Shim uses wrong TFTP server IP in proxyDHCP mode

Bug #1813541 reported by Alkis Georgopoulos on 2019-01-28
This bug affects 2 people
Affects Status Importance Assigned to Milestone
shim (Ubuntu)

Bug Description

This works fine:
UEFI > real DHCP > shimx64.efi over TFTP > grubx64.efi over TFTP.

In the scenario above, if we change "real" with "proxy", it fails, because it's trying to download grubx64.efi from the real DHCP server instead of the proxy one.

A proxy DHCP server is one that only sends the boot filename, and leaves the IP assignments to the real DHCP server. We use that a lot in the and in other netbooting projects, as it avoids the need for a special network setup.

Sample dnsmasq.conf for proxy setup:

pxe-service=X86-64_EFI,"Boot from network",shimx64.efi

Alkis Georgopoulos (alkisg) wrote :

Specifically, I think the issue is in

memcpy(&tftp_addr.v4, pkt_v4->BootpSiAddr, 4);

There should be an "if proxy ... use that one for tftp ... else use BootpSiAddr" at that point.

Steve Langasek (vorlon) wrote :

By chance can you provide a reference to an RFC that explains the "correct" interaction between proxy DHCP servers and DHCP boot file option? Does the grub DHCP client implementation work the way you describe?

Changed in shim (Ubuntu):
status: New → Incomplete
Alkis Georgopoulos (alkisg) wrote :

The PXE specification, which also describes proxyDHCP, can be found for example at:

The "proof" that the proxyDHCP server should be used as the TFTP server, is the fact that shimx64.efi was indeed downloaded by the UEFI firmware from the proxyDHCP server. This is true for all UEFI and BIOS firmwares, and for iPXE and any other client that understands PXE services.

Shim just needs to follow suit and use the same TFTP server where it's located at.

Changed in shim (Ubuntu):
status: Incomplete → New
Alkis Georgopoulos (alkisg) wrote :

To be more clear (some times I'm not very confident about my English):

TFTP server = proxyDHCP server = where shimx64.efi is.
UEFI and BIOS and iPXE and all clients, use the proxyDHCP server as the TFTP server.

Shimx64.efi on the other hand, tries to download grubx64.efi from the real DHCP server, which usually isn't a TFTP server when proxyDHCP is used, and fails.

Alkis Georgopoulos (alkisg) wrote :

Pseudocode for UEFI/BIOS firmwares:
If the DHCP server doesn't offer a boot filename,
and a proxyDHCP server is available,
then use the boot filename from the proxyDHCP offer,
and set TFTP=proxyDHCP.

Pseudocode for shim:
If UEFI reports that it used proxyDHCP, then use that one for the TFTP server.
No decision to be done here; the decision was already done by UEFI in the previous step.
Also, note that there's no "boot filename" involved; that too, was done by UEFI in the previous step.
It's just about deciding where the TFTP server is.

Alkis Georgopoulos (alkisg) wrote :

*Actually you can use "boot filename = /path/to/shimx64.efi" just to derive the /path/to/grubx64.efi if you want; but that's not very important, just for TFTP directory organization.

Changed in shim:
status: Unknown → New
Steve Langasek (vorlon) on 2019-02-03
Changed in shim (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
RouL (roul-zett) wrote :

Over 1 year and 2 Ubuntu versions later (one of them LTS) and this problem is still not fixed. Even with googling this took me hours to figure out today. :/

Please fix this finally.

I'd submit a patch, but I didn't write any C code, since I was around 21. If anything, I'd probably make things worse. :D

Steve Langasek (vorlon) wrote :

The upstream bug is still unresolved, and shim is highly security sensitive code. So we need to wait for an agreed upstream fix.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.