GCE shielded VM integrity monitoring reports errors
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
livecd-rootfs (Ubuntu) | Fix Released | Undecided | Ivan Kapelyukhin |
Focal | Fix Released | Undecided | Ivan Kapelyukhin |
Impish | Fix Released | Undecided | Ivan Kapelyukhin |
Jammy | Fix Released | Undecided | Ivan Kapelyukhin |
Bug Description
[Impact]
* GCE shielded VM instances created from official Ubuntu images starting with focal get integrity monitoring errors after the second reboot, without any actions or changes by the user.
* This is due to `initrdless_
[Test Plan]
* To reproduce the bug:
1. Create a GCE shielded VM instance with integrity monitoring enabled:
a) focal:
gcloud compute instances create \
--zone "europe-west1-d" \
--scopes https:/
b) impish:
gcloud compute instances create \
--zone "europe-west1-d" \
--scopes https:/
c) jammy:
gcloud compute instances create \
--zone "europe-west1-d" \
--scopes https:/
2. SSH into the instance and reboot it: `sudo reboot`
3. After the instance is rebooted, check integrity monitoring logs:
a) The easy way -- SSH into the instance and run:
curl -sSf https:/
b) Alternatively, see the logs in the web console: https:/
* To verify the fix:
1. Build a custom image with the fixed version of `livecd-rootfs`
2. Upload it to GCE
3. Register it in GCE with the same secureboot DBX as the official images
4. Create an instance
5. Reboot it
6. Check integrity logs
[Where problems could occur]
* Any code that expects `initrdless_
would break.
[Other Info]
* I will build and register custom images the same way official images are built and registered by CPC.
* I can also spin up instances created from official/custom images and provide SSH access to them on request for bug reproduction/fix verification.
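Step 3 of the test plan checks the instance's integrity monitoring logs. The script below is an added example, not part of the bug report or of livecd-rootfs: it takes a handful of log entries in the shape of GCE shielded VM integrity events (constructed here, with made-up PCR values), finds every early/late boot report whose policy evaluation failed, and lists the PCRs whose actual measurement diverged from the policy baseline. The field names (`bootCounter`, `earlyBootReportEvent`, `lateBootReportEvent`, `policyEvaluationPassed`, `policyMeasurements`, `actualMeasurements`, `pcrNum`) and the `shielded_vm_integrity` log name are taken from memory of the GCE integrity event format and are assumptions to verify against a real entry from the console.

```python
import json

# Type marker carried by GCE shielded VM integrity events (assumption, see lead-in).
INTEGRITY_EVENT_TYPE = "type.googleapis.com/cloud_integrity.IntegrityEvent"

# Constructed sample log lines, one JSON object per line, as `gcloud logging read
# --format=json` style entries would look after splitting. Not real captures;
# the PCR digests are placeholders.
SAMPLE_LOG_LINES = [
    # First boot: baseline recorded, both reports pass.
    '{"jsonPayload": {"@type": "type.googleapis.com/cloud_integrity.IntegrityEvent", '
    '"bootCounter": "1", "startupEvent": {}}}',
    '{"jsonPayload": {"@type": "type.googleapis.com/cloud_integrity.IntegrityEvent", '
    '"bootCounter": "1", "lateBootReportEvent": {"policyEvaluationPassed": true, '
    '"policyMeasurements": [{"pcrNum": "PCR_8", "hashAlgo": "SHA256", "value": "aa11"}, '
    '{"pcrNum": "PCR_9", "hashAlgo": "SHA256", "value": "bb22"}], '
    '"actualMeasurements": [{"pcrNum": "PCR_8", "hashAlgo": "SHA256", "value": "aa11"}, '
    '{"pcrNum": "PCR_9", "hashAlgo": "SHA256", "value": "bb22"}]}}}',
    # Second boot: a measured boot input changed, late boot report fails on PCR_9.
    '{"jsonPayload": {"@type": "type.googleapis.com/cloud_integrity.IntegrityEvent", '
    '"bootCounter": "2", "lateBootReportEvent": {"policyEvaluationPassed": false, '
    '"policyMeasurements": [{"pcrNum": "PCR_8", "hashAlgo": "SHA256", "value": "aa11"}, '
    '{"pcrNum": "PCR_9", "hashAlgo": "SHA256", "value": "bb22"}], '
    '"actualMeasurements": [{"pcrNum": "PCR_8", "hashAlgo": "SHA256", "value": "aa11"}, '
    '{"pcrNum": "PCR_9", "hashAlgo": "SHA256", "value": "cc33"}]}}}',
    # Unrelated entry that must be ignored.
    '{"jsonPayload": {"message": "serial console noise"}}',
]


def measurement_map(measurements):
    """Index a policy/actual measurement list by PCR name."""
    return {m["pcrNum"]: m["value"] for m in measurements}


def find_integrity_failures(lines):
    """Return one record per failed boot report: which boot, which phase, which PCRs diverged."""
    failures = []
    for line in lines:
        payload = json.loads(line).get("jsonPayload", {})
        if payload.get("@type") != INTEGRITY_EVENT_TYPE:
            continue
        for phase in ("earlyBootReportEvent", "lateBootReportEvent"):
            report = payload.get(phase)
            if report is None or report.get("policyEvaluationPassed", False):
                continue
            policy = measurement_map(report.get("policyMeasurements", []))
            actual = measurement_map(report.get("actualMeasurements", []))
            # A PCR missing on either side also counts as divergence.
            diverged = sorted(
                pcr for pcr in set(policy) | set(actual) if policy.get(pcr) != actual.get(pcr)
            )
            failures.append({"boot": payload.get("bootCounter"), "phase": phase, "pcrs": diverged})
    return failures


def integrity_log_filter(project_id):
    """Logs Explorer / `gcloud logging read` filter selecting failed late boot reports.

    The log name is the one I recall GCE using for shielded VM integrity events
    (assumption); adjust if your project's entries show a different logName.
    """
    return (
        f'logName="projects/{project_id}/logs/compute.googleapis.com%2Fshielded_vm_integrity" '
        'AND jsonPayload.lateBootReportEvent.policyEvaluationPassed=false'
    )


if __name__ == "__main__":
    for failure in find_integrity_failures(SAMPLE_LOG_LINES):
        print(f"boot {failure['boot']}: {failure['phase']} failed, PCRs diverged: {failure['pcrs']}")
    print("filter:", integrity_log_filter("my-project"))
```

Feed it the output of `gcloud logging read '<filter>' --format=json` split into one entry per line, or the raw JSON from the console export; the PCR list tells you whether the change sits in the boot-loader command stream or in a loaded file, which is what distinguishes this grubenv issue from a tampered kernel.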
description: updated
Changed in livecd-rootfs (Ubuntu):
  assignee: nobody → Ivan Kapelyukhin (ikapelyukhin)
Changed in livecd-rootfs (Ubuntu Impish):
  assignee: nobody → Ivan Kapelyukhin (ikapelyukhin)
Changed in livecd-rootfs (Ubuntu Focal):
  assignee: nobody → Ivan Kapelyukhin (ikapelyukhin)
This bug was fixed in the package livecd-rootfs - 2.756
---------------
livecd-rootfs (2.756) jammy; urgency=medium
* Unset `initrdless_boot_fallback_triggered` in /boot/grub/grubenv instead
of setting it to 0 when the fallback is not triggered to prevent integrity
monitoring errors on GCE. (LP: #1960564)
-- Ivan Kapelyukhin <email address hidden> Thu, 10 Feb 2022 23:45:57 +0100
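Why unsetting the variable fixes the integrity errors while writing `0` does not: the shipped image has no `initrdless_boot_fallback_triggered` entry in /boot/grub/grubenv, and GRUB's environment block is one of the inputs that end up in the measured boot chain. Writing `=0` on the first boot changes that file after the baseline has been taken, so every later boot measures something different from the baseline; unsetting it leaves the file exactly as shipped. The script below is an added example (not code from livecd-rootfs or GRUB) that models the grubenv format as `grub-editenv` writes it (a 1024-byte block starting with `# GRUB Environment Block`, `name=value` lines, `#` padding) and compares a SHA-256 of the block across boots under the old and the fixed behaviour. Treating the hash of the file as a stand-in for the PCR measurement, and taking the first boot's value as the baseline, are modelling assumptions.

```python
import hashlib

ENV_SIZE = 1024                              # grubenv is a fixed-size block
HEADER = b"# GRUB Environment Block\n"
VAR = "initrdless_boot_fallback_triggered"


def build_grubenv(env):
    """Serialise a dict to a grubenv block: header, name=value lines, '#' padding."""
    body = HEADER + b"".join(f"{k}={v}\n".encode() for k, v in env.items())
    if len(body) > ENV_SIZE:
        raise ValueError("environment does not fit in the grubenv block")
    return body + b"#" * (ENV_SIZE - len(body))


def parse_grubenv(block):
    """Parse a grubenv block back into a dict; the trailing '#' run is padding."""
    if len(block) != ENV_SIZE or not block.startswith(HEADER):
        raise ValueError("not a grubenv block")
    env = {}
    for line in block[len(HEADER):].split(b"\n"):
        if not line or line.strip(b"#") == b"":
            continue                          # empty line or padding
        name, _, value = line.partition(b"=")
        env[name.decode()] = value.decode()
    return env


def measure(block):
    """Stand-in for the TPM measurement of the file (assumption: file content is what matters)."""
    return hashlib.sha256(block).hexdigest()


def boot_old(block, fallback_triggered):
    """Pre-2.756 behaviour: always save the flag, writing 0 when no fallback happened."""
    env = parse_grubenv(block)
    env[VAR] = "1" if fallback_triggered else "0"
    return build_grubenv(env)


def boot_fixed(block, fallback_triggered):
    """2.756 behaviour: set the flag only on fallback, otherwise unset it."""
    env = parse_grubenv(block)
    if fallback_triggered:
        env[VAR] = "1"
    else:
        env.pop(VAR, None)
    return build_grubenv(env)


def measurements_over_boots(boot_policy, boots=3):
    """Measure grubenv at each boot, then let grub.cfg update it for the next one."""
    block = build_grubenv({})                 # shipped image: variable absent
    digests = []
    for _ in range(boots):
        digests.append(measure(block))        # measured before grub.cfg runs
        block = boot_policy(block, fallback_triggered=False)
    return digests


def baseline_stable(boot_policy, boots=3):
    """True if every boot measures the same value as the first (baseline) boot."""
    return len(set(measurements_over_boots(boot_policy, boots))) == 1


if __name__ == "__main__":
    for name, policy in (("set to 0", boot_old), ("unset", boot_fixed)):
        digests = measurements_over_boots(policy)
        print(f"{name:9s} stable={baseline_stable(policy)} first={digests[0][:12]} later={digests[-1][:12]}")
```

The same reasoning applies to any file GRUB reads on every boot: anything grub.cfg writes back must already be in that state in the published image, or the first boot and every later boot disagree and integrity monitoring will flag the instance even though nothing was tampered with.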