[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-07-02 Thread Brian Murray
** Also affects: grub2 (Ubuntu Groovy) Importance: Undecided Status: Triaged ** Also affects: shim-signed (Ubuntu Groovy) Importance: Undecided Status: Triaged ** Also affects: grub2 (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: shim-signed

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-30 Thread Adam Collard
** Tags added: maas-grub -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1865515 Title: Chainbooting from grub over the network to local shim breaks chain of trust To manage notifications about

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-23 Thread Alberto Donato
** Changed in: maas Milestone: 2.8.0 => 2.9.0b1

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-12 Thread Lee Trager
By default an LXD VM boots from the disk first. However you can change the boot order by adding "boot.priority" to your devices. The device with the highest number boots first. LXD devices config for booting off the boot disk.

devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: br0
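
The same boot-order switch as shell commands, added here as an example that is not from the bug thread or from MAAS. It sets boot.priority on the VM's NIC and root disk with lxc config device set; the VM name, the device names eth0 and root, and the priority values are assumptions, and the change takes effect at the VM's next start.

```shell
#!/bin/sh
# Added example, not from the bug thread or MAAS: switch an LXD VM between
# disk-first and network-first boot with boot.priority (the device with the
# highest value boots first). Assumes a VM with a "root" disk device and an
# "eth0" NIC; VM and device names are illustrative. Applies at next VM start.
set -eu

# Copy a profile-inherited device into the instance so its keys can be set;
# harmless if the device is already instance-local.
make_local() {                       # $1: vm, $2: device
    lxc config device override "$1" "$2" >/dev/null 2>&1 || true
}

# Give the NIC a higher boot.priority than the disk: the VM tries PXE/HTTP
# boot (for example into the shim/grub a MAAS rack serves) before the disk.
net_first() {                        # $1: vm
    make_local "$1" eth0; make_local "$1" root
    lxc config device set "$1" eth0 boot.priority=10
    lxc config device set "$1" root boot.priority=1
}

# Invert the priorities so the OS installed on the disk boots first.
disk_first() {                       # $1: vm
    make_local "$1" eth0; make_local "$1" root
    lxc config device set "$1" root boot.priority=10
    lxc config device set "$1" eth0 boot.priority=1
}

# Show the effective order: devices sorted by boot.priority, highest first.
show_order() {                       # $1: vm
    for dev in eth0 root; do
        p=$(lxc config device get "$1" "$dev" boot.priority 2>/dev/null || echo 0)
        printf '%s %s\n' "${p:-0}" "$dev"
    done | sort -rn
}

case "${1:-}" in
    net-first)  net_first "$2" ;;
    disk-first) disk_first "$2" ;;
    show)       show_order "$2" ;;
    *) echo "usage: $0 {net-first|disk-first|show} <vm>" >&2 ;;
esac
```

Run it as sh lxd-boot.sh net-first node1 before commissioning or deploying through MAAS, and sh lxd-boot.sh show node1 to confirm the NIC now sorts first; a VM whose disk keeps the higher priority never reaches the network bootloader at all.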

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-12 Thread Francis Ginther
** Tags added: id-5ee24d297b5c2a5aa43fda04

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-11 Thread Brian Murray
Can you elaborate on this step? "6. Modify LXD VM to boot from over the network"

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-11 Thread Steve Langasek
** Package changed: grub (Ubuntu) => grub2 (Ubuntu)

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-11 Thread Alberto Donato
** Changed in: maas Milestone: 2.8.0rc3 => 2.8.0

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-04 Thread Alberto Donato
** Changed in: maas Milestone: 2.8.0rc1 => 2.8.0

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Lee Trager
All bootloader files are pulled from the archive and provided on images.maas.io by lp:maas-images. bootloaders.yaml describes what files are pulled from what packages. https://git.launchpad.net/maas-images/tree/conf/bootloaders.yaml

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Lee Trager
The MAAS environment I've been using to reproduce this is virtual. I have MAAS running in an LXD container connected to an LXD Pod. To recreate this environment you'll have to install MAAS 2.8, python-pylxd from github(if using the Debian packages), and apply this[1] patch to reenable secure boot.

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Julian Andres Klode
I'm just wondering where Maas is getting the grubx64.efi from, I assume/hope it's the grubnetx64.efi binary built by the grub package. Because the bug might be in there. Anyway, this should be enough to investigate further and sounds somewhat familiar too ** Changed in: shim-signed (Ubuntu)

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Rod Smith
As I said, the EFI/foo/grubx64.efi is taken from MAAS. It's presumably netboot-enabled, but can't seem to find its config file, hence the need for the manual entry in steps 9-11. Note that I'm not a MAAS developer, so my understanding of its internals is limited.

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Julian Andres Klode
I don't see a netboot in there, am I missing something?

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Julian Andres Klode
The grubx64.efi from #3 is probably a grubnetx64.efi?

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Rod Smith
I've managed to create a procedure that duplicates this problem without the involvement of MAAS, except for one file pulled from MAAS. The procedure is awkward, but it reproduces the problem. Here's the procedure: 1) Ensure that Secure Boot is enabled. 2) Install Ubuntu. (I used 20.04 LTS

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Julian Andres Klode
Consider that we might need to upgrade grub on the MAAS server, and need to test this on bionic, focal, groovy on both maas server and deployed server sides. e.g. we might need to test deploying a groovy server from a bionic MAAS, and vice versa, and other combinations of this.

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Julian Andres Klode
Well, quite simply we'd like a minimal test case without involving maas, so that we can test this in a sensible way. This is also important for SRUs, as we need to test them before releasing.

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Rod Smith
Unfortunately, capella in 1SS is not currently accessible by our team. You can test on jehan in 18T, though; I'm sending you an e-mail with details. I don't know what you mean by "remote artifacts" and "local artifacts." The steps to reproduce the problem is simply to enable Secure Boot and

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Dimitri John Ledkov
Please provide remote artifacts
Please provide local artifacts
Please provide reproducer steps
Please provide details how local artifacts were installed
Please provide list of certs trusted by the node's firmware
Please provide access to MAAS with a secureboot on & off target nodes

** Changed in:

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Dimitri John Ledkov
Can I have access to said MAAS environment and those machines?

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Lee Trager
I tried modifying the MAAS local boot grub.cfg to directly chainboot \efi\ubuntu\shimx64.efi. This gets rid of the failed to open/failed to load errors. Local grub appears to load but halts saying the system is compromised when it tries to boot the local kernel.

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Lee Trager
MAAS doesn't know for sure what operating system is deployed locally. When booting locally MAAS sends a grub.cfg[1] which searches for the shim or local bootloader. MAAS first tries \efi\boot\bootx64.efi as that is the default location as per the UEFI spec. Most operating systems including Ubuntu
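
A local-boot grub.cfg of the kind described in this message and in the earlier attempt to chainload \efi\ubuntu\shimx64.efi directly, added here as an example: it is generated by a small shell script and is not MAAS's template from [1] nor anything posted in the thread. It tries the UEFI default path \efi\boot\bootx64.efi first, then Ubuntu's \efi\ubuntu\shimx64.efi, and chainloads the first one found; the TFTP root and per-node directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not MAAS's own template: generate the local-boot grub.cfg a
# network-booted GRUB would fetch, trying the UEFI default loader path first
# and then the distribution's shim, chainloading the first one that exists.
# The TFTP root and per-node directory layout are assumptions.
set -eu

# Candidate loaders on the node's ESP, in the order they are tried.
# /efi/boot/bootx64.efi is the UEFI-spec default (removable media) path;
# Ubuntu puts shim there and at /efi/ubuntu/shimx64.efi.
DEFAULT_LOADERS='/efi/boot/bootx64.efi /efi/ubuntu/shimx64.efi'

# Print a grub.cfg that chainloads the first candidate found on any
# filesystem GRUB can see. $@: loader paths in GRUB syntax (forward slashes).
emit_local_boot_cfg() {
    if [ $# -eq 0 ]; then loaders=$DEFAULT_LOADERS; else loaders="$*"; fi
    cat <<EOF
set default=0
set timeout=0
insmod part_gpt
insmod fat
insmod chain

menuentry 'Local disk' {
    echo 'Booting local disk...'
    for loader in $loaders; do
        # search fails when no filesystem contains the file, so the loop
        # moves on; on success root is set to the device that holds it
        if search --no-floppy --set=root --file \$loader; then
            echo "Chainloading \$loader from (\$root)"
            chainloader \$loader
            boot
        fi
    done
    echo 'No local EFI loader found on any filesystem'
}
EOF
}

# Write the config where the boot server serves it to one node (layout assumed).
install_local_boot_cfg() {           # $1: tftp root, $2: node directory
    dir="$1/grub/$2"
    mkdir -p "$dir"
    emit_local_boot_cfg > "$dir/grub.cfg"
    echo "$dir/grub.cfg"
}

case "${1:-print}" in
    print)   emit_local_boot_cfg ;;
    install) install_local_boot_cfg "$2" "$3" ;;
esac
```

This reproduces only the search-and-chainload step. The hand-off it performs, a shim-verified network GRUB chainloading a second, on-disk shim, is the hop the thread is debugging: the "system is compromised" halt reported above occurs after that hand-off, so a config like this exercises the path lookups, not the verification outcome.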

Re: [Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Steve Langasek
On Tue, May 19, 2020 at 08:59:46PM -, Lee Trager wrote:
> Based on the MAAS logs the halt happens after the remote shim, grub, and
> grub.cfg have been loaded. I didn't see anything in the console to show
> grub running but it may have been cleared before I could see it.
> Console output:
>

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Lee Trager
Based on the MAAS logs the halt happens after the remote shim, grub, and grub.cfg have been loaded. I didn't see anything in the console to show grub running but it may have been cleared before I could see it. Console output:

Booting local disk...
Failed to open \efi\boot\grubx64.efi - Not Found

Re: [Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Steve Langasek
On Tue, May 19, 2020 at 04:15:47PM -, Lee Trager wrote:
> I suspect but haven't verified that this may be due to the shim
> not being signed with a key GRUB has.

GRUB embeds no keys, it calls out to shim for verification of signatures. It would be helpful if someone could verify whether the

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Lee Trager
@Jeff MAAS uses the same bits as what the ISO uses. What is different is how local booting happens with MAAS vs with the ISO. When installed with the ISO the local boot process is UEFI Firmware -> Shim(from disk) -> GRUB(from disk) -> Boot local kernel. When installed with MAAS the local boot
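
Both chains in this message are verified the same way at each hop: the firmware checks shim against its db, and shim (not GRUB, which embeds no keys, as Steve Langasek notes above) checks GRUB and the kernel against the certificate it carries. The script below is an added example, not code from the bug thread, MAAS or Ubuntu. It lists what the node's firmware trusts, the information Dimitri John Ledkov asks for above, and reports which authority issued the signer of each binary, using mokutil and sbverify from sbsigntool. The sample listings are constructed, and the output shape of sbverify --list, the issuer names (stock Ubuntu shim, Microsoft's third-party UEFI CA) and the ESP paths are assumptions to confirm on your own binaries.

```shell
#!/bin/sh
# Added example, not code from the bug thread, MAAS or Ubuntu: audit which
# authority signed each hop of a shim-based Secure Boot chain, so the shim
# and grub MAAS serves over TFTP and the ones on the node's ESP can be
# compared against what the firmware's db actually trusts.
# Tools: mokutil and sbverify (sbsigntool). Paths and names are assumptions.
set -eu

# Extract the issuer CN of every certificate that `sbverify --list` reports.
# Pure text processing, so it also runs on a captured listing without the tool.
issuer_cns() {                       # stdin: sbverify --list output
    sed -n 's|^ *issuer: *.*CN=\([^/]*\).*$|\1|p'
}

# The anchor that must have issued the signer of each hop, under the shim model:
#   firmware -> shim         verified against db (Microsoft UEFI CA)
#   shim -> grub, kernel     verified against shim's embedded vendor cert
#                            (Canonical's Master CA in Ubuntu's shim). GRUB
#                            itself embeds no keys; it calls shim to verify.
expected_issuer() {                  # $1: shim | grub | kernel
    case "$1" in
        shim)        echo "Microsoft Corporation UEFI CA 2011" ;;
        grub|kernel) echo "Canonical Ltd. Master Certificate Authority" ;;
        *)           return 1 ;;
    esac
}

# Return 0 if the listing shows the hop signed under its expected anchor.
check_hop() {                        # $1: role, $2: sbverify --list output
    want=$(expected_issuer "$1") || return 1
    printf '%s\n' "$2" | issuer_cns | grep -qxF "$want"
}

# Live audit on a node: Secure Boot state, db subjects, each hop's signer.
audit_node() {                       # $@: role=path, e.g. shim=/boot/efi/EFI/ubuntu/shimx64.efi
    echo "Secure Boot: $(mokutil --sb-state 2>/dev/null || echo 'unknown (mokutil missing?)')"
    echo "== Subjects in db (what the firmware trusts) =="
    mokutil --db 2>/dev/null | grep 'Subject:' || echo "(could not read db)"
    for pair in "$@"; do
        role=${pair%%=*}; path=${pair#*=}
        listing=$(sbverify --list "$path" 2>&1) || true
        if check_hop "$role" "$listing"; then
            echo "OK    $role  $path  issued under: $(expected_issuer "$role")"
        else
            echo "FAIL  $role  $path  issuers: $(printf '%s\n' "$listing" | issuer_cns | tr '\n' ';')"
        fi
    done
}

# Constructed sample listings in the shape sbverify --list prints; not captured
# from a real node. Used by the stand-alone demo below.
SAMPLE_SHIM='signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011'
SAMPLE_GRUB='signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2017)
   issuer:  /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority'

case "${1:-demo}" in
    demo)
        check_hop shim "$SAMPLE_SHIM" && echo "sample shim: signed under the Microsoft UEFI CA"
        check_hop grub "$SAMPLE_GRUB" && echo "sample grub: signed under Canonical's Master CA"
        # A Canonical-signed binary in the shim slot is what the firmware would
        # reject: db trusts Microsoft's CA, not Canonical's.
        check_hop shim "$SAMPLE_GRUB" || echo "grub in the shim slot: firmware would not trust this"
        ;;
    audit) shift; audit_node "$@" ;;
esac
```

Run it as sh audit.sh audit shim=/boot/efi/EFI/ubuntu/shimx64.efi grub=/boot/efi/EFI/ubuntu/grubx64.efi on the deployed node, and again on the shim and grub files the MAAS rack serves over TFTP; a chain fails at the first hop whose signer was not issued by what the previous hop trusts, which is the comparison the "system is compromised" halt calls for.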

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Brian Murray
** Tags added: rls-ff-incoming

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Jeff Lane
FWIW, a partner is also hitting this in the field when trying to do Secure Boot installs which break 100% of the time for them. They have noted, however, that installing from ISO works and can successfully install and boot on a secure boot enabled server. They've only tested Focal ISOs at this

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Ɓukasz Zemczak
** Tags added: rls-bb-incoming

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-15 Thread Lee Trager
For LXD Pods[1] we had to disable secure boot to get around this issue. When this bug is fixed we should reenable secure boot for LXD Pods. [1] https://git.launchpad.net/maas/tree/src/provisioningserver/drivers/pod/lxd.py#n515