pxeboot_setup.sh copies wrong grubx64.efi

Bug #1933263 reported by Don Penney
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Don Penney

Bug Description

Description
-----------
Secure boot fails for load setup with pxeboot_setup.sh.

umount /media/iso
mount -o loop bootimage.iso /media/iso
mount -o remount,exec,dev /media/iso
/media/iso/pxeboot_setup.sh -u http://147.11.88.7/tftp -t /srv/tftp/

Resulted in:

error: vmlinuz has invalid signature.
error: you need to load the kernel first.

Press any key to continue...

Severity
--------
Minor

Steps to Reproduce
------------------
PXE boot controller-0 with secure boot enabled from a PXE server by running the pxeboot_setup.sh from the ISO.

Expected Behavior
-----------------
PXE boot completes when using the pxeboot_setup.sh script when secure boot is enabled.

Actual Behavior
---------------
Signature failure.

Reproducibility
---------------
Reproducible.

System Configuration
--------------------
PXE boot a controller-0, single node.

Branch/Pull Time/Commit
-----------------------
starlingx/master

Workaround
----------
pxeboot_setup.sh is copying grubx64.efi from /media/iso/pxeboot/EFI/grubx64.efi instead of /media/iso/EFI/BOOT/grubx64.efi. Manually fixing the copy after running the script allowed PXE boot with secure boot enabled.
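
A check for the state the workaround above describes, added here as an example (it is not part of the bug report or of pxeboot_setup.sh): it compares the grubx64.efi a PXE server is serving against the two copies on the mounted ISO. The function name and result labels are hypothetical, and the deployed file's path is passed in by the caller because the report does not say where under the TFTP directory the script places it.

```sh
#!/bin/sh
# Added example: classify a deployed grubx64.efi against the two ISO copies
# named in the bug report. Only the ISO-relative paths come from the report.

# classify_grub ISO_MOUNT DEPLOYED_FILE
# Prints: efi-boot | pxeboot | unknown | missing
# Returns 0 only when the deployed file matches EFI/BOOT/grubx64.efi.
classify_grub() {
    iso=$1
    deployed=$2
    want="$iso/EFI/BOOT/grubx64.efi"       # copy the workaround installs
    wrong="$iso/pxeboot/EFI/grubx64.efi"   # copy the script picked up

    # Without both files there is nothing to compare.
    if [ ! -f "$deployed" ] || [ ! -f "$want" ]; then
        echo missing
        return 2
    fi
    # Byte-for-byte comparison; cmp -s is silent and sets the exit status.
    if cmp -s "$deployed" "$want"; then
        echo efi-boot
        return 0
    fi
    if [ -f "$wrong" ] && cmp -s "$deployed" "$wrong"; then
        echo pxeboot
        return 1
    fi
    # Matches neither ISO copy: stale file from another load, or modified.
    echo unknown
    return 1
}

# Stand-alone use: sh check_grub.sh /media/iso <path to deployed grubx64.efi>
if [ "$#" -eq 2 ]; then
    classify_grub "$1" "$2"
fi
```

A result of `pxeboot` corresponds to the failing setup described in this report; `unknown` means the served file came from neither location on this ISO.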

OpenStack Infra (hudson-openstack) wrote : Fix proposed to metal (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/metal/+/797527

Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Don Penney (dpenney)
tags: added: stx.metal
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.6.0
OpenStack Infra (hudson-openstack) wrote : Fix merged to metal (master)

Reviewed: https://review.opendev.org/c/starlingx/metal/+/797527
Committed: https://opendev.org/starlingx/metal/commit/f7c738234397472f78886a672e6687bf4213b338
Submitter: "Zuul (22348)"
Branch: master

commit f7c738234397472f78886a672e6687bf4213b338
Author: Don Penney <email address hidden>
Date: Tue Jun 22 14:00:51 2021 -0400

    Update pxeboot_setup.sh to use stock grubx64.efi

    Secure boot fails for load setup with pxeboot_setup.sh, as the kernel
    signature check fails validation due to the recent grub2 update for
    CVE-2020-15705. This commit updates pxeboot_setup.sh to use the older
    stock grubx64.efi, which will postpone the kernel validation until the
    load is installed.

    Change-Id: Ic6bfd236b076fc9023a77b1c2d8b9d4f8feee8b8
    Closes-Bug: 1933263
    Signed-off-by: Don Penney <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released