[Bug 1960564] Re: GCE shielded VM integrity monitoring reports errors
Ivan Kapelyukhin
1960564 at bugs.launchpad.net
Wed Mar 9 19:49:52 UTC 2022
TEST CASE:
1. Built Focal and Impish GCE images from respective `livecd-rootfs` packages with the fix
2. Started instances from those images, rebooted, ran the `integrity-tester` script
3. Ran `basic-ubuntu` and `google-secure-boot` test suites against those images
VERIFICATION DONE
Tests are passing; the integrity tester shows no errors in the integrity logs after instance reboot.
** Tags removed: verification-needed verification-needed-focal verification-needed-impish
** Tags added: verification-done verification-done-focal verification-done-impish
https://bugs.launchpad.net/bugs/1960564
Title:
GCE shielded VM integrity monitoring reports errors
Status in livecd-rootfs package in Ubuntu:
Fix Released
Status in livecd-rootfs source package in Focal:
Fix Committed
Status in livecd-rootfs source package in Impish:
Fix Committed
Status in livecd-rootfs source package in Jammy:
Fix Released
Bug description:
[Impact]
* GCE shielded VM instances created from official Ubuntu images
starting with focal get integrity monitoring errors after the second
reboot, without any actions or changes by the user.
* This is due to the `initrdless_boot_fallback_triggered` variable in
/boot/grub/grubenv being set to 0 after the first boot. /boot/grub/grubenv
is empty in the image prior to boot.
[Test Plan]
* To reproduce the bug:
  1. Create a GCE shielded VM instance with integrity monitoring enabled:
     a) focal:
        gcloud compute instances create \
          integrity-test-focal \
          --machine-type "n2d-standard-2" \
          --zone "europe-west1-d" \
          --maintenance-policy=TERMINATE \
          --image-family=ubuntu-2004-lts \
          --image-project=ubuntu-os-cloud \
          --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
          --scopes https://www.googleapis.com/auth/logging.read \
          --shielded-integrity-monitoring \
          --shielded-secure-boot
     b) impish:
        gcloud compute instances create \
          integrity-test-impish \
          --machine-type "n2d-standard-2" \
          --zone "europe-west1-d" \
          --maintenance-policy=TERMINATE \
          --image-family=ubuntu-2110 \
          --image-project=ubuntu-os-cloud \
          --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
          --scopes https://www.googleapis.com/auth/logging.read \
          --shielded-integrity-monitoring \
          --shielded-secure-boot
     c) jammy:
        gcloud compute instances create \
          integrity-test-jammy \
          --machine-type "n2d-standard-2" \
          --zone "europe-west1-d" \
          --maintenance-policy=TERMINATE \
          --image-family=ubuntu-2204-lts \
          --image-project=ubuntu-os-cloud-devel \
          --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
          --scopes https://www.googleapis.com/auth/logging.read \
          --shielded-integrity-monitoring \
          --shielded-secure-boot
  2. SSH into the instance and reboot it: `sudo reboot`
  3. After the instance is rebooted, check integrity monitoring logs:
     a) The easy way -- SSH into the instance and run:
        curl -sSf https://raw.githubusercontent.com/ikapelyukhin/gce-integrity-tester/master/integrity.sh | bash
     b) Alternatively, see the logs in the web console: https://console.cloud.google.com/logs/query
* To verify the fix:
  1. Build a custom image with the fixed version of `livecd-rootfs`
  2. Upload it to GCE
  3. Register it in GCE with the same secureboot DBX as the official images
  4. Create an instance
  5. Reboot it
  6. Check integrity logs
[Where problems could occur]
* Any code that expects `initrdless_boot_fallback_triggered` to be explicitly 0
would break.
[Other Info]
* I will build and register custom images the same way official images are built and registered by CPC.
* I can also spin up instances created from official/custom images and provide SSH access to them on request for bug reproduction/fix verification.
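Added example, not taken from the bug report or from livecd-rootfs: a small POSIX shell helper that inspects a GRUB environment block of the kind found at /boot/grub/grubenv and reports whether it still carries no variables, which is the empty state the [Impact] section says the image ships with and the state one wants to confirm after the reboot in step 6 of the verification plan. The function names (write_grubenv, grubenv_list, grubenv_get, grubenv_is_pristine, check_fallback_var) are this example's own; the sample blocks it writes are constructed, laid out the way GRUB keeps the file (a header line, KEY=VALUE lines, then '#' padding to 1024 bytes).

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the bug report or livecd-rootfs):
# inspect a GRUB environment block such as /boot/grub/grubenv and flag the drift
# the bug describes, where initrdless_boot_fallback_triggered turns up after the
# first boot and changes a file that shielded VM integrity monitoring measures.

# Write a grubenv-style file: the GRUB header line, KEY=VALUE lines, then '#'
# padding so the block is exactly 1024 bytes, as GRUB's save_env keeps it.
write_grubenv() {
    path="$1"; shift
    {
        printf '# GRUB Environment Block\n'
        for kv in "$@"; do printf '%s\n' "$kv"; done
    } > "$path"
    size=$(wc -c < "$path" | tr -d ' ')
    pad=$((1024 - size))
    [ "$pad" -ge 0 ] || { echo "environment block exceeds 1024 bytes" >&2; return 1; }
    i=0
    while [ "$i" -lt "$pad" ]; do printf '#'; i=$((i + 1)); done >> "$path"
}

# List the variables set in a grubenv file, one KEY=VALUE per line
# (empty output when the block carries none; the '#' padding is skipped).
grubenv_list() {
    grep -v '^#' "$1" | grep '=' || true
}

# Print the value of variable $2 from grubenv $1; prints nothing when unset.
grubenv_get() {
    grubenv_list "$1" | sed -n "s/^$2=//p"
}

# Succeed when the block carries no variables, i.e. it still matches the
# empty grubenv the image ships with before its first boot.
grubenv_is_pristine() {
    [ -z "$(grubenv_list "$1")" ]
}

# Succeed when initrdless_boot_fallback_triggered is unset; otherwise report
# the value and fail, which is the state that made integrity monitoring complain.
check_fallback_var() {
    v=$(grubenv_get "$1" initrdless_boot_fallback_triggered)
    if [ -n "$v" ]; then
        echo "initrdless_boot_fallback_triggered=$v: grubenv changed since image build" >&2
        return 1
    fi
    return 0
}

# Demo on two constructed files (not data from a real instance).
demo() {
    pristine=$(mktemp); drifted=$(mktemp)
    write_grubenv "$pristine"
    write_grubenv "$drifted" initrdless_boot_fallback_triggered=0
    grubenv_is_pristine "$pristine" && echo "pristine block: no variables set"
    check_fallback_var "$drifted" || echo "drifted block: would change the measured file"
    rm -f "$pristine" "$drifted"
}

demo
```

On a real instance, point check_fallback_var at /boot/grub/grubenv after the reboot (or compare against `grub-editenv /boot/grub/grubenv list`); a fixed image should leave the block without the variable, while an affected image shows it set to 0, as the bug description states.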