2020-03-02 15:13:47 |
Rod Smith |
bug |
|
|
added bug |
2020-03-02 16:20:29 |
Lee Trager |
maas: status |
New |
Incomplete |
|
2020-03-10 10:08:19 |
Adam Collard |
maas: status |
Incomplete |
Confirmed |
|
2020-04-20 15:50:32 |
Adam Collard |
maas: milestone |
|
2.8.0b2 |
|
2020-04-24 12:50:09 |
Alberto Donato |
maas: milestone |
2.8.0b2 |
2.8.0rc1 |
|
2020-04-29 12:36:45 |
Rex Tsai |
bug |
|
|
added subscriber Rex Tsai |
2020-05-01 18:48:25 |
Alberto Donato |
maas: milestone |
2.8.0b3 |
2.8.0rc1 |
|
2020-05-11 11:44:42 |
Alberto Donato |
maas: milestone |
2.8.0b4 |
2.8.0rc1 |
|
2020-05-16 00:14:36 |
Lee Trager |
bug task added |
|
shim-signed (Ubuntu) |
|
2020-05-16 00:14:56 |
Lee Trager |
bug task added |
|
grub (Ubuntu) |
|
2020-05-16 00:15:10 |
Lee Trager |
grub (Ubuntu): status |
New |
Confirmed |
|
2020-05-16 00:15:13 |
Lee Trager |
shim-signed (Ubuntu): status |
New |
Confirmed |
|
2020-05-16 00:15:46 |
Lee Trager |
summary |
MAAS can't deploy to a server with Secure Boot active |
Chainbooting from grub over the network to local shim breaks chain of trust |
|
2020-05-19 07:41:49 |
Łukasz Zemczak |
tags |
|
rls-bb-incoming |
|
2020-05-19 14:38:10 |
Brian Murray |
tags |
rls-bb-incoming |
rls-bb-incoming rls-ff-incoming |
|
2020-05-19 14:42:34 |
Jeff Lane |
tags |
rls-bb-incoming rls-ff-incoming |
blocks-hwcert-server rls-bb-incoming rls-ff-incoming |
|
2020-06-03 13:56:43 |
Dimitri John Ledkov |
shim-signed (Ubuntu): status |
Confirmed |
Incomplete |
|
2020-06-03 13:56:45 |
Dimitri John Ledkov |
grub (Ubuntu): status |
Confirmed |
Incomplete |
|
2020-06-03 16:24:46 |
Rod Smith |
attachment added |
|
grubx64.efi from a MAAS server https://bugs.launchpad.net/maas/+bug/1865515/+attachment/5380059/+files/grubx64.efi |
|
2020-06-03 20:39:17 |
Julian Andres Klode |
shim-signed (Ubuntu): status |
Incomplete |
Confirmed |
|
2020-06-03 20:39:20 |
Julian Andres Klode |
grub (Ubuntu): status |
Incomplete |
Confirmed |
|
2020-06-03 20:39:39 |
Julian Andres Klode |
shim-signed (Ubuntu): status |
Confirmed |
Triaged |
|
2020-06-03 20:39:42 |
Julian Andres Klode |
grub (Ubuntu): status |
Confirmed |
Triaged |
|
2020-06-04 12:40:28 |
Alberto Donato |
maas: milestone |
2.8.0rc1 |
2.8.0 |
|
2020-06-11 07:24:37 |
Alberto Donato |
maas: milestone |
2.8.0rc3 |
2.8.0 |
|
2020-06-11 15:06:03 |
Steve Langasek |
affects |
grub (Ubuntu) |
grub2 (Ubuntu) |
|
2020-06-12 12:32:35 |
Francis Ginther |
tags |
blocks-hwcert-server rls-bb-incoming rls-ff-incoming |
blocks-hwcert-server id-5ee24d297b5c2a5aa43fda04 rls-bb-incoming rls-ff-incoming |
|
2020-06-23 10:46:36 |
Alberto Donato |
maas: milestone |
2.8.0 |
2.9.0b1 |
|
2020-06-24 20:43:03 |
Paul Larson |
bug |
|
|
added subscriber Paul Larson |
2020-06-30 11:01:05 |
Adam Collard |
tags |
blocks-hwcert-server id-5ee24d297b5c2a5aa43fda04 rls-bb-incoming rls-ff-incoming |
blocks-hwcert-server id-5ee24d297b5c2a5aa43fda04 maas-grub rls-bb-incoming rls-ff-incoming |
|
2020-07-02 15:35:35 |
Brian Murray |
nominated for series |
|
Ubuntu Groovy |
|
2020-07-02 15:35:35 |
Brian Murray |
bug task added |
|
grub2 (Ubuntu Groovy) |
|
2020-07-02 15:35:35 |
Brian Murray |
bug task added |
|
shim-signed (Ubuntu Groovy) |
|
2020-07-02 15:35:35 |
Brian Murray |
nominated for series |
|
Ubuntu Focal |
|
2020-07-02 15:35:35 |
Brian Murray |
bug task added |
|
grub2 (Ubuntu Focal) |
|
2020-07-02 15:35:35 |
Brian Murray |
bug task added |
|
shim-signed (Ubuntu Focal) |
|
2020-07-02 15:37:01 |
Brian Murray |
tags |
blocks-hwcert-server id-5ee24d297b5c2a5aa43fda04 maas-grub rls-bb-incoming rls-ff-incoming |
blocks-hwcert-server id-5ee24d297b5c2a5aa43fda04 maas-grub |
|
2020-09-08 23:41:18 |
Lee Trager |
maas: milestone |
2.9.0b1 |
2.9.0b2 |
|
2020-09-14 14:05:02 |
Ian Johnson |
bug |
|
|
added subscriber Ian Johnson |
2020-09-17 16:13:05 |
Julian Andres Klode |
bug watch added |
|
https://github.com/rhboot/shim/issues/221 |
|
2020-09-17 16:13:05 |
Julian Andres Klode |
bug task added |
|
shim |
|
2020-09-17 22:59:18 |
Bug Watch Updater |
shim: status |
Unknown |
New |
|
2020-09-19 19:39:44 |
Lee Trager |
maas: milestone |
2.9.0b2 |
2.9.0b3 |
|
2020-09-19 19:42:05 |
Lee Trager |
maas: milestone |
2.9.0b3 |
2.9.0b4 |
|
2020-10-02 08:05:34 |
Björn Tillenius |
maas: status |
Confirmed |
Triaged |
|
2020-10-02 08:05:37 |
Björn Tillenius |
maas: importance |
Undecided |
High |
|
2020-10-14 15:48:45 |
Matthieu Clemenceau |
tags |
blocks-hwcert-server id-5ee24d297b5c2a5aa43fda04 maas-grub |
blocks-hwcert-server fr-24 id-5ee24d297b5c2a5aa43fda04 maas-grub |
|
2020-10-16 19:22:50 |
Lee Trager |
maas: milestone |
2.9.0b4 |
2.9.0b7 |
|
2020-10-20 16:55:06 |
Adam Collard |
maas: milestone |
2.9.0b7 |
2.9.x |
|
2020-12-29 08:14:15 |
Rex Tsai |
bug task added |
|
oem-priority |
|
2020-12-29 08:20:48 |
Rex Tsai |
oem-priority: assignee |
|
ethan.hsieh (ethan.hsieh) |
|
2020-12-29 08:20:50 |
Rex Tsai |
oem-priority: importance |
Undecided |
Critical |
|
2021-01-03 21:20:24 |
Rex Tsai |
tags |
blocks-hwcert-server fr-24 id-5ee24d297b5c2a5aa43fda04 maas-grub |
blocks-hwcert-server fr-24 id-5ee24d297b5c2a5aa43fda04 maas-grub oem-priority |
|
2021-01-07 12:25:02 |
Dimitri John Ledkov |
grub2 (Ubuntu): status |
Triaged |
Fix Released |
|
2021-01-07 12:25:08 |
Dimitri John Ledkov |
grub2 (Ubuntu Focal): status |
New |
Triaged |
|
2021-01-07 12:25:12 |
Dimitri John Ledkov |
shim-signed (Ubuntu): status |
Triaged |
Invalid |
|
2021-01-07 12:25:16 |
Dimitri John Ledkov |
shim-signed (Ubuntu Focal): status |
New |
Invalid |
|
2021-01-07 12:25:19 |
Dimitri John Ledkov |
shim-signed (Ubuntu Groovy): status |
Triaged |
Invalid |
|
2021-01-07 21:00:39 |
Yuan-Chen Cheng |
oem-priority: status |
New |
Confirmed |
|
2021-01-14 10:38:52 |
Dimitri John Ledkov |
description |
MAAS (2.4.2 and 2.6.2) cannot deploy to a server with Secure Boot active. This appears to be a regression of bug #1711203; the symptoms are identical. Namely:
1) The system can begin deployment fine.
2) After deployment is complete except for the final reboot, the
system will reboot.
3) GRUB appears briefly on the screen.
4) The system console briefly displays the message:
Bootloader has not verified loaded image
System is compromised. halting.
5) The node powers off.
6) Eventually MAAS times out on the deployment and declares
that it's failed.
I've verified this on three MAAS servers and one node each (jehan, a Quanta QuantaGrid D52B-1U in 18T; capella, a Supermicro SYS-6028U-TR4+ in 1SS, and brennan, an Intel NUC DC53427HYE on my home network).
Two of the MAAS servers are running MAAS 2.6.2-7841-ga10625be3-0ubuntu1~18.04.1; the third is on 2.4.2-7034-g2f5deb8b8-0ubuntu1. |
[Impact]
* UEFI Grub currently doesn't support exiting with an unsuccessful exit code. That means, a booted grub cannot determine that it should not be booting, exit, remove the installed shim protocol and ask the firmware to boot the next BootOrder BootEntry. Without this support livecd grub.cfg cannot perform "boot from local harddrive" or grub booted over the network cannot exit to continue regular boot off the harddrive, whilst preserving SecureBoot.
[Test Case]
* On a regular Ubuntu install, with UEFI and SecureBoot on, upgrade to new grub2 from proposed.
* Insert any Ubuntu installation CD as cdrom or usb-stick.
* Add a new UEFI boot entry for the CD or the usb-stick using efibootmgr, or by using your firmware settings (sudo systemctl reboot --firmware-setup)
* Make sure the regular Ubuntu install is the first in the BootOrder, followed by the cdrom/usb-stick.
* Start regular boot, interrupt it with Esc, and enter the grub shell by pressing 'c'
* Check that the new version of grub is running by doing
* echo "${package_version}"
* Next type `exit 1`
* The current boot should reset and the boot off the installation media should proceed
* The grub menu options will look different
* Complete the boot, observe that one ended up in the livecd / installer environment and that secureboot is on by checking the output of `bootctl`.
[Where problems could occur]
* `exit` command of grub has changed to accept optional arguments that are no-op on all platforms, but uefi as that's the only one that supports passing return status. However some might attempt to use this on non-uefi platforms in vain. Previously exit command accepted no arguments. One might start to rely on this functionality whilst using mismatched grubs - for example this is not available in Debian or Upstream, but is starting to be available in Ubuntu and has been available in Fedora/CentOS for a while now. No regular boot flows use `exit` command to boot.
[Other Info]
* Original bug report:
MAAS (2.4.2 and 2.6.2) cannot deploy to a server with Secure Boot active. This appears to be a regression of bug #1711203; the symptoms are identical. Namely:
1) The system can begin deployment fine.
2) After deployment is complete except for the final reboot, the
system will reboot.
3) GRUB appears briefly on the screen.
4) The system console briefly displays the message:
Bootloader has not verified loaded image
System is compromised. halting.
5) The node powers off.
6) Eventually MAAS times out on the deployment and declares
that it's failed.
I've verified this on three MAAS servers and one node each (jehan, a Quanta QuantaGrid D52B-1U in 18T; capella, a Supermicro SYS-6028U-TR4+ in 1SS, and brennan, an Intel NUC DC53427HYE on my home network).
Two of the MAAS servers are running MAAS 2.6.2-7841-ga10625be3-0ubuntu1~18.04.1; the third is on 2.4.2-7034-g2f5deb8b8-0ubuntu1. |
|
2021-01-16 19:24:01 |
Alex Tu |
bug |
|
|
added subscriber Alex Tu |
2021-01-19 18:50:40 |
Łukasz Zemczak |
grub2 (Ubuntu Groovy): status |
Triaged |
Fix Committed |
|
2021-01-19 18:50:43 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2021-01-19 18:50:47 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2021-01-19 18:50:53 |
Łukasz Zemczak |
tags |
blocks-hwcert-server fr-24 id-5ee24d297b5c2a5aa43fda04 maas-grub oem-priority |
blocks-hwcert-server fr-24 id-5ee24d297b5c2a5aa43fda04 maas-grub oem-priority verification-needed verification-needed-groovy |
|
2021-01-19 18:55:46 |
Łukasz Zemczak |
grub2 (Ubuntu Focal): status |
Triaged |
Fix Committed |
|
2021-01-19 18:55:53 |
Łukasz Zemczak |
tags |
blocks-hwcert-server fr-24 id-5ee24d297b5c2a5aa43fda04 maas-grub oem-priority verification-needed verification-needed-groovy |
blocks-hwcert-server fr-24 id-5ee24d297b5c2a5aa43fda04 maas-grub oem-priority verification-needed verification-needed-focal verification-needed-groovy |
|
2021-01-20 03:49:56 |
ethan.hsieh |
bug |
|
|
added subscriber Tim Chen |
2021-01-21 13:43:35 |
Dimitri John Ledkov |
tags |
blocks-hwcert-server fr-24 id-5ee24d297b5c2a5aa43fda04 maas-grub oem-priority verification-needed verification-needed-focal verification-needed-groovy |
blocks-hwcert-server fr-24 id-5ee24d297b5c2a5aa43fda04 maas-grub oem-priority verification-done verification-done-focal verification-done-groovy |
|
2021-01-22 17:33:33 |
Rod Smith |
tags |
blocks-hwcert-server fr-24 id-5ee24d297b5c2a5aa43fda04 maas-grub oem-priority verification-done verification-done-focal verification-done-groovy |
blocks-hwcert-server fr-24 id-5ee24d297b5c2a5aa43fda04 maas-grub oem-priority verification-done verification-done-focal verification-done-groovy verification-failed-focal |
|
2021-01-25 10:08:15 |
Dimitri John Ledkov |
tags |
blocks-hwcert-server fr-24 id-5ee24d297b5c2a5aa43fda04 maas-grub oem-priority verification-done verification-done-focal verification-done-groovy verification-failed-focal |
blocks-hwcert-server fr-24 id-5ee24d297b5c2a5aa43fda04 maas-grub oem-priority verification-done verification-done-focal verification-done-groovy |
|
2021-01-25 10:10:55 |
Julian Andres Klode |
shim-signed (Ubuntu): status |
Invalid |
Triaged |
|
2021-01-25 10:11:01 |
Julian Andres Klode |
shim-signed (Ubuntu Focal): status |
Invalid |
Triaged |
|
2021-01-25 10:11:03 |
Julian Andres Klode |
shim-signed (Ubuntu Groovy): status |
Invalid |
Triaged |
|
2021-01-25 14:05:27 |
Launchpad Janitor |
grub2 (Ubuntu Groovy): status |
Fix Committed |
Fix Released |
|
2021-01-25 14:05:39 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2021-01-25 14:06:00 |
Launchpad Janitor |
grub2 (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2021-02-04 11:14:44 |
Adam Collard |
maas: milestone |
2.9.2 |
2.9.x |
|
2021-02-08 16:18:51 |
Dimitri John Ledkov |
shim-signed (Ubuntu): status |
Triaged |
Won't Fix |
|
2021-02-08 16:18:56 |
Dimitri John Ledkov |
shim-signed (Ubuntu Groovy): status |
Triaged |
Won't Fix |
|
2021-02-08 16:18:59 |
Dimitri John Ledkov |
shim-signed (Ubuntu Focal): status |
Triaged |
Won't Fix |
|
2021-02-08 17:36:59 |
Steve Langasek |
shim-signed (Ubuntu): status |
Won't Fix |
Triaged |
|
2021-02-08 17:37:10 |
Steve Langasek |
shim-signed (Ubuntu Focal): status |
Won't Fix |
Triaged |
|
2021-02-08 17:37:13 |
Steve Langasek |
shim-signed (Ubuntu Groovy): status |
Won't Fix |
Triaged |
|
2021-02-23 09:18:46 |
hugh chao |
bug |
|
|
added subscriber hugh chao |
2021-04-20 00:01:36 |
Lee Trager |
attachment added |
|
secure-boot.log https://bugs.launchpad.net/maas/+bug/1865515/+attachment/5489915/+files/secure-boot.log |
|
2021-04-20 00:02:59 |
Lee Trager |
attachment added |
|
qemu.conf https://bugs.launchpad.net/maas/+bug/1865515/+attachment/5489916/+files/qemu.conf |
|
2021-05-07 01:07:00 |
Lee Trager |
attachment added |
|
lxd-vm.log.xz https://bugs.launchpad.net/maas/+bug/1865515/+attachment/5495355/+files/lxd-vm.log.xz |
|
2021-05-12 02:02:09 |
Lee Trager |
bug watch added |
|
https://github.com/lxc/lxd/issues/8770 |
|
2022-04-19 07:32:08 |
Yuan-Chen Cheng |
oem-priority: importance |
Critical |
High |
|
2022-08-25 08:19:47 |
Jerzy Husakowski |
maas: milestone |
2.9.x |
3.3.0 |
|
2022-10-06 08:15:51 |
Jerzy Husakowski |
maas: milestone |
3.3.0 |
3.4.0 |
|
2023-04-20 08:40:13 |
Jerzy Husakowski |
maas: milestone |
3.4.0 |
3.5.0 |
|
2023-08-08 15:57:17 |
Jeff Hillman |
bug |
|
|
added subscriber Canonical Field High |
2023-08-08 18:37:20 |
Michael Iatrou |
bug |
|
|
added subscriber Michael Iatrou |
2023-08-17 16:46:08 |
Adam Collard |
merge proposal linked |
|
https://code.launchpad.net/~igor-brovtsin/maas/+git/maas/+merge/449355 |
|
2023-08-25 08:44:37 |
MAAS Lander |
maas: status |
Triaged |
Fix Committed |
|