** Description changed: [Impact] Kernels are not loaded on arm64 since grub2 2.04 rebase [Test case] 1. Boot qemu qemu-system-aarch64 -m 1024 -cpu cortex-a53 -M virt -pflash ~/AAVMF_CODE.fd -pflash ~/AAVMF_VARS.fd -drive if=none,file=/home/jak/Downloads/focal-server-cloudimg- arm64.img,id=hd0,format=qcow2 -device virtio-blk-device,drive=hd0 -net user,hostfwd=tcp::10022-:22 -net nic -smp 8 -device ramfb -device nec- usb-xhci -device usb-tablet -device usb-kbd 2. Run sb-setup enroll microsoft from https://git.launchpad.net/qa- regression-testing/tree/notes_testing/secure-boot after sed s#x86_64#arm64#g s#x64#aa64#g to enroll the keys and put machine into secure boot mode 3. Verify that new grub works - 4. Reinstall old grub and check that it fails + 4a) Reinstall old grub and check that it fails + 4b) Remove kernel signature and check that kernel loading fails + [Regression potential] The changes are limited to grub-core/loader/arm64/linux.c, hence we can only break booting on non-secureboot arm64 (where it worked before) or introduce a security regression on secure boot systems (in case there's a bug). I've checked the code against fedora-34 patches, and did not see anything that looks like trouble, though, also we had it in bionic. [Original bug report] I tested out the new shim-signed (1.41+15+1552672080.a4a1fbe-0ubuntu1) on arm64 today. Unfortunately, I was unable to boot a kernel. I tried manually running commands in the GRUB shell to try and get more info, and here's the error I get: grub> insmod gzio grub> linux (hd0,gpt1)/boot/vmlinuz-5.4.0-13-generic grub> boot error: cannot load image. This is better then it was previously - shim used to crash before starting GRUB (bug 1811901 and bug 1811722). But obviously there are still issues somewhere. Prior to this shim binary being signed, I believe I had tested the unsigned binary in a VM using a custom signing certificate. I think I still have that VM around, so I maybe able to use it for comparison. = My setup = I tried to make this test simulate a real setup as much as possible. Here's roughly what I did: Installed an arm64 server w/ bionic # need a new QEMU for EnrollDefaultKeys.efi sudo apt-add-repository cloud-archive:train sudo apt update sudo apt install uvtool sudo gpasswd -a ubuntu libvirt # log out/back in # no focal images yet uvt-simplestreams-libvirt -v sync release=eoan uvt-kvm create focal arch=arm64 release=eoan uvt-kvm wait focal uvt-kvm ssh focal guest> sudo sed -i 's/eoan/focal/' /etc/apt/sources.list guest> # Also enabled focal-proposed to get latest shim-signed guest> sudo apt update guest> sudo apt dist-upgrade guest> sudo apt install shim-signed guest> sudo grub-install # On an x86 host, I built the latest edk2 package and copied out the AARCH64 build of # EnrollDefaultKeys.efi. I scp'd this over to the focal guest, and put it in the EFI # system partition guest> sudo poweroff virsh edit focal # Add the following to inject the Pk/KEK keys: # <qemu:commandline> # <qemu:arg value='-smbios'/> # <qemu:arg value='type=11,value=4e32566d-8e9e-4f52-81d3-5bb9715f9727:MIIDNjCCAh4CCQCUy69JzVan2DANBgkqhkiG9w0BAQsFADBdMS0wKwYDVQQDDCRVYnVudHUgT1ZNRiBTZWN1cmUgQm9vdCAoUEsvS0VLIGtleSkxLDAqBgkqhkiG9w0BCQEWHXVidW50dS1kZXZlbEBsaXN0cy51YnVudHUuY29tMB4XDTE4MDYyMDIxNDg0NloXDTI4MDYxNzIxNDg0NlowXTEtMCsGA1UEAwwkVWJ1bnR1IE9WTUYgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkpMSwwKgYJKoZIhvcNAQkBFh11YnVudHUtZGV2ZWxAbGlzdHMudWJ1bnR1LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuwK+l3nl5x6ebrHYVShs/7jPAKeTTMu4MQlTbNoOZvVQhOcedjkBNaPPdd63TBxYFAnJhUBLl9hW/GB5Fn9itT0yh5G64XCBafy3rJLF8L99VDUYEuvB+a3boYATCToVnODb8h0ImORBF8sgKZm65CJlgQ93YGZbjLePnuawhU2EVH2HFyLZEWjd3JPxstlzGj+JiwvETdFX/fHbnrW+fLCLEnLLZ/YPo6We0mtVTEqHWm6G5WUIbpzPzOOGpiCKHdI+VFsX7w1TBdMhCqnxcpLn7NRXEEgw+OQ5gnOLR9kTKI+MRkux9pDGZ5v9VMcPZi2iZTHRd9briIGOL/fo0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGLAtUs7fnf5oKU7E7+woUrHP03WXAwhTNI9eTs7YLPgwC2qGAGkzdUZUbzc4zS4SaItITlYYeWfZ9PvPhPGyIZOeuBMoUeBknsC2daRVX11aAcgOnQhxMD0WjSRG5nQ5rXRZ/NwYvctJR81l41kDToNqjBIjJ3FThzz8hHyMv/DCh3ch/X2Hj7ib+1IPfoHFk+mD/6e+y46wHWS5u0Bol9w4VBMwa3FYniFgKrAmnoiuo2br5fBbgH/7326lJ7Qb/H4mBLKz/c3iw4PF+KQxspc04tJdvQ+pDEtTUiXVE0zcBip2EJgPVK0szO5H6gtXbfyoTqDr1DKaD4x9JD3yKQ=='/> # </qemu:commandline> # virsh start focal; virsh console focal # Interrupt focal boot, drop to an EFI shell, then ran the following # which will load the PK/Kek1 and Microsoft keys and enable SecureBoot Shell> fs0: FS0:\> EnrollDefaultKeys.efi info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1 info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0 info: success FS0:\> reset -s # Then, finally, try and boot in SB mode: virsh start focal; virsh console focal
** Description changed: [Impact] Kernels are not loaded on arm64 since grub2 2.04 rebase [Test case] 1. Boot qemu qemu-system-aarch64 -m 1024 -cpu cortex-a53 -M virt -pflash ~/AAVMF_CODE.fd -pflash ~/AAVMF_VARS.fd -drive if=none,file=/home/jak/Downloads/focal-server-cloudimg- arm64.img,id=hd0,format=qcow2 -device virtio-blk-device,drive=hd0 -net user,hostfwd=tcp::10022-:22 -net nic -smp 8 -device ramfb -device nec- usb-xhci -device usb-tablet -device usb-kbd 2. Run sb-setup enroll microsoft from https://git.launchpad.net/qa- regression-testing/tree/notes_testing/secure-boot after sed s#x86_64#arm64#g s#x64#aa64#g to enroll the keys and put machine into secure boot mode 3. Verify that new grub works + 4. Parallel tests (take snapshot after 3) 4a) Reinstall old grub and check that it fails 4b) Remove kernel signature and check that kernel loading fails - [Regression potential] The changes are limited to grub-core/loader/arm64/linux.c, hence we can only break booting on non-secureboot arm64 (where it worked before) or introduce a security regression on secure boot systems (in case there's a bug). I've checked the code against fedora-34 patches, and did not see anything that looks like trouble, though, also we had it in bionic. [Original bug report] I tested out the new shim-signed (1.41+15+1552672080.a4a1fbe-0ubuntu1) on arm64 today. Unfortunately, I was unable to boot a kernel. I tried manually running commands in the GRUB shell to try and get more info, and here's the error I get: grub> insmod gzio grub> linux (hd0,gpt1)/boot/vmlinuz-5.4.0-13-generic grub> boot error: cannot load image. This is better then it was previously - shim used to crash before starting GRUB (bug 1811901 and bug 1811722). But obviously there are still issues somewhere. Prior to this shim binary being signed, I believe I had tested the unsigned binary in a VM using a custom signing certificate. I think I still have that VM around, so I maybe able to use it for comparison. = My setup = I tried to make this test simulate a real setup as much as possible. Here's roughly what I did: Installed an arm64 server w/ bionic # need a new QEMU for EnrollDefaultKeys.efi sudo apt-add-repository cloud-archive:train sudo apt update sudo apt install uvtool sudo gpasswd -a ubuntu libvirt # log out/back in # no focal images yet uvt-simplestreams-libvirt -v sync release=eoan uvt-kvm create focal arch=arm64 release=eoan uvt-kvm wait focal uvt-kvm ssh focal guest> sudo sed -i 's/eoan/focal/' /etc/apt/sources.list guest> # Also enabled focal-proposed to get latest shim-signed guest> sudo apt update guest> sudo apt dist-upgrade guest> sudo apt install shim-signed guest> sudo grub-install # On an x86 host, I built the latest edk2 package and copied out the AARCH64 build of # EnrollDefaultKeys.efi. I scp'd this over to the focal guest, and put it in the EFI # system partition guest> sudo poweroff virsh edit focal # Add the following to inject the Pk/KEK keys: # <qemu:commandline> # <qemu:arg value='-smbios'/> # <qemu:arg value='type=11,value=4e32566d-8e9e-4f52-81d3-5bb9715f9727:MIIDNjCCAh4CCQCUy69JzVan2DANBgkqhkiG9w0BAQsFADBdMS0wKwYDVQQDDCRVYnVudHUgT1ZNRiBTZWN1cmUgQm9vdCAoUEsvS0VLIGtleSkxLDAqBgkqhkiG9w0BCQEWHXVidW50dS1kZXZlbEBsaXN0cy51YnVudHUuY29tMB4XDTE4MDYyMDIxNDg0NloXDTI4MDYxNzIxNDg0NlowXTEtMCsGA1UEAwwkVWJ1bnR1IE9WTUYgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkpMSwwKgYJKoZIhvcNAQkBFh11YnVudHUtZGV2ZWxAbGlzdHMudWJ1bnR1LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuwK+l3nl5x6ebrHYVShs/7jPAKeTTMu4MQlTbNoOZvVQhOcedjkBNaPPdd63TBxYFAnJhUBLl9hW/GB5Fn9itT0yh5G64XCBafy3rJLF8L99VDUYEuvB+a3boYATCToVnODb8h0ImORBF8sgKZm65CJlgQ93YGZbjLePnuawhU2EVH2HFyLZEWjd3JPxstlzGj+JiwvETdFX/fHbnrW+fLCLEnLLZ/YPo6We0mtVTEqHWm6G5WUIbpzPzOOGpiCKHdI+VFsX7w1TBdMhCqnxcpLn7NRXEEgw+OQ5gnOLR9kTKI+MRkux9pDGZ5v9VMcPZi2iZTHRd9briIGOL/fo0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAGLAtUs7fnf5oKU7E7+woUrHP03WXAwhTNI9eTs7YLPgwC2qGAGkzdUZUbzc4zS4SaItITlYYeWfZ9PvPhPGyIZOeuBMoUeBknsC2daRVX11aAcgOnQhxMD0WjSRG5nQ5rXRZ/NwYvctJR81l41kDToNqjBIjJ3FThzz8hHyMv/DCh3ch/X2Hj7ib+1IPfoHFk+mD/6e+y46wHWS5u0Bol9w4VBMwa3FYniFgKrAmnoiuo2br5fBbgH/7326lJ7Qb/H4mBLKz/c3iw4PF+KQxspc04tJdvQ+pDEtTUiXVE0zcBip2EJgPVK0szO5H6gtXbfyoTqDr1DKaD4x9JD3yKQ=='/> # </qemu:commandline> # virsh start focal; virsh console focal # Interrupt focal boot, drop to an EFI shell, then ran the following # which will load the PK/Kek1 and Microsoft keys and enable SecureBoot Shell> fs0: FS0:\> EnrollDefaultKeys.efi info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1 info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0 info: success FS0:\> reset -s # Then, finally, try and boot in SB mode: virsh start focal; virsh console focal -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1862279 Title: arm64 Secure Boot fails w/ "error: cannot load image." To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1862279/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs