[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

Rod Smith 1865515 at bugs.launchpad.net
Wed Jun 3 16:24:46 UTC 2020


I've managed to create a procedure that duplicates this problem without
the involvement of MAAS, except for one file pulled from MAAS. The
procedure is awkward, but it reproduces the problem. Here's the
procedure:

1) Ensure that Secure Boot is enabled.
2) Install Ubuntu. (I used 20.04 LTS server.)
3) Retrieve shimx64.efi from a MAAS server
   (/var/lib/maas/boot-resources/current/grubx64.efi). I'm appending
   a copy of the file I used to this bug report.
4) sudo mkdir /boot/efi/EFI/foo
5) sudo cp /boot/efi/EFI/ubuntu/shimx64.efi /boot/efi/EFI/foo/
6) Copy the grubx64.efi retrieved from step #3 to /boot/efi/EFI/foo.
7) sudo efibootmgr -c -l \\EFI\\foo\\shimx64.efi -L "Secondary GRUB"
8) Reboot. A grub> prompt should appear, from shimx64.efi in the EFI/foo
   directory on the ESP.
9) Type "set root='(hd0,gpt1)'"
10) Type "chainloader /EFI/ubuntu/shimx64.efi"
11) Type "boot". The messages noted in the initial bug report should
    appear and the system should halt.

Note that some disk references may need to be adjusted on some systems
-- (hd0,gpt1) is the ESP, and the efibootmgr command assumes the ESP is
/dev/sda1 from within Ubuntu.

Interestingly, substituting grubx64.efi for shimx64.efi in step #10
results in a successful boot, which may be a simple workaround from
within MAAS -- if MAAS's configuration is changed to bypass the second
shimx64.efi, it may work better.

** Attachment added: "grubx64.efi from a MAAS server"
   https://bugs.launchpad.net/maas/+bug/1865515/+attachment/5380059/+files/grubx64.efi
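The manual procedure above, scripted as an added example (not from the bug report, from MAAS or from the grub/shim packages): it derives the efibootmgr disk and partition arguments from where /boot/efi is actually mounted instead of assuming /dev/sda1, and writes the grub> steps into a grub.cfg beside the secondary shim so the chainload target (the shim that halts, or the grubx64.efi workaround) is a parameter. The function names are this example's own, and it assumes the secondary GRUB reads grub.cfg from its own ESP directory and that GRUB sees the ESP's disk as hd0.

```shell
#!/bin/sh
# Added example (not from the bug report or MAAS): scripts the repro so the
# ESP is found on the running system instead of assumed to be /dev/sda1, and
# the grub> steps live in a grub.cfg.  Function names are this example's own.

# Turn a partition node into efibootmgr's "-d DISK -p NUM" arguments.
# Handles /dev/sda1 as well as /dev/nvme0n1p1 and /dev/mmcblk0p1 naming.
esp_bootmgr_args() {
    part=$1
    case $part in
        /dev/nvme*p[0-9]*|/dev/mmcblk*p[0-9]*)
            disk=${part%p[0-9]*}     # strip the trailing pN
            num=${part##*p}
            ;;
        *)
            num=${part##*[!0-9]}     # trailing digits are the partition number
            disk=${part%"$num"}
            ;;
    esac
    printf '%s %s %s %s' -d "$disk" -p "$num"
}

# grub.cfg for steps 9-10 of the report (boot is implicit in a menuentry).
# $1: GRUB device of the ESP, e.g. (hd0,gpt1).  $2: EFI path to chainload;
# /EFI/ubuntu/shimx64.efi reproduces the halt, /EFI/ubuntu/grubx64.efi is the
# workaround noted in the report.
grub_cfg_for() {
    cat <<EOF
set timeout=3
menuentry "Chainload $2" {
    set root='$1'
    chainloader $2
}
EOF
}

# Steps 4-7 of the report.  $1: grubx64.efi taken from the MAAS server;
# $2 (optional): chainload target, default /EFI/ubuntu/shimx64.efi.
# Assumes /boot/efi is the ESP and that GRUB sees that disk as hd0.
setup_secondary_grub() {
    esp=$(findmnt -no SOURCE /boot/efi) || return 1
    sudo mkdir -p /boot/efi/EFI/foo
    sudo cp /boot/efi/EFI/ubuntu/shimx64.efi /boot/efi/EFI/foo/
    sudo cp "$1" /boot/efi/EFI/foo/grubx64.efi
    grub_cfg_for "(hd0,gpt${esp##*[!0-9]})" "${2:-/EFI/ubuntu/shimx64.efi}" \
        | sudo tee /boot/efi/EFI/foo/grub.cfg >/dev/null
    # word-splitting of the -d/-p pair below is intended
    sudo efibootmgr -c $(esp_bootmgr_args "$esp") \
        -l '\EFI\foo\shimx64.efi' -L "Secondary GRUB"
}
```

Call `setup_secondary_grub /path/to/maas/grubx64.efi` to reproduce the halt, or pass `/EFI/ubuntu/grubx64.efi` as the second argument to test the workaround; if the secondary GRUB still drops to a grub> prompt, type the generated menuentry's commands as in steps 9-11.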

https://bugs.launchpad.net/bugs/1865515

Title:
  Chainbooting from grub over the network to local shim breaks chain of
  trust

Status in MAAS:
  Confirmed
Status in grub package in Ubuntu:
  Incomplete
Status in shim-signed package in Ubuntu:
  Incomplete

Bug description:
  MAAS (2.4.2 and 2.6.2) cannot deploy to a server with Secure Boot
  active. This appears to be a regression of bug #1711203; the symptoms
  are identical. Namely:

  1) The system can begin deployment fine.
  2) After deployment is complete except for the final reboot, the
     system will reboot.
  3) GRUB appears briefly on the screen.
  4) The system console briefly displays the message:
     Bootloader has not verified loaded image
     System is compromised.  halting.
  5) The node powers off.
  6) Eventually MAAS times out on the deployment and declares
     that it's failed.

  I've verified this on three MAAS servers and one node each (jehan, a
  Quanta QuantaGrid D52B-1U in 18T; capella, a Supermicro SYS-6028U-TR4+
  in 1SS, and brennan, an Intel NUC DC53427HYE on my home network).

  Two of the MAAS servers are running MAAS
  2.6.2-7841-ga10625be3-0ubuntu1~18.04.1; the third is on
  2.4.2-7034-g2f5deb8b8-0ubuntu1.
