[Bug 1960564] Re: GCE shielded VM integrity monitoring reports errors

Łukasz Zemczak 1960564 at bugs.launchpad.net
Mon Mar 7 14:32:33 UTC 2022


Hello Ivan, or anyone else affected,

Accepted livecd-rootfs into impish-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/livecd-rootfs/2.742.4
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-impish
to verification-done-impish. If it does not fix the bug for you, please add
a comment stating that, and change the tag to verification-failed-impish.
In either case, without details of your testing we will not be able to
proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: livecd-rootfs (Ubuntu Impish)
       Status: New => Fix Committed

** Tags added: verification-needed verification-needed-impish

** Changed in: livecd-rootfs (Ubuntu Focal)
       Status: New => Fix Committed

** Tags added: verification-needed-focal

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/1960564

Title:
  GCE shielded VM integrity monitoring reports errors

Status in livecd-rootfs package in Ubuntu:
  Fix Released
Status in livecd-rootfs source package in Focal:
  Fix Committed
Status in livecd-rootfs source package in Impish:
  Fix Committed
Status in livecd-rootfs source package in Jammy:
  Fix Released

Bug description:
  [Impact]

   * GCE shielded VM instances created from official Ubuntu images
  starting with focal get integrity monitoring errors after second
  reboot without any actions or changes by the user.

   * This is due to `initrdless_boot_fallback_triggered` variable in
  /boot/grub/grubenv being set to 0 after first boot. /boot/grub/grubenv
  is empty in the image prior to boot.

  [Test Plan]

   * To reproduce the bug:
     1. Create a GCE shielded VM instance with integrity monitoring enabled:
       a) focal:
         gcloud compute instances create \
           integrity-test-focal \
           --machine-type "n2d-standard-2" \
           --zone "europe-west1-d" \
           --maintenance-policy=TERMINATE \
           --image-family=ubuntu-2004-lts \
           --image-project=ubuntu-os-cloud \
           --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
           --scopes https://www.googleapis.com/auth/logging.read \
           --shielded-integrity-monitoring \
           --shielded-secure-boot
       b) impish:
         gcloud compute instances create \
           integrity-test-impish \
           --machine-type "n2d-standard-2" \
           --zone "europe-west1-d" \
           --maintenance-policy=TERMINATE \
           --image-family=ubuntu-2110 \
           --image-project=ubuntu-os-cloud \
           --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
           --scopes https://www.googleapis.com/auth/logging.read \
           --shielded-integrity-monitoring \
           --shielded-secure-boot
       c) jammy:
         gcloud compute instances create \
           integrity-test-jammy \
           --machine-type "n2d-standard-2" \
           --zone "europe-west1-d" \
           --maintenance-policy=TERMINATE \
           --image-family=ubuntu-2204-lts \
           --image-project=ubuntu-os-cloud-devel \
           --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
           --scopes https://www.googleapis.com/auth/logging.read \
           --shielded-integrity-monitoring \
           --shielded-secure-boot
     2. SSH into the instance and reboot it: `sudo reboot`
     3. After the instance is rebooted, check integrity monitoring logs:
       a) The easy way -- SSH into the instance and run:
         curl -sSf https://raw.githubusercontent.com/ikapelyukhin/gce-integrity-tester/master/integrity.sh | bash
       b) Alternatively, see the logs in the web console: https://console.cloud.google.com/logs/query

   * To verify the fix:
     1. Build a custom image with the fixed version of `livecd-rootfs`
     2. Upload it to GCE
     3. Register it in GCE with the same secureboot DBX as the official images
     4. Create an instance
     5. Reboot it
     6. Check integrity logs

  [Where problems could occur]

   * Any code that expects `initrdless_boot_fallback_triggered` to be
  explicitly 0 would break.

  [Other Info]

   * I will build and register custom images the same way official images are built and registered by CPC.
   * I can also spin up instances created from official/custom images and provide SSH access to them on request for bug reproduction/fix verification.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/1960564/+subscriptions
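An added example, not part of the bug report or of livecd-rootfs: a POSIX shell check that parses a GRUB environment block and reports whether initrdless_boot_fallback_triggered is recorded in it, so an image or instance can be inspected for the two states the description contrasts (an empty grubenv before first boot, the variable set to 0 afterwards). It assumes the standard grubenv layout (a "# GRUB Environment Block" header, key=value lines, '#' padding to 1024 bytes); the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or livecd-rootfs. Reads a GRUB
# environment block (/boot/grub/grubenv): a "# GRUB Environment Block"
# header, key=value lines, then '#' bytes padding the block to 1024 bytes.

# Print the value of key $1 stored in grubenv file $2; fail if it is absent.
grubenv_get() {
    key=$1
    file=$2
    # Drop the header and the padding (both start with '#'), then match the key.
    value=$(grep -v '^#' "$file" | sed -n "s/^${key}=//p" | head -n 1)
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# Classify a grubenv for the variable the bug report discusses:
# prints "absent" for a missing, empty or header-only block (the image
# state before first boot) or the recorded value (the report observes "0"
# after the first boot, which is what changes between measured boots).
fallback_state() {
    file=$1
    if [ ! -s "$file" ]; then
        echo absent
        return 0
    fi
    v=$(grubenv_get initrdless_boot_fallback_triggered "$file") || v=absent
    echo "$v"
}

# Write a constructed sample grubenv to $1; $2 is the variable's value, or
# empty for a header-only block. Padded with '#' the way grub-editenv does.
make_sample_grubenv() {
    out=$1
    printf '# GRUB Environment Block\n' > "$out"
    if [ -n "$2" ]; then
        printf 'initrdless_boot_fallback_triggered=%s\n' "$2" >> "$out"
    fi
    padding=$((1024 - $(wc -c < "$out")))
    if [ "$padding" -gt 0 ]; then
        awk -v n="$padding" 'BEGIN { while (n-- > 0) printf "#" }' >> "$out"
    fi
}

# Usage on a live system: fallback_state /boot/grub/grubenv
```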
