Comment 2 for bug 1578837

I'm attaching the contents of the /var/lib/maas/boot-resources/snapshot-20160426-183112 directory on the MAAS server (minus the ubuntu and custom directories, which contain OS images and are therefore huge). This tarball includes the shim and GRUB images used in this process. I'm also including an excerpt from the clusterd.log file from the MAAS server, which shows the TFTP requests.

You're correct that the system boots in two stages: When a node PXE-boots, it requests a boot loader from the MAAS server, which delivers an image that then kicks the boot process to the local disk. Thus, the boot process should be:

PXE request -> TFTP-delivered Shim -> TFTP-delivered GRUB -> local Shim -> local GRUB -> local kernel

At least, that's my understanding; I'm not involved in MAAS development in any significant way, so I could be misunderstanding something.

The symptoms look like the handoff from the TFTP-delivered GRUB to the local Shim is failing when Secure Boot is active. The file is definitely present because it DOES work when Secure Boot is inactive.