arm64 Secure Boot fails w/ "error: cannot load image."
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| grub2 (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| Groovy | Fix Released | Undecided | Unassigned | |
| grub2-signed (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| Groovy | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
Kernels are not loaded on arm64 since the grub2 2.04 rebase.
[Test case]
1. Boot qemu
qemu-system-aarch64 -m 1024 -cpu cortex-a53 -M virt -pflash ~/AAVMF_CODE.fd -pflash ~/AAVMF_VARS.fd -drive if=none,
2. Run sb-setup enroll microsoft from https:/
3. Verify that the new grub works
4. Parallel tests (take a snapshot after step 3)
4a) Reinstall the old grub and check that it fails
4b) Remove the kernel signature and check that kernel loading fails
[Regression potential]
The changes are limited to grub-core/
[Original bug report]
I tested out the new shim-signed (1.41+15+
grub> insmod gzio
grub> linux (hd0,gpt1)
grub> boot
error: cannot load image.
This is better than it was previously - shim used to crash before starting GRUB (bug 1811901 and bug 1811722). But obviously there are still issues somewhere. Prior to this shim binary being signed, I believe I had tested the unsigned binary in a VM using a custom signing certificate. I think I still have that VM around, so I may be able to use it for comparison.
= My setup =
I tried to make this test simulate a real setup as much as possible. Here's roughly what I did:
Installed an arm64 server w/ bionic
# need a new QEMU for EnrollDefaultKe
sudo apt-add-repository cloud-archive:train
sudo apt update
sudo apt install uvtool
sudo gpasswd -a ubuntu libvirt
# log out/back in
# no focal images yet
uvt-simplestrea
uvt-kvm create focal arch=arm64 release=eoan
uvt-kvm wait focal
uvt-kvm ssh focal
guest> sudo sed -i 's/eoan/focal/' /etc/apt/
guest> # Also enabled focal-proposed to get latest shim-signed
guest> sudo apt update
guest> sudo apt dist-upgrade
guest> sudo apt install shim-signed
guest> sudo grub-install
# On an x86 host, I built the latest edk2 package and copied out the AARCH64 build of
# EnrollDefaultKe
# system partition
guest> sudo poweroff
virsh edit focal
# Add the following to inject the Pk/KEK keys:
# <qemu:commandline>
# <qemu:arg value='-smbios'/>
# <qemu:arg value='
# </qemu:commandline>
#
virsh start focal; virsh console focal
# Interrupt focal boot, drop to an EFI shell, then ran the following
# which will load the PK/Kek1 and Microsoft keys and enable SecureBoot
Shell> fs0:
FS0:\> EnrollDefaultKe
info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
info: success
FS0:\> reset -s
# Then, finally, try and boot in SB mode:
virsh start focal; virsh console focal
Changed in shim (Ubuntu): status: New → Invalid
tags: added: id-5e67b5f44d0dff7b9bbf1d1a
description: updated
Changed in grub2-signed (Ubuntu): status: Confirmed → Fix Committed
Changed in grub2 (Ubuntu): status: Confirmed → Fix Committed
no longer affects: shim (Ubuntu)
no longer affects: shim (Ubuntu Focal)
no longer affects: shim (Ubuntu Groovy)
Changed in grub2-signed (Ubuntu Focal): status: New → Triaged
Changed in grub2 (Ubuntu Focal): status: New → Triaged
description: updated
description: updated
description: updated
Changed in grub2-signed (Ubuntu Focal): status: Triaged → In Progress
Changed in grub2 (Ubuntu Focal): status: Triaged → In Progress
Changed in grub2 (Ubuntu Focal): status: Won't Fix → Triaged
tags: added: fr-23
le sigh