PXE boot shows SBAT self-check failed: Security Policy Violation

Bug #2071845 reported by jewsco jacquez

Affects: MAAS
Status: Incomplete
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hello,

I'm getting "SBAT self-check failed: Security Policy Violation" on all my MAAS PXE clients.

Here is the version of MAAS I'm using.
# apt list maas
Listing... Done
maas/jammy 1:3.3.7-13246-g.2341ebf5d-0ubuntu1~22.04.1 all

To reproduce, under Images, I did an update selection on 22.04 LTS and checked amd64. I saw it got synced (1.2 GB Synced) and then the Rack got updated and was also showing as synced.

But I noticed that MAAS created two amd64 bootx64.efi files with different checksums.

# ls -ld /var/lib/maas/boot-resources/snapshot-20240703-155432/bootx64.efi /var/lib/maas/boot-resources/snapshot-20240703-155432/bootloader/uefi/amd64/bootx64.efi
-rw-r--r-- 2 maas maas 960472 Jul 3 11:54 /var/lib/maas/boot-resources/snapshot-20240703-155432/bootloader/uefi/amd64/bootx64.efi
-rw-r--r-- 1 maas maas 955656 Jul 3 11:57 /var/lib/maas/boot-resources/snapshot-20240703-155432/bootx64.efi

# cksum /var/lib/maas/boot-resources/snapshot-20240703-155432/bootx64.efi /var/lib/maas/boot-resources/snapshot-20240703-155432/bootloader/uefi/amd64/bootx64.efi
2344477150 955656 /var/lib/maas/boot-resources/snapshot-20240703-155432/bootx64.efi
74947783 960472 /var/lib/maas/boot-resources/snapshot-20240703-155432/bootloader/uefi/amd64/bootx64.efi
#

At this point, PXE client is unable to boot and will get powered off automatically.

The error in the console is showing as "SBAT self-check failed: Security Policy Violation"

I tried disabling secure boot in the client's BIOS config, but it didn't make any difference.

Then I tried manually removing the bootx64.efi from the snapshot-20240703-155432 folder and linking it to bootloader/uefi/amd64/bootx64.efi instead.

# cd /var/lib/maas/boot-resources/snapshot-20240703-155432
# mv bootx64.efi /home/corpunix/bootx64.efi.7-3-2024-12_59; ln -s bootloader/uefi/amd64/bootx64.efi bootx64.efi
# ls -lt bootx64.efi
lrwxrwxrwx 1 root root 33 Jul 3 13:00 bootx64.efi -> bootloader/uefi/amd64/bootx64.efi

**************************************
Then the PXE boot started working
**************************************

Question: Is there any reason why MAAS would create two amd64 bootx64.efi files with different cksums, and what is the best way to have this fixed going forward without any manual intervention?

Revision history for this message
jewsco jacquez (jpjacquez) wrote :

Any takers for this issue?
And what are the criteria for when and how /var/lib/maas/boot-resources gets refreshed?

Revision history for this message
Anton Troyanov (troyanov) wrote :

Hi @jpjacquez,

bootloader/uefi/amd64/bootx64.efi comes from the stream.
bootx64.efi is a copy from the host where rackd is installed.
(FTR this logic was removed in 3.5)

Most likely the old grub from the host required the new SBAT policy.
https://discourse.ubuntu.com/t/sbat-revocations-boot-process/34996

May I ask you to try the following:
1. Disable secure boot
2. Get your system up and running
3. Execute `mokutil --set-sbat-policy delete`
4. Enable secure boot and try to boot again

Just to confirm it's related to the automatic SBAT policy upgrade.

Changed in maas:
status: New → Incomplete
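The check that produces "SBAT self-check failed" compares the component generations in a bootloader's `.sbat` section against the minimum generations recorded in the firmware's SbatLevel policy. As an added example (not MAAS code and not the reporter's or the commenter's), the script below pulls the `.sbat` section out of a PE image with a small section-table parser and reports which components fall below the policy, so the two differing bootx64.efi files from the report can be compared offline. The policy CSV, the generation numbers and `build_test_image` are constructed fixtures for the test, not data from the report.

```python
import struct

SECTION_HDR = 40  # size of one COFF section header

def read_sbat_section(data: bytes) -> str:
    """Return the CSV text of a PE image's .sbat section ('' if it has none)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section table follows the optional header
    for i in range(nsect):
        name, vsize, _va, rsize, roff = struct.unpack_from("<8sIIII", data, table + i * SECTION_HDR)
        if name.rstrip(b"\0") == b".sbat":
            return data[roff:roff + min(vsize, rsize)].rstrip(b"\0").decode("ascii", "replace")
    return ""

def parse_sbat(csv_text: str) -> dict:
    """Map component name -> generation; .sbat sections and SbatLevel both use 'name,gen,...' lines."""
    gens = {}
    for line in csv_text.splitlines():
        fields = line.split(",")
        if len(fields) >= 2 and fields[0]:
            gens[fields[0]] = int(fields[1])
    return gens

def sbat_violations(binary: dict, policy: dict) -> list:
    """(component, binary_gen, required_gen) for each component whose generation is below the policy minimum."""
    return [(c, binary[c], g) for c, g in policy.items() if c in binary and binary[c] < g]

def build_test_image(sbat_csv: str) -> bytes:
    """Constructed minimal PE image holding only a .sbat section (a test fixture, not a real shim)."""
    payload = sbat_csv.encode("ascii")
    pe_off, raw_off = 0x40, 0x40 + 24 + SECTION_HDR  # fixture has no optional header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)
    sect = struct.pack("<8sIIIIIIHHI", b".sbat", len(payload), 0x1000, len(payload), raw_off, 0, 0, 0, 0, 0x40000040)
    return dos + coff + sect + payload

if __name__ == "__main__":
    import sys
    # Usage: python3 sbat_check.py <policy.csv> <bootx64.efi> [<other bootx64.efi> ...]
    policy = parse_sbat(open(sys.argv[1]).read())
    for path in sys.argv[2:]:
        sbat = parse_sbat(read_sbat_section(open(path, "rb").read()))
        print(path, sbat, sbat_violations(sbat, policy) or "ok")
```

Running it against both bootx64.efi files in the snapshot directory shows whether the host-copied file carries older generations than the one from the stream.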