[Bug 1862279] Re: arm64 Secure Boot fails w/ "error: cannot load image."

Matthieu Clemenceau 1862279 at bugs.launchpad.net
Wed Oct 14 15:48:46 UTC 2020 

** Tags added: fr-23

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1862279

Title:
  arm64 Secure Boot fails w/ "error: cannot load image."

Status in grub2 package in Ubuntu:
  Fix Released
Status in grub2-signed package in Ubuntu:
  Fix Committed
Status in grub2 source package in Focal:
  Fix Committed
Status in grub2-signed source package in Focal:
  In Progress
Status in grub2 source package in Groovy:
  Fix Released
Status in grub2-signed source package in Groovy:
  Fix Committed

Bug description:
  [Impact]
  Kernels are not loaded on arm64 since grub2 2.04 rebase

  [Test case]

  1. Boot qemu

  qemu-system-aarch64 -m 1024 -cpu cortex-a53 -M virt -pflash
  ~/AAVMF_CODE.fd -pflash ~/AAVMF_VARS.fd -drive
  if=none,file=/home/jak/Downloads/focal-server-cloudimg-
  arm64.img,id=hd0,format=qcow2 -device virtio-blk-device,drive=hd0 -net
  user,hostfwd=tcp::10022-:22 -net nic -smp 8 -device ramfb -device nec-
  usb-xhci -device usb-tablet -device usb-kbd

  2. Run sb-setup enroll microsoft from https://git.launchpad.net/qa-
  regression-testing/tree/notes_testing/secure-boot after sed
  s#x86_64#arm64#g s#x64#aa64#g to enroll the keys and put machine into
  secure boot mode

  3. Verify that new grub works

  4. Parallel tests (take snapshot after 3)
  4a) Reinstall old grub and check that it fails
  4b) Remove kernel signature and check that kernel loading fails

  [Regression potential]
  The changes are limited to grub-core/loader/arm64/linux.c, hence we can only break booting on non-secureboot arm64 (where it worked before) or introduce a security regression on secure boot systems (in case there's a bug). I've checked the code against fedora-34 patches, and did not see anything that looks like trouble, though, also we had it in bionic.

  [Original bug report]
  I tested out the new shim-signed (1.41+15+1552672080.a4a1fbe-0ubuntu1) on arm64 today. Unfortunately, I was unable to boot a kernel. I tried manually running commands in the GRUB shell to try and get more info, and here's the error I get:

  grub> insmod gzio
  grub> linux (hd0,gpt1)/boot/vmlinuz-5.4.0-13-generic
  grub> boot
  error: cannot load image.

  This is better then it was previously - shim used to crash before
  starting GRUB (bug 1811901 and bug 1811722). But obviously there are
  still issues somewhere. Prior to this shim binary being signed, I
  believe I had tested the unsigned binary in a VM using a custom
  signing certificate. I think I still have that VM around, so I maybe
  able to use it for comparison.

  = My setup =
  I tried to make this test simulate a real setup as much as possible. Here's roughly what I did:

  Installed an arm64 server w/ bionic
  # need a new QEMU for EnrollDefaultKeys.efi
  sudo apt-add-repository cloud-archive:train
  sudo apt update
  sudo apt install uvtool
  sudo gpasswd -a ubuntu libvirt
  # log out/back in
  # no focal images yet
  uvt-simplestreams-libvirt -v sync release=eoan
  uvt-kvm create focal arch=arm64 release=eoan
  uvt-kvm wait focal
  uvt-kvm ssh focal
  guest> sudo sed -i 's/eoan/focal/' /etc/apt/sources.list
  guest> # Also enabled focal-proposed to get latest shim-signed
  guest> sudo apt update
  guest> sudo apt dist-upgrade
  guest> sudo apt install shim-signed
  guest> sudo grub-install
  # On an x86 host, I built the latest edk2 package and copied out the AARCH64 build of
  # EnrollDefaultKeys.efi. I scp'd this over to the focal guest, and put it in the EFI
  # system partition
  guest> sudo poweroff
  virsh edit focal
  # Add the following to inject the Pk/KEK keys:
  #  <qemu:commandline>
  #    <qemu:arg value='-smbios'/>
  #    <qemu:arg value='type=11,value=4e32566d-8e9e-4f52-81d3-5bb9715f9727:MIIDNjCCAh4CCQCUy69JzVan2DANBgkqhkiG9w0BAQsFADBdMS0wKwYDVQQDDCRVYnVudHUgT1ZNRiBTZWN1cmUgQm9vdCAoUEsvS0VLIGtleSkxLDAqBgkqhkiG9w0BCQEWHXVidW50dS1kZXZlbEBsaXN0cy51YnVudHUuY29tMB4XDTE4MDYyMDIxNDg0NloXDTI4MDYxNzIxNDg0NlowXTEtMCsGA1UEAwwkVWJ1bnR1IE9WTUYgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkpMSwwKgYJKoZIhvcNAQkBFh11YnVudHUtZGV2ZWxAbGlzdHMudWJ1bnR1LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuwK+l3nl5x6ebrHYVShs/7jPAKeTTMu4MQlTbNoOZvVQhOcedjkBNaPPdd63TBxYFAnJhUBLl9hW/GB5Fn9itT0yh5G64XCBafy3rJLF8L99VDUYEuvB+a3boYATCToVnODb8h0ImORBF8sgKZm65CJlgQ93YGZbjLePnuawhU2EVH2HFyLZEWjd3JPxstlzGj+JiwvETdFX/fHbnrW+fLCLEnLLZ/YPo6We0mtVTEqHWm6G5WUIbpzPzOOGpiCKHdI+VFsX7w1TBdMhCqnxcpLn7NRXEEgw+OQ5gnOLR9kTKI+MRkux9pDGZ5v9VMcPZi2iZTHRd9briIGOL/fo0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGLAtUs7fnf5oKU7E7+woUrHP03WXAwhTNI9eTs7YLPgwC2qGAGkzdUZUbzc4zS4SaItITlYYeWfZ9PvPhPGyIZOeuBMoUeBknsC2daRVX11aAcgOnQhxMD0WjSRG5nQ5rXRZ/NwYvctJR81l41kDToNqjBIjJ3FThzz8hHyMv/DCh3ch/X2Hj7ib+1IPfoHFk+mD/6e+y46wHWS5u0Bol9w4VBMwa3FYniFgKrAmnoiuo2br5fBbgH/7326lJ7Qb/H4mBLKz/c3iw4PF+KQxspc04tJdvQ+pDEtTUiXVE0zcBip2EJgPVK0szO5H6gtXbfyoTqDr1DKaD4x9JD3yKQ=='/>
  #  </qemu:commandline>
  #
  virsh start focal; virsh console focal
  # Interrupt focal boot, drop to an EFI shell, then ran the following
  # which will load the PK/Kek1 and Microsoft keys and enable SecureBoot
  Shell> fs0:
  FS0:\> EnrollDefaultKeys.efi
  info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
  info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
  info: success
  FS0:\> reset -s
  # Then, finally, try and boot in SB mode:
  virsh start focal; virsh console focal

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1862279/+subscriptions

More information about the foundations-bugs mailing list