[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-07-02 Thread Brian Murray
** Also affects: grub2 (Ubuntu Groovy)
   Importance: Undecided
   Status: Triaged

** Also affects: shim-signed (Ubuntu Groovy)
   Importance: Undecided
   Status: Triaged

** Also affects: grub2 (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: shim-signed (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Tags removed: rls-bb-incoming rls-ff-incoming

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865515

Title:
  Chainbooting from grub over the network to local shim breaks chain of
  trust

To manage notifications about this bug go to:
https://bugs.launchpad.net/maas/+bug/1865515/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-30 Thread Adam Collard
** Tags added: maas-grub

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-23 Thread Alberto Donato
** Changed in: maas
Milestone: 2.8.0 => 2.9.0b1

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-12 Thread Lee Trager
By default an LXD VM boots from the disk first. However, you can change
the boot order by adding "boot.priority" to your devices. The device
with the highest number boots first.

LXD devices config for booting off the boot disk.
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: br0
    type: nic
  root:
    path: /
    pool: default
    size: "80"
    type: disk

LXD devices config for booting off the network first.
devices:
  eth0:
    boot.priority: "1"
    name: eth0
    nictype: bridged
    parent: br0
    type: nic
  root:
    boot.priority: "0"
    path: /
    pool: default
    size: "80"
    type: disk

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-12 Thread Francis Ginther
** Tags added: id-5ee24d297b5c2a5aa43fda04

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-11 Thread Brian Murray
Can you elaborate on this step? "6. Modify LXD VM to boot from over the
network"

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-11 Thread Steve Langasek
** Package changed: grub (Ubuntu) => grub2 (Ubuntu)

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-11 Thread Alberto Donato
** Changed in: maas
Milestone: 2.8.0rc3 => 2.8.0

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-04 Thread Alberto Donato
** Changed in: maas
Milestone: 2.8.0rc1 => 2.8.0

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Lee Trager
All bootloader files are pulled from the archive and provided on
images.maas.io by lp:maas-images. bootloaders.yaml describes what files
are pulled from what packages.

https://git.launchpad.net/maas-images/tree/conf/bootloaders.yaml

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Lee Trager
The MAAS environment I've been using to reproduce this is virtual. I
have MAAS running in an LXD container connected to an LXD Pod. To
recreate this environment you'll have to install MAAS 2.8, python-pylxd
from GitHub (if using the Debian packages), and apply this[1] patch to
re-enable secure boot. After MAAS is set up you'll need to configure LXD
to accept remote connections to be able to add it as a MAAS Pod.

This bug should be reproducible using LXD

1. Download GRUB and the shim. MAAS gets both from Bionic; you can download
them directly here[2]
2. Set up a TFTP server to provide them
3. Add grub.cfg from MAAS[3]
4. Set up DHCP - Example dhcpd.conf from MAAS[4]
5. Create LXD VM
6. Modify LXD VM to boot from over the network
7. See boot failure

[1] http://paste.ubuntu.com/p/gjXhVTDgRv/
[2] https://images.maas.io/ephemeral-v3/daily/bootloaders/uefi/amd64/
[3] https://git.launchpad.net/maas/tree/src/provisioningserver/templates/uefi/config.local.amd64.template
[4] http://paste.ubuntu.com/p/RMRxYkDrNG/

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Julian Andres Klode
I'm just wondering where MAAS is getting the grubx64.efi from, I
assume/hope it's the grubnetx64.efi binary built by the grub package.

Because the bug might be in there.

Anyway, this should be enough to investigate further and sounds somewhat
familiar too.


** Changed in: shim-signed (Ubuntu)
   Status: Incomplete => Confirmed

** Changed in: grub (Ubuntu)
   Status: Incomplete => Confirmed

** Changed in: shim-signed (Ubuntu)
   Status: Confirmed => Triaged

** Changed in: grub (Ubuntu)
   Status: Confirmed => Triaged

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Rod Smith
As I said, the EFI/foo/grubx64.efi is taken from MAAS. It's presumably
netboot-enabled, but can't seem to find its config file, hence the need
for the manual entry in steps 9-11. Note that I'm not a MAAS developer,
so my understanding of its internals is limited.

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Julian Andres Klode
I don't see a netboot in there, am I missing something?

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Julian Andres Klode
The grubx64.efi from #3 is probably a grubnetx64.efi?

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Rod Smith
I've managed to create a procedure that duplicates this problem without
the involvement of MAAS, except for one file pulled from MAAS. The
procedure is awkward, but it reproduces the problem. Here's the
procedure:

1) Ensure that Secure Boot is enabled.
2) Install Ubuntu. (I used 20.04 LTS server.)
3) Retrieve grubx64.efi from a MAAS server
   (/var/lib/maas/boot-resources/current/grubx64.efi). I'm appending
   a copy of the file I used to this bug report.
4) sudo mkdir /boot/efi/EFI/foo
5) sudo cp /boot/efi/EFI/ubuntu/shimx64.efi /boot/efi/EFI/foo/
6) Copy the grubx64.efi retrieved from step #3 to /boot/efi/EFI/foo.
7) sudo efibootmgr -c -l \\EFI\\foo\\shimx64.efi -L "Secondary GRUB"
8) Reboot. A grub> prompt should appear, from shimx64.efi in the EFI/foo
   directory on the ESP.
9) Type "set root='(hd0,gpt1)'"
10) Type "chainloader /EFI/ubuntu/shimx64.efi"
11) Type "boot". The messages noted in the initial bug report should
appear and the system should halt.

Note that some disk references may need to be adjusted on some systems
-- (hd0,gpt1) is the ESP, and the efibootmgr command assumes the ESP is
/dev/sda1 from within Ubuntu.

Interestingly, substituting grubx64.efi for shimx64.efi in step #10
results in a successful boot, which may be a simple workaround from
within MAAS -- if MAAS's configuration is changed to bypass the second
shimx64.efi, it may work better.

** Attachment added: "grubx64.efi from a MAAS server"
   https://bugs.launchpad.net/maas/+bug/1865515/+attachment/5380059/+files/grubx64.efi

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Julian Andres Klode
Consider that we might need to upgrade grub on the MAAS server, and need
to test this on bionic, focal, groovy on both maas server and deployed
server sides.

e.g. we might need to test deploying a groovy server from a bionic MAAS,
and vice versa, and other combinations of this.

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Julian Andres Klode
Well, quite simply we'd like a minimal test case without involving maas,
so that we can test this in a sensible way. This is also important for
SRUs, as we need to test them before releasing.

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Rod Smith
Unfortunately, capella in 1SS is not currently accessible by our team.
You can test on jehan in 18T, though; I'm sending you an e-mail with
details.

I don't know what you mean by "remote artifacts" and "local artifacts."
The steps to reproduce the problem are simply to enable Secure Boot and
attempt to deploy the server; it will fail as described in the initial
bug report.

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Dimitri John Ledkov
Please provide remote artifacts
Please provide local artifacts
Please provide reproducer steps
Please provide details how local artifacts were installed
Please provide list of certs trusted by the node's firmware
Please provide access to MAAS with a secureboot on & off target nodes

** Changed in: shim-signed (Ubuntu)
   Status: Confirmed => Incomplete

** Changed in: grub (Ubuntu)
   Status: Confirmed => Incomplete

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-06-03 Thread Dimitri John Ledkov
Can I have access to said MAAS environment and those machines?

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Lee Trager
I tried modifying the MAAS local boot grub.cfg to directly chainboot
\efi\ubuntu\shimx64.efi. This gets rid of the failed to open/failed to
load errors. Local grub appears to load but halts saying the system is
compromised when it tries to boot the local kernel.

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Lee Trager
MAAS doesn't know for sure what operating system is deployed locally.
When booting locally MAAS sends a grub.cfg[1] which searches for the
shim or local bootloader. MAAS first tries \efi\boot\bootx64.efi as that
is the default location as per the UEFI spec. Most operating systems
including Ubuntu put a bootloader there. The shim fails to find grub as
Ubuntu only stores grub in \efi\ubuntu\grubx64.efi. The two failure
messages are from that. The config then tries to load
\efi\ubuntu\shimx64.efi which succeeds but is unable to verify either
\efi\ubuntu\shimx64.efi or \efi\ubuntu\grubx64.efi.


[1] https://git.launchpad.net/maas/tree/src/provisioningserver/templates/uefi/config.local.amd64.template
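To make the search order described in this comment concrete, here is an added Python model (not MAAS or shim code, and not from any participant in this thread). It walks the two candidates in the order config.local.amd64.template is described as trying them and applies shim's rule of loading grubx64.efi from the directory shim itself was loaded from. The ESP layout and the message strings are constructed to mirror the console output quoted in this bug; for a stock Ubuntu ESP, where GRUB is stored only under \efi\ubuntu, it reproduces the two "Not Found" messages and then succeeds on the second candidate. It models path resolution only: the later "Bootloader has not verified loaded image" halt is the signature-verification step, which this model does not cover.

```python
"""Model of the local-boot search that the MAAS grub.cfg performs, as
described in the comment above: try \\efi\\boot\\bootx64.efi first (the UEFI
default path), then \\efi\\ubuntu\\shimx64.efi. Each candidate is a shim, and
shim loads grubx64.efi from the directory it was itself loaded from.

Added example, not MAAS or shim code. The ESP layouts are constructed and the
messages mimic the console output quoted in the bug; only path resolution is
modelled, not the signature verification that produces the final halt.
"""

# Search order taken from the description of config.local.amd64.template.
MAAS_SEARCH_ORDER = (r"\efi\boot\bootx64.efi", r"\efi\ubuntu\shimx64.efi")

# Constructed layout of a stock Ubuntu ESP (FAT paths, case-insensitive).
UBUNTU_ESP = frozenset({
    r"\efi\boot\bootx64.efi",     # removable-media fallback copy of shim
    r"\efi\boot\fbx64.efi",
    r"\efi\ubuntu\shimx64.efi",
    r"\efi\ubuntu\grubx64.efi",   # GRUB is stored only here
    r"\efi\ubuntu\grub.cfg",
})


def sibling_grub(shim_path):
    """Path shim will try for its second stage: grubx64.efi next to itself."""
    directory = shim_path.rsplit("\\", 1)[0]
    return directory + r"\grubx64.efi"


def simulate_local_boot(esp, search_order=MAAS_SEARCH_ORDER):
    """Walk the candidates in order.

    Returns (path of the GRUB image that would run, or None if no candidate
    works, list of console-style messages explaining each attempt).
    """
    present = {p.lower() for p in esp}
    messages = []
    for shim in search_order:
        if shim.lower() not in present:
            messages.append(f"{shim} not present on ESP, trying next candidate")
            continue
        grub = sibling_grub(shim)
        if grub.lower() not in present:
            # The two messages quoted in the bug report come from this case:
            # shim at \efi\boot\bootx64.efi finds no \efi\boot\grubx64.efi.
            messages.append(f"Failed to open {grub} - Not Found")
            messages.append(f"Failed to load image {grub}: Not Found")
            continue
        messages.append(f"{shim} loaded {grub}")
        return grub, messages
    return None, messages


if __name__ == "__main__":
    grub, messages = simulate_local_boot(UBUNTU_ESP)
    print("\n".join(messages))
    print("GRUB that would run:", grub)
```

Adding a hypothetical \efi\boot\grubx64.efi to the constructed layout makes the first candidate succeed without any "Not Found" message, which is the path-resolution half of the problem; whether that second-stage image then verifies is a separate question this model does not answer.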

Re: [Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Steve Langasek
On Tue, May 19, 2020 at 08:59:46PM -, Lee Trager wrote:
> Based on the MAAS logs the halt happens after the remote shim, grub, and
> grub.cfg have been loaded. I didn't see anything in the console to show
> grub running but it may have been cleared before I could see it.

> Console output:

> Booting local disk...
> Failed to open \efi\boot\grubx64.efi - Not Found
> Failed to load image \efi\boot\grubx64.efi: Not Found
> start_image() returned Not Found


> Bootloader has not verified loaded image.
> System is compromised.  halting.

Doesn't this output show that it has successfully chained to the local shim,
since it's shim that is loading \efi\boot\grubx64.efi and those messages are
from shim?

What I don't currently understand is why this should behave any differently
with or without SecureBoot enabled; that will need digging into.  But the
specific error "Not found" certainly implies there is a difference in the
path resolution when secureboot is on.

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Lee Trager
Based on the MAAS logs the halt happens after the remote shim, grub, and
grub.cfg have been loaded. I didn't see anything in the console to show
grub running but it may have been cleared before I could see it.

Console output:

Booting local disk...
Failed to open \efi\boot\grubx64.efi - Not Found
Failed to load image \efi\boot\grubx64.efi: Not Found
start_image() returned Not Found


Bootloader has not verified loaded image.
System is compromised.  halting.


rackd.log

2020-05-19 20:54:04 provisioningserver.rackdservices.tftp: [info] bootx64.efi requested by 10.0.0.117
2020-05-19 20:54:04 provisioningserver.rackdservices.tftp: [info] bootx64.efi requested by 10.0.0.117
2020-05-19 20:54:05 provisioningserver.rackdservices.tftp: [info] grubx64.efi requested by 10.0.0.117
2020-05-19 20:54:06 provisioningserver.rackdservices.tftp: [info] /grub/x86_64-efi/command.lst requested by 10.0.0.117
2020-05-19 20:54:06 provisioningserver.rackdservices.tftp: [info] /grub/x86_64-efi/fs.lst requested by 10.0.0.117
2020-05-19 20:54:06 provisioningserver.rackdservices.tftp: [info] /grub/x86_64-efi/crypto.lst requested by 10.0.0.117
2020-05-19 20:54:06 provisioningserver.rackdservices.tftp: [info] /grub/x86_64-efi/terminal.lst requested by 10.0.0.117
2020-05-19 20:54:06 provisioningserver.rackdservices.tftp: [info] /grub/grub.cfg requested by 10.0.0.117
2020-05-19 20:54:06 provisioningserver.rackdservices.tftp: [info] /grub/grub.cfg-00:16:3e:49:52:7b requested by 10.0.0.117


You can reproduce this pretty easily with MAAS 2.8 and LXD Pods.

1. Install MAAS 2.8
2. Add an LXD Pod
3. Compose a machine in the LXD Pod and let it commission
4. Reenable secure boot in the LXD virtual machine
   lxc config edit 
   Delete the line 'security.secureboot: "false"'
5. Attempt to deploy Ubuntu
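The rackd.log excerpt above is the evidence used in this thread to decide where the chain stops: the rack controller's TFTP log shows every file the client fetched over the network. As an added example (not MAAS code, and not from any participant in this thread), here is a small Python parser that groups those TFTP requests per client, maps each requested file to the boot stage that asks for it and reports the furthest stage reached plus which per-machine grub.cfg was served. The embedded log lines are copied from the excerpt above; the stage mapping (bootx64.efi is the shim, grubx64.efi is GRUB, *.lst files are GRUB's module lists, grub.cfg* is the config) is my assumption, not something MAAS records.

```python
"""Reconstruct, from rackd.log TFTP lines, how far a client's network boot
chain got before the console reported a halt.

Added example, not MAAS code. The log lines are copied from the bug report
(client 10.0.0.117); the mapping from requested file to boot stage is my
own assumption about what each artifact is.
"""
import re
from collections import defaultdict

# Constructed from the rackd.log excerpt in the report (wrapped lines re-joined).
SAMPLE_LOG = """\
2020-05-19 20:54:04 provisioningserver.rackdservices.tftp: [info] bootx64.efi requested by 10.0.0.117
2020-05-19 20:54:04 provisioningserver.rackdservices.tftp: [info] bootx64.efi requested by 10.0.0.117
2020-05-19 20:54:05 provisioningserver.rackdservices.tftp: [info] grubx64.efi requested by 10.0.0.117
2020-05-19 20:54:06 provisioningserver.rackdservices.tftp: [info] /grub/x86_64-efi/command.lst requested by 10.0.0.117
2020-05-19 20:54:06 provisioningserver.rackdservices.tftp: [info] /grub/x86_64-efi/fs.lst requested by 10.0.0.117
2020-05-19 20:54:06 provisioningserver.rackdservices.tftp: [info] /grub/x86_64-efi/crypto.lst requested by 10.0.0.117
2020-05-19 20:54:06 provisioningserver.rackdservices.tftp: [info] /grub/x86_64-efi/terminal.lst requested by 10.0.0.117
2020-05-19 20:54:06 provisioningserver.rackdservices.tftp: [info] /grub/grub.cfg requested by 10.0.0.117
2020-05-19 20:54:06 provisioningserver.rackdservices.tftp: [info] /grub/grub.cfg-00:16:3e:49:52:7b requested by 10.0.0.117
"""

TFTP_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) provisioningserver\.rackdservices\.tftp: \[info\] "
    r"(?P<path>\S+) requested by (?P<client>\S+)$"
)
MAC_CONFIG = re.compile(r"grub\.cfg-([0-9A-Fa-f:]{17})$")


def classify(path):
    """Map a requested path to the boot stage that asks for it (assumed)."""
    name = path.rsplit("/", 1)[-1]
    if name == "bootx64.efi":
        return "shim"          # the firmware fetches shim under the default name
    if name == "grubx64.efi":
        return "grub"          # shim fetches the signed GRUB image
    if name.endswith(".lst"):
        return "grub-modules"  # GRUB has started and reads its module lists
    if name.startswith("grub.cfg"):
        return "grub-config"   # generic config, then the per-MAC one
    return "other"


def parse_tftp_log(text):
    """Return {client_ip: [(timestamp, path, stage), ...]} in log order."""
    requests = defaultdict(list)
    for line in text.splitlines():
        match = TFTP_LINE.match(line.strip())
        if match is None:
            continue  # not a TFTP request line; ignore it
        requests[match["client"]].append(
            (match["ts"], match["path"], classify(match["path"])))
    return dict(requests)


def boot_chain(requests, client):
    """Collapse a client's requests into the ordered list of distinct stages."""
    chain = []
    for _ts, _path, stage in requests.get(client, []):
        if not chain or chain[-1] != stage:
            chain.append(stage)
    return chain


def per_mac_config(requests, client):
    """MAC address of the machine-specific grub.cfg MAAS served, if any."""
    for _ts, path, _stage in requests.get(client, []):
        match = MAC_CONFIG.search(path)
        if match:
            return match.group(1)
    return None


if __name__ == "__main__":
    reqs = parse_tftp_log(SAMPLE_LOG)
    for client in reqs:
        print(client, "->", " -> ".join(boot_chain(reqs, client)),
              "| per-MAC config:", per_mac_config(reqs, client))
```

On the excerpt this yields shim -> grub -> grub-modules -> grub-config for 10.0.0.117: the network GRUB fetched its per-machine config, so everything after that (the hand-off to the local shim) happened without further TFTP traffic, which is why the console output, not the rack log, has to be read to locate the halt.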

Re: [Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Steve Langasek
On Tue, May 19, 2020 at 04:15:47PM -, Lee Trager wrote:
> I suspect but haven't verified that this may be due to the shim
> not being signed with a key GRUB has.

GRUB embeds no keys, it calls out to shim for verification of
signatures.

It would be helpful if someone could verify whether the boot chain is
stopping at the second shim, or at the second grub.

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Lee Trager
@Jeff MAAS uses the same bits as what the ISO uses. What is different is
how local booting happens with MAAS vs with the ISO. When installed with
the ISO the local boot process is UEFI Firmware -> Shim (from disk) ->
GRUB (from disk) -> Boot local kernel. When installed with MAAS the local
boot process is UEFI Firmware -> Shim (from network) -> GRUB (from
network) -> Shim (from disk) -> GRUB (from disk) -> Boot local kernel. The
chain of trust breaks when going from GRUB (from network) to Shim (from
disk). I suspect but haven't verified that this may be due to the shim
not being signed with a key GRUB has.

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Brian Murray
** Tags added: rls-ff-incoming

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Jeff Lane
FWIW, a partner is also hitting this in the field when trying to do
Secure Boot installs which break 100% of the time for them.

They have noted, however, that installing from ISO works and can
successfully install and boot on a secure boot enabled server.  They've
only tested Focal ISOs at this time, but this tells me that there's some
difference between what MAAS images are getting or have gotten, and what
the ISO has or is doing during install.


** Tags added: blocks-hwcert-server

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-19 Thread Ɓukasz Zemczak
** Tags added: rls-bb-incoming

[Bug 1865515] Re: Chainbooting from grub over the network to local shim breaks chain of trust

2020-05-15 Thread Lee Trager
For LXD Pods[1] we had to disable secure boot to get around this issue.
When this bug is fixed we should reenable secure boot for LXD Pods.

[1] https://git.launchpad.net/maas/tree/src/provisioningserver/drivers/pod/lxd.py#n515
