** Description changed:
- I tested out the new shim-signed (1.41+15+1552672080.a4a1fbe-0ubuntu1)
- on arm64 today. Unfortunately, I was unable to boot a kernel. I tried
- manually running commands in the GRUB shell to try and get more info,
- and here's the error I get:
+ [Impact]
+ Kernels are not loaded on arm64 since grub2 2.04 rebase
+
+ [Test case]
+
+ 1. Boot qemu
+
+ qemu-system-aarch64 -m 1024 -cpu cortex-a53 -M virt -pflash
+ ~/AAVMF_CODE.fd -pflash ~/AAVMF_VARS.fd -drive
+ if=none,file=/home/jak/Downloads/focal-server-cloudimg-
+ arm64.img,id=hd0,format=qcow2 -device virtio-blk-device,drive=hd0 -net
+ user,hostfwd=tcp::10022-:22 -net nic -smp 8 -device ramfb -device nec-
+ usb-xhci -device usb-tablet -device usb-kbd
+
+ 2. Run sb-setup enroll microsoft from https://git.launchpad.net/qa-
+ regression-testing/tree/notes_testing/secure-boot after sed
+ s#x86_64#arm64#g s#x64#aa64#g to enroll the keys and put machine into
+ secure boot mode
+
+ 3. Verify that new grub works
+
+ 4. Reinstall old grub and check that it fails
+
+ [Regression potential]
+ The changes are limited to grub-core/loader/arm64/linux.c, hence we can only
break booting on non-secureboot arm64 (where it worked before) or introduce a
security regression on secure boot systems (in case there's a bug). I've
checked the code against fedora-34 patches, and did not see anything that looks
like trouble, though.
+
+ [Original bug report]
+ I tested out the new shim-signed (1.41+15+1552672080.a4a1fbe-0ubuntu1) on
arm64 today. Unfortunately, I was unable to boot a kernel. I tried manually
running commands in the GRUB shell to try and get more info, and here's the
error I get:
grub> insmod gzio
grub> linux (hd0,gpt1)/boot/vmlinuz-5.4.0-13-generic
grub> boot
error: cannot load image.
This is better then it was previously - shim used to crash before
starting GRUB (bug 1811901 and bug 1811722). But obviously there are
still issues somewhere. Prior to this shim binary being signed, I
believe I had tested the unsigned binary in a VM using a custom signing
certificate. I think I still have that VM around, so I maybe able to use
it for comparison.
= My setup =
I tried to make this test simulate a real setup as much as possible. Here's
roughly what I did:
Installed an arm64 server w/ bionic
# need a new QEMU for EnrollDefaultKeys.efi
sudo apt-add-repository cloud-archive:train
sudo apt update
sudo apt install uvtool
sudo gpasswd -a ubuntu libvirt
# log out/back in
# no focal images yet
uvt-simplestreams-libvirt -v sync release=eoan
uvt-kvm create focal arch=arm64 release=eoan
uvt-kvm wait focal
uvt-kvm ssh focal
guest> sudo sed -i 's/eoan/focal/' /etc/apt/sources.list
guest> # Also enabled focal-proposed to get latest shim-signed
guest> sudo apt update
guest> sudo apt dist-upgrade
guest> sudo apt install shim-signed
guest> sudo grub-install
# On an x86 host, I built the latest edk2 package and copied out the AARCH64
build of
# EnrollDefaultKeys.efi. I scp'd this over to the focal guest, and put it in
the EFI
# system partition
guest> sudo poweroff
virsh edit focal
# Add the following to inject the Pk/KEK keys:
# <qemu:commandline>
# <qemu:arg value='-smbios'/>
# <qemu:arg
value='type=11,value=4e32566d-8e9e-4f52-81d3-5bb9715f9727:MIIDNjCCAh4CCQCUy69JzVan2DANBgkqhkiG9w0BAQsFADBdMS0wKwYDVQQDDCRVYnVudHUgT1ZNRiBTZWN1cmUgQm9vdCAoUEsvS0VLIGtleSkxLDAqBgkqhkiG9w0BCQEWHXVidW50dS1kZXZlbEBsaXN0cy51YnVudHUuY29tMB4XDTE4MDYyMDIxNDg0NloXDTI4MDYxNzIxNDg0NlowXTEtMCsGA1UEAwwkVWJ1bnR1IE9WTUYgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkpMSwwKgYJKoZIhvcNAQkBFh11YnVudHUtZGV2ZWxAbGlzdHMudWJ1bnR1LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuwK+l3nl5x6ebrHYVShs/7jPAKeTTMu4MQlTbNoOZvVQhOcedjkBNaPPdd63TBxYFAnJhUBLl9hW/GB5Fn9itT0yh5G64XCBafy3rJLF8L99VDUYEuvB+a3boYATCToVnODb8h0ImORBF8sgKZm65CJlgQ93YGZbjLePnuawhU2EVH2HFyLZEWjd3JPxstlzGj+JiwvETdFX/fHbnrW+fLCLEnLLZ/YPo6We0mtVTEqHWm6G5WUIbpzPzOOGpiCKHdI+VFsX7w1TBdMhCqnxcpLn7NRXEEgw+OQ5gnOLR9kTKI+MRkux9pDGZ5v9VMcPZi2iZTHRd9briIGOL/fo0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGLAtUs7fnf5oKU7E7+woUrHP03WXAwhTNI9eTs7YLPgwC2qGAGkzdUZUbzc4zS4SaItITlYYeWfZ9PvPhPGyIZOeuBMoUeBknsC2daRVX11aAcgOnQhxMD0WjSRG5nQ5rXRZ/NwYvctJR81l41kDToNqjBIjJ3FThzz8hHyMv/DCh3ch/X2Hj7ib+1IPfoHFk+mD/6e+y46wHWS5u0Bol9w4VBMwa3FYniFgKrAmnoiuo2br5fBbgH/7326lJ7Qb/H4mBLKz/c3iw4PF+KQxspc04tJdvQ+pDEtTUiXVE0zcBip2EJgPVK0szO5H6gtXbfyoTqDr1DKaD4x9JD3yKQ=='/>
# </qemu:commandline>
#
virsh start focal; virsh console focal
# Interrupt focal boot, drop to an EFI shell, then ran the following
# which will load the PK/Kek1 and Microsoft keys and enable SecureBoot
Shell> fs0:
FS0:\> EnrollDefaultKeys.efi
info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
info: success
FS0:\> reset -s
# Then, finally, try and boot in SB mode:
virsh start focal; virsh console focal
** Changed in: grub2-signed (Ubuntu)
Status: Confirmed => Fix Committed
** Changed in: grub2 (Ubuntu)
Status: Confirmed => Fix Committed
** Also affects: grub2 (Ubuntu Focal)
Importance: Undecided
Status: New
** Also affects: shim (Ubuntu Focal)
Importance: Undecided
Status: New
** Also affects: grub2-signed (Ubuntu Focal)
Importance: Undecided
Status: New
** Also affects: grub2 (Ubuntu Groovy)
Importance: Undecided
Status: Fix Committed
** Also affects: shim (Ubuntu Groovy)
Importance: Undecided
Status: Invalid
** Also affects: grub2-signed (Ubuntu Groovy)
Importance: Undecided
Status: Fix Committed
** No longer affects: shim (Ubuntu)
** No longer affects: shim (Ubuntu Focal)
** No longer affects: shim (Ubuntu Groovy)
** Changed in: grub2-signed (Ubuntu Focal)
Status: New => Triaged
** Changed in: grub2 (Ubuntu Focal)
Status: New => Triaged
** Description changed:
[Impact]
Kernels are not loaded on arm64 since grub2 2.04 rebase
[Test case]
1. Boot qemu
qemu-system-aarch64 -m 1024 -cpu cortex-a53 -M virt -pflash
~/AAVMF_CODE.fd -pflash ~/AAVMF_VARS.fd -drive
if=none,file=/home/jak/Downloads/focal-server-cloudimg-
arm64.img,id=hd0,format=qcow2 -device virtio-blk-device,drive=hd0 -net
user,hostfwd=tcp::10022-:22 -net nic -smp 8 -device ramfb -device nec-
usb-xhci -device usb-tablet -device usb-kbd
2. Run sb-setup enroll microsoft from https://git.launchpad.net/qa-
regression-testing/tree/notes_testing/secure-boot after sed
s#x86_64#arm64#g s#x64#aa64#g to enroll the keys and put machine into
secure boot mode
3. Verify that new grub works
4. Reinstall old grub and check that it fails
[Regression potential]
- The changes are limited to grub-core/loader/arm64/linux.c, hence we can only
break booting on non-secureboot arm64 (where it worked before) or introduce a
security regression on secure boot systems (in case there's a bug). I've
checked the code against fedora-34 patches, and did not see anything that looks
like trouble, though.
+ The changes are limited to grub-core/loader/arm64/linux.c, hence we can only
break booting on non-secureboot arm64 (where it worked before) or introduce a
security regression on secure boot systems (in case there's a bug). I've
checked the code against fedora-34 patches, and did not see anything that looks
like trouble, though, also we had it in bionic.
[Original bug report]
I tested out the new shim-signed (1.41+15+1552672080.a4a1fbe-0ubuntu1) on
arm64 today. Unfortunately, I was unable to boot a kernel. I tried manually
running commands in the GRUB shell to try and get more info, and here's the
error I get:
grub> insmod gzio
grub> linux (hd0,gpt1)/boot/vmlinuz-5.4.0-13-generic
grub> boot
error: cannot load image.
This is better then it was previously - shim used to crash before
starting GRUB (bug 1811901 and bug 1811722). But obviously there are
still issues somewhere. Prior to this shim binary being signed, I
believe I had tested the unsigned binary in a VM using a custom signing
certificate. I think I still have that VM around, so I maybe able to use
it for comparison.
= My setup =
I tried to make this test simulate a real setup as much as possible. Here's
roughly what I did:
Installed an arm64 server w/ bionic
# need a new QEMU for EnrollDefaultKeys.efi
sudo apt-add-repository cloud-archive:train
sudo apt update
sudo apt install uvtool
sudo gpasswd -a ubuntu libvirt
# log out/back in
# no focal images yet
uvt-simplestreams-libvirt -v sync release=eoan
uvt-kvm create focal arch=arm64 release=eoan
uvt-kvm wait focal
uvt-kvm ssh focal
guest> sudo sed -i 's/eoan/focal/' /etc/apt/sources.list
guest> # Also enabled focal-proposed to get latest shim-signed
guest> sudo apt update
guest> sudo apt dist-upgrade
guest> sudo apt install shim-signed
guest> sudo grub-install
# On an x86 host, I built the latest edk2 package and copied out the AARCH64
build of
# EnrollDefaultKeys.efi. I scp'd this over to the focal guest, and put it in
the EFI
# system partition
guest> sudo poweroff
virsh edit focal
# Add the following to inject the Pk/KEK keys:
# <qemu:commandline>
# <qemu:arg value='-smbios'/>
# <qemu:arg
value='type=11,value=4e32566d-8e9e-4f52-81d3-5bb9715f9727:MIIDNjCCAh4CCQCUy69JzVan2DANBgkqhkiG9w0BAQsFADBdMS0wKwYDVQQDDCRVYnVudHUgT1ZNRiBTZWN1cmUgQm9vdCAoUEsvS0VLIGtleSkxLDAqBgkqhkiG9w0BCQEWHXVidW50dS1kZXZlbEBsaXN0cy51YnVudHUuY29tMB4XDTE4MDYyMDIxNDg0NloXDTI4MDYxNzIxNDg0NlowXTEtMCsGA1UEAwwkVWJ1bnR1IE9WTUYgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkpMSwwKgYJKoZIhvcNAQkBFh11YnVudHUtZGV2ZWxAbGlzdHMudWJ1bnR1LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuwK+l3nl5x6ebrHYVShs/7jPAKeTTMu4MQlTbNoOZvVQhOcedjkBNaPPdd63TBxYFAnJhUBLl9hW/GB5Fn9itT0yh5G64XCBafy3rJLF8L99VDUYEuvB+a3boYATCToVnODb8h0ImORBF8sgKZm65CJlgQ93YGZbjLePnuawhU2EVH2HFyLZEWjd3JPxstlzGj+JiwvETdFX/fHbnrW+fLCLEnLLZ/YPo6We0mtVTEqHWm6G5WUIbpzPzOOGpiCKHdI+VFsX7w1TBdMhCqnxcpLn7NRXEEgw+OQ5gnOLR9kTKI+MRkux9pDGZ5v9VMcPZi2iZTHRd9briIGOL/fo0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGLAtUs7fnf5oKU7E7+woUrHP03WXAwhTNI9eTs7YLPgwC2qGAGkzdUZUbzc4zS4SaItITlYYeWfZ9PvPhPGyIZOeuBMoUeBknsC2daRVX11aAcgOnQhxMD0WjSRG5nQ5rXRZ/NwYvctJR81l41kDToNqjBIjJ3FThzz8hHyMv/DCh3ch/X2Hj7ib+1IPfoHFk+mD/6e+y46wHWS5u0Bol9w4VBMwa3FYniFgKrAmnoiuo2br5fBbgH/7326lJ7Qb/H4mBLKz/c3iw4PF+KQxspc04tJdvQ+pDEtTUiXVE0zcBip2EJgPVK0szO5H6gtXbfyoTqDr1DKaD4x9JD3yKQ=='/>
# </qemu:commandline>
#
virsh start focal; virsh console focal
# Interrupt focal boot, drop to an EFI shell, then ran the following
# which will load the PK/Kek1 and Microsoft keys and enable SecureBoot
Shell> fs0:
FS0:\> EnrollDefaultKeys.efi
info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
info: success
FS0:\> reset -s
# Then, finally, try and boot in SB mode:
virsh start focal; virsh console focal
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1862279
Title:
arm64 Secure Boot fails w/ "error: cannot load image."
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1862279/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
