/Kek1 and Microsoft keys and enable SecureBoot
Shell> fs0:
FS0:\> EnrollDefaultKeys.efi
info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
info: success
FS0:\> reset -s
# Then, finally, try and boot in SB mode:
virsh start focal; virsh console focal
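An added diagnostic for both the analysis above (the kernel's signer lives in shim's vendor certificate, not in the firmware db, and the workaround is to enrol Canonical's key into db) and the EnrollDefaultKeys setup: this is not code from the bug thread, grub or shim. It parses the EFI_SIGNATURE_LIST format used by the db/dbx variables and reports whether a given DER certificate is enrolled; the sample payload, owner GUID and placeholder certificate are constructed, and real data read from efivarfs (/sys/firmware/efi/efivars/db-d719b2cb-3a3d-4596-a3bc-dad00e67656f) carries a 4-byte attribute prefix that must be stripped first.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

def parse_signature_lists(data):
    """Yield (sig_type, owner, sig_data) for each entry in a db/dbx payload.

    One EFI_SIGNATURE_LIST is: type GUID(16) | ListSize u32 | HeaderSize u32 |
    SignatureSize u32 | header | N x (owner GUID(16) + SignatureSize-16 bytes).
    When reading efivarfs, strip the 4-byte attribute prefix before calling.
    """
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def cert_in_db(data, cert_der):
    """True if cert_der is enrolled as an X.509 entry (compared by SHA-256)."""
    want = hashlib.sha256(cert_der).digest()
    return any(t == EFI_CERT_X509_GUID and hashlib.sha256(d).digest() == want
               for t, _o, d in parse_signature_lists(data))

def build_list(sig_type, owner, entries):
    """Constructed helper: pack equal-sized entries into one EFI_SIGNATURE_LIST."""
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

# Constructed sample db: a placeholder "certificate" plus one SHA-256 hash entry.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
FAKE_CERT = b"\x30\x82\x01\x00" + b"A" * 60  # placeholder bytes, not a real cert
SAMPLE_DB = (build_list(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT])
             + build_list(EFI_CERT_SHA256_GUID, OWNER, [hashlib.sha256(b"x").digest()]))

if __name__ == "__main__":
    for t, o, d in parse_signature_lists(SAMPLE_DB):
        print("X509" if t == EFI_CERT_X509_GUID else "SHA256", o, len(d), "bytes")
    print("placeholder cert enrolled:", cert_in_db(SAMPLE_DB, FAKE_CERT))
```

Against a real db, pass the kernel-signing CA's DER file to cert_in_db; if it is absent while the kernel still boots, verification is happening in shim, which is exactly the state in which focal's LoadImage-based path fails.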