Merge ~igor-brovtsin/maas:lp2022084-grub-template into maas:master
| Status: | Merged |
|---|---|
| Approved by: | Igor Brovtsin |
| Approved revision: | f1b9085690bd76cdd998fb8e90e354b8f4272543 |
| Merge reported by: | MAAS Lander |
| Merged at revision: | not available |
| Proposed branch: | ~igor-brovtsin/maas:lp2022084-grub-template |
| Merge into: | maas:master |
| Diff against target: | 54 lines (+23/-10), 1 file modified: src/provisioningserver/templates/uefi/config.local.amd64.template (+23/-10) |
| Related bugs: | |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| MAAS Lander | Approve | | |
| Ghadi Rahme (community) | Approve | | |
| Adam Collard (community) | Approve | | |
Commit message
Disable chainloading for third-party distros to fix secure boot
The usual MAAS local boot chain for well-known distros looks like this:
PXE -> MAAS shim -> MAAS GRUB2 -> Distro shim (if any) -> Distro loader
MAAS GRUB chainloads the distro to save time that otherwise the system
would spend trying to netboot with all capable NICs.
Investigating LP:2022084, we discovered that with this chain, RHEL GRUB2
tries to validate the kernel using MAAS shim, causing the secure boot
process to fail. Given the nature of shim and the secure boot process in
general, there's not much we can do on the MAAS side to fix this behaviour.
As a hotfix, we temporarily drop the chainloading for other distros so
that they could boot securely (even though with some extra wait time).
Ubuntu will still be chainloaded because the MAAS shim trusts the certs
our kernels/bootloaders are signed with. I also don't think the Windows
boot loader can be affected by any shims whatsoever, so MAAS will still
try to chainload it.
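As an added illustration of the behaviour the commit message describes (this is not the MAAS template changed in this branch, whose diff is not shown on this page), a GRUB script fragment that chainloads only the local loaders the MAAS shim can verify and otherwise hands control back to the firmware boot order; the device name and file paths are assumptions:

```grub
# Illustrative example, not MAAS's config.local.amd64.template.
# Assumption: the ESP is the first partition of the first disk.
set esp="(hd0,gpt1)"

if [ -f "${esp}/EFI/ubuntu/shimx64.efi" ]; then
    # Ubuntu's shim and GRUB are signed with certs the MAAS shim already
    # trusts, so chainloading keeps secure boot intact.
    chainloader "${esp}/EFI/ubuntu/shimx64.efi"
    boot
elif [ -f "${esp}/EFI/Microsoft/Boot/bootmgfw.efi" ]; then
    # The Windows boot manager is verified by the firmware's own db,
    # not through shim, so chainloading it is safe too.
    chainloader "${esp}/EFI/Microsoft/Boot/bootmgfw.efi"
    boot
else
    # Any other distro: its GRUB would ask the MAAS shim to verify a
    # kernel signed with a key the MAAS shim does not trust, and the
    # boot would fail. Return to the firmware so it continues down the
    # boot order and loads the distro's own shim directly (slower,
    # since the remaining netboot entries are tried first).
    exit
fi
```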
Description of the change
An accompanying change would be to implement some mechanism that bumps the local boot option to the second place in boot order, with the first one being a MAAS-connected NIC. This will require further investigation though, since even for the virtual machine I used for my tests that had one NIC, there were four ways to netboot it (PXEv4, PXEv6, HTTPv4, HTTPv6). We could bump all four, but ideally there will be a way to pick a suitable one somehow.
UNIT TESTS
-b lp2022084-grub-template lp:~igor-brovtsin/maas/+git/maas into -b master lp:~maas-committers/maas
STATUS: SUCCESS 0f0293007805f69 3a279a9a4e
COMMIT: 28839e8b1ae75cc