MAAS

Merge ~igor-brovtsin/maas:lp2022084-grub-template into maas:master

Proposed by Igor Brovtsin on 2023-08-17

Status:

Merged

Approved by:

Igor Brovtsin on 2023-08-25

Approved revision:

f1b9085690bd76cdd998fb8e90e354b8f4272543

Merge reported by:

MAAS Lander

Merged at revision:

not available

Proposed branch:

~igor-brovtsin/maas:lp2022084-grub-template

Merge into:

maas:master

Diff against target:

54 lines (+23/-10)

1 file modified

src/provisioningserver/templates/uefi/config.local.amd64.template (+23/-10)

Related bugs:

Bug #1865515: Chainbooting from grub over the network to local shim breaks chain of trust	High	Fix Released
Bug #2022084: secure boot enabled on RHEL image fails to boot local on 2nd reboot after deploy	High	Fix Released

Link a bug report

Reviewer	Date Requested	Status
MAAS Lander		Approve on 2023-08-22
Ghadi Rahme (community)		Approve on 2023-08-22
Adam Collard (community)	2023-08-17	Approve on 2023-08-17
Review via email: mp+449355@code.launchpad.net

Commit message

Disable chainloading for third-party distros to fix secure boot

The usual MAAS local boot chain for well-known distros looks like this:

PXE -> MAAS shim -> MAAS GRUB2 -> Distro shim (if any) -> Distro loader

MAAS GRUB chainloads the distro to save time that otherwise the system
would spend trying to netboot with all capable NICs.

Investigating LP:2022084, we discovered that with this chain, RHEL GRUB2
tries to validate the kernel using MAAS shim, causing the secure boot
process to fail. Given the nature of shim and secure boot process in
general, there's not much we can do on MAAS side to fix this behaviour.
As a hotfix, we temporarily drop the chainloading for other distros so
that they could boot securely (even though with some extra wait time).

Ubuntu will still be chainloaded because the MAAS shim trusts the certs
our kernels/bootloaders are signed with. I also don't think Windows
boot loader can be affected by any shims whatsoever, so MAAS will still
try to chainload it.

Description of the change

An accompanying change would be to implement some mechanism that bumps the local boot option to the second place in boot order, with the first one being a MAAS-connected NIC. This will require further investigation though, since even for the virtual machine I used for my tests that had one NIC, there were four ways to netboot it (PXEv4, PXEv6, HTTPv4, HTTPv6). We could bump all four, but ideally there will be a way to pick a suitable one somehow.

Revision history for this message

MAAS Lander (maas-lander) wrote on 2023-08-17:

UNIT TESTS
-b lp2022084-grub-template lp:~igor-brovtsin/maas/+git/maas into -b master lp:~maas-committers/maas

STATUS: SUCCESS
COMMIT: 28839e8b1ae75cc0f0293007805f693a279a9a4e

review: Approve

~igor-brovtsin/maas:lp2022084-grub-template updated on 2023-08-17

750905c... by Igor Brovtsin on 2023-08-17: Return exit code 1 when resorting to boot from next device

Revision history for this message

MAAS Lander (maas-lander) wrote on 2023-08-17:

UNIT TESTS
-b lp2022084-grub-template lp:~igor-brovtsin/maas/+git/maas into -b master lp:~maas-committers/maas

STATUS: SUCCESS
COMMIT: 750905c674af9b094f1da3183b10966be6d7bcae

review: Approve

Revision history for this message

Adam Collard (adam-collard) wrote on 2023-08-17:

Have set off a test run for this branch in the lab - let's check if e.g. Windows can deploy

Revision history for this message

Adam Collard (adam-collard) wrote on 2023-08-17:

LGTM

review: Approve

Revision history for this message

Julian Andres Klode (juliank) wrote on 2023-08-17:

One could conditionalize the fallback for foreign shims to secure boot only be checking a variable, I think it's $shim_lock but not 100% sure, and might not matter.

Revision history for this message

Julian Andres Klode (juliank) wrote on 2023-08-18:

Ah I double checked and yes, shim_lock=y is set, so one could duplicate the for loop with the bootloaders being removed and

if [ $shim_lock != "y" ]; then
...
fi

just in case we want to reduce regression potential for existing users.

Revision history for this message

Igor Brovtsin (igor-brovtsin) wrote on 2023-08-21:

Thanks Julian! I'll update the MP

~igor-brovtsin/maas:lp2022084-grub-template updated on 2023-08-21

c6c0539... by Igor Brovtsin on 2023-08-21: Try chainloading in non-secure-boot scenarios

Revision history for this message

MAAS Lander (maas-lander) wrote on 2023-08-21:

UNIT TESTS
-b lp2022084-grub-template lp:~igor-brovtsin/maas/+git/maas into -b master lp:~maas-committers/maas

STATUS: SUCCESS
COMMIT: c6c05397a55a9a6790d4cfe4cd5df1bc57b85008

review: Approve

Revision history for this message

Ghadi Rahme (ghadi-rahme) on 2023-08-22:

review: Needs Fixing

~igor-brovtsin/maas:lp2022084-grub-template updated on 2023-08-22

f1b9085... by Igor Brovtsin on 2023-08-22: Enclose `shim_lock` evaluation

Revision history for this message

Igor Brovtsin (igor-brovtsin) on 2023-08-22:

Revision history for this message

Ghadi Rahme (ghadi-rahme) on 2023-08-22:

review: Approve

Revision history for this message

MAAS Lander (maas-lander) wrote on 2023-08-22:

UNIT TESTS
-b lp2022084-grub-template lp:~igor-brovtsin/maas/+git/maas into -b master lp:~maas-committers/maas

STATUS: SUCCESS
COMMIT: f1b9085690bd76cdd998fb8e90e354b8f4272543

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Igor Brovtsin

MAAS Committers

Matvej Jurbin

Shane Holloman

 diff --git a/src/provisioningserver/templates/uefi/config.local.amd64.template b/src/provisioningserver/templates/uefi/config.local.amd64.template
 index 219a2af..5898d5c 100644
 --- a/src/provisioningserver/templates/uefi/config.local.amd64.template
 +++ b/src/provisioningserver/templates/uefi/config.local.amd64.template
@@ -4,19 +4,11 @@ set timeout=0
  menuentry 'Local' {
      echo 'Booting local disk...'
++    # The bootloader paths list for secure boot is shortened because of LP:2022084
      for bootloader in \
              boot/bootx64.efi \
              ubuntu/shimx64.efi \
              ubuntu/grubx64.efi \
--            centos/shimx64.efi \
--            centos/grubx64.efi \
--            redhat/shimx64.efi \
--            redhat/grubx64.efi \
--            rhel/shimx64.efi \
--            rhel/grubx64.efi \
--            suse/shim.efi \
--            suse/grubx64.efi \
--            red/grubx64.efi \
              Microsoft/Boot/bootmgfw.efi; do
          search --set=root --file /efi/$bootloader
          if [ $? -eq 0 ]; then
@@ -24,6 +16,27 @@ menuentry 'Local' {
              boot
          fi
      done
++
++    if [ "${shim_lock}" != "y" ]; then
++        echo 'Secure boot is disabled, trying chainloader...'
++        for bootloader in \
++                centos/shimx64.efi \
++                centos/grubx64.efi \
++                redhat/shimx64.efi \
++                redhat/grubx64.efi \
++                rhel/shimx64.efi \
++                rhel/grubx64.efi \
++                suse/shim.efi \
++                suse/grubx64.efi \
++                red/grubx64.efi; do
++            search --set=root --file /efi/$bootloader
++            if [ $? -eq 0 ]; then
++                chainloader /efi/$bootloader
++                boot
++            fi
++        done
++    fi
++
      # If no bootloader is found exit and allow the next device to boot.
--    exit
++    exit 1
+ }