[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust
Steve Langasek
steve.langasek at canonical.com
Tue May 19 17:57:10 UTC 2020
On Tue, May 19, 2020 at 04:15:47PM -0000, Lee Trager wrote:
> I suspect but haven't verified that this may be due to the shim
> not being signed with a key GRUB has.
GRUB embeds no keys, it calls out to shim for verification of
signatures.
It would be helpful if someone could verify whether the boot chain is
stopping at the second shim, or at the second grub.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub in Ubuntu.
https://bugs.launchpad.net/bugs/1865515
Title:
Chainbooting from grub over the network to local shim breaks chain of
trust
Status in MAAS:
Confirmed
Status in grub package in Ubuntu:
Confirmed
Status in shim-signed package in Ubuntu:
Confirmed
Bug description:
MAAS (2.4.2 and 2.6.2) cannot deploy to a server with Secure Boot
active. This appears to be a regression of bug #1711203; the symptoms
are identical. Namely:
1) The system can begin deployment fine.
2) After deployment is complete except for the final reboot, the
system will reboot.
3) GRUB appears briefly on the screen.
4) The system console briefly displays the message:
Bootloader has not verified loaded image
System is compromised. halting.
5) The node powers off.
6) Eventually MAAS times out on the deployment and declares
that it's failed.
I've verified this on three MAAS servers and one node each (jehan, a
Quanta QuantaGrid D52B-1U in 18T; capella, a Supermicro SYS-6028U-TR4+
in 1SS, and brennan, an Intel NUC DC53427HYE on my home network).
Two of the MAAS servers are running MAAS
2.6.2-7841-ga10625be3-0ubuntu1~18.04.1; the third is on
2.4.2-7034-g2f5deb8b8-0ubuntu1.
To manage notifications about this bug go to:
https://bugs.launchpad.net/maas/+bug/1865515/+subscriptions
More information about the foundations-bugs
mailing list