Public bug reported:

[Impact]

 * GCE shielded VM instances created from official Ubuntu images,
starting with focal, get integrity monitoring errors after the second reboot
without any actions or changes by the user.

 * This is due to the `initrdless_boot_fallback_triggered` variable in
/boot/grub/grubenv being set to 0 after the first boot. /boot/grub/grubenv
is empty in the image prior to boot.
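 * As an added example (not part of this bug report or of livecd-rootfs), a small POSIX shell helper that reads a GRUB environment block and lists the variables that differ between two snapshots, so that an integrity monitoring alert can be traced back to the grubenv write described above. The function names are my own, and the two sample blocks it writes are constructed to match the description: an empty block for the image, and a block with `initrdless_boot_fallback_triggered=0` for the state after the first boot.

```shell
#!/bin/sh
# Added example, not part of the bug report or of livecd-rootfs: read a GRUB
# environment block and list which variables changed between two snapshots.
# Function names and the sample contents below are constructed for this demo.

# grubenv_vars FILE: print the key=value lines of a grubenv block, skipping
# the "# GRUB Environment Block" header and the '#' padding that fills the
# rest of the 1024-byte file.
grubenv_vars() {
    grep -v '^#' "$1" | grep '='
}

# grubenv_get FILE KEY: print KEY's value; status 1 when KEY is not set,
# which is the state of a freshly built image according to the report.
grubenv_get() {
    value=$(grubenv_vars "$1" | sed -n "s/^$2=//p")
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# grubenv_diff BEFORE AFTER: print variables that differ ('-' for a line
# only in BEFORE, '+' for a line only in AFTER); status 0 only when the two
# blocks carry exactly the same variables and values.
grubenv_diff() {
    before=$(grubenv_vars "$1" | sort)
    after=$(grubenv_vars "$2" | sort)
    [ "$before" = "$after" ] && return 0
    printf '%s\n' "$before" | while read -r line; do
        [ -n "$line" ] || continue
        printf '%s\n' "$after" | grep -qxF -- "$line" || printf -- '-%s\n' "$line"
    done
    printf '%s\n' "$after" | while read -r line; do
        [ -n "$line" ] || continue
        printf '%s\n' "$before" | grep -qxF -- "$line" || printf -- '+%s\n' "$line"
    done
    return 1
}

# make_samples: write two constructed grubenv snapshots to a temp directory
# and print its path: the empty block of the image, and the block after the
# first boot has set initrdless_boot_fallback_triggered=0.
make_samples() {
    dir=$(mktemp -d)
    printf '# GRUB Environment Block\n####\n' > "$dir/grubenv.image"
    printf '# GRUB Environment Block\ninitrdless_boot_fallback_triggered=0\n####\n' \
        > "$dir/grubenv.first-boot"
    printf '%s\n' "$dir"
}

# Stand-alone run: show the drift between the two constructed snapshots.
samples=$(make_samples)
if grubenv_diff "$samples/grubenv.image" "$samples/grubenv.first-boot"; then
    echo "grubenv unchanged"
else
    echo "grubenv changed between image and first boot (see lines above)"
fi
```

On a real instance, `grubenv_vars /boot/grub/grubenv` (or `grub-editenv /boot/grub/grubenv list`) shows the live block; copying the file before and after `sudo reboot` and running `grubenv_diff` on the two copies tells you which variable changed, which is the kind of evidence worth attaching next to the integrity monitoring log entry.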

[Test Plan]

 * To reproduce the bug:
   1. Create a GCE shielded VM instance with integrity monitoring enabled:
     a) focal:
       gcloud compute instances create \
         integrity-test-focal \
         --machine-type "n2d-standard-2" \
         --zone "europe-west1-d" \
         --maintenance-policy=TERMINATE \
         --image-family=ubuntu-2004-lts \
         --image-project=ubuntu-os-cloud \
         --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
         --scopes https://www.googleapis.com/auth/logging.read \
         --shielded-integrity-monitoring \
         --shielded-secure-boot
      b) impish:
        gcloud compute instances create \
          integrity-test-impish \
          --machine-type "n2d-standard-2" \
          --zone "europe-west1-d" \
          --maintenance-policy=TERMINATE \
          --image-family=ubuntu-2110 \
          --image-project=ubuntu-os-cloud \
          --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
          --scopes https://www.googleapis.com/auth/logging.read \
          --shielded-integrity-monitoring \
          --shielded-secure-boot
      c) jammy:
        gcloud compute instances create \
          integrity-test-jammy \
          --machine-type "n2d-standard-2" \
          --zone "europe-west1-d" \
          --maintenance-policy=TERMINATE \
          --image-family=ubuntu-2204-lts \
          --image-project=ubuntu-os-cloud-devel \
          --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
          --scopes https://www.googleapis.com/auth/logging.read \
          --shielded-integrity-monitoring \
          --shielded-secure-boot
   2. SSH into the instance and reboot it: `sudo reboot`
   3. After the instance is rebooted, check integrity monitoring logs:
     a) The easy way -- SSH into the instance and run:
       curl -sSf https://raw.githubusercontent.com/ikapelyukhin/gce-integrity-tester/master/integrity.sh | bash
     b) Alternatively, see the logs in the web console:
       https://console.cloud.google.com/logs/query

 * To verify the fix:
   1. Build a custom image with the fixed version of `livecd-rootfs`
   2. Upload it to GCE
   3. Register it in GCE with the same secureboot DBX as the official images
   4. Create an instance
   5. Reboot it
   6. Check integrity logs

[Where problems could occur]

 * Any code that expects `initrdless_boot_fallback_triggered` to be explicitly 0
would break.

[Other Info]

 * I will build and register custom images the same way official images are
built and registered by CPC.
 * I can also spin up instances created from official/custom images and provide
SSH access to them on request for bug reproduction/fix verification.

** Affects: livecd-rootfs (Ubuntu)
     Importance: Undecided
     Assignee: Ivan Kapelyukhin (ikapelyukhin)
         Status: New

** Description changed:

  [Impact]
  
-  * GCE shielded VM instances created from official Ubuntu images starting with
-  focal get integrity monitoring errors after second reboot without any actions
-  or changes by the user.
+  * GCE shielded VM instances created from official Ubuntu images
+ starting with focal get integrity monitoring errors after second reboot
+ without any actions or changes by the user.
  
-  * This is due to `initrdless_boot_fallback_triggered` variable in
-  /boot/grub/grubenv being set to 0 after first boot. /boot/grub/grubenv is 
empty
-  in the image prior to boot.
+  * This is due to `initrdless_boot_fallback_triggered` variable in
+ /boot/grub/grubenv being set to 0 after first boot. /boot/grub/grubenv
+ is empty in the image prior to boot.
  
  [Test Plan]
  
-  * To reproduce the bug:
-    1. Create a GCE shielded VM instance with integrity monitoring enabled:
-      a) focal:
-        gcloud compute instances create \
-          integrity-test-focal \
-          --machine-type "n2d-standard-2" \
-          --zone "europe-west1-d" \
-          --maintenance-policy=TERMINATE \
-          --image-family=ubuntu-2004-lts \
-          --image-project=ubuntu-os-cloud \
-          --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
-          --scopes https://www.googleapis.com/auth/logging.read \
-          --shielded-integrity-monitoring \
-          --shielded-secure-boot
-       b) impish:
-         gcloud compute instances create \
-           integrity-test-impish \
-           --machine-type "n2d-standard-2" \
-           --zone "europe-west1-d" \
-           --maintenance-policy=TERMINATE \
-           --image-family=ubuntu-2110 \
-           --image-project=ubuntu-os-cloud \
-           --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
-           --scopes https://www.googleapis.com/auth/logging.read \
-           --shielded-integrity-monitoring \
-           --shielded-secure-boot
-       c) jammy:
-         gcloud compute instances create \
-           integrity-test-jammy \
-           --machine-type "n2d-standard-2" \
-           --zone "europe-west1-d" \
-           --maintenance-policy=TERMINATE \
-           --image-family=ubuntu-2204-lts \
-           --image-project=ubuntu-os-cloud-devel \
-           --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
-           --scopes https://www.googleapis.com/auth/logging.read \
-           --shielded-integrity-monitoring \
-           --shielded-secure-boot
-    2. SSH into the instance and reboot it: `sudo reboot`
-    3. After the instance is rebooted, check integrity monitoring logs:
-      a) The easy way -- SSH into the instance and run:
-        curl -sSf 
https://raw.githubusercontent.com/ikapelyukhin/gce-integrity-tester/master/integrity.sh
 | bash
-      b) Alternatively, see the logs in the web console: 
https://console.cloud.google.com/logs/query
+  * To reproduce the bug:
+    1. Create a GCE shielded VM instance with integrity monitoring enabled:
+      a) focal:
+        gcloud compute instances create \
+          integrity-test-focal \
+          --machine-type "n2d-standard-2" \
+          --zone "europe-west1-d" \
+          --maintenance-policy=TERMINATE \
+          --image-family=ubuntu-2004-lts \
+          --image-project=ubuntu-os-cloud \
+          --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
+          --scopes https://www.googleapis.com/auth/logging.read \
+          --shielded-integrity-monitoring \
+          --shielded-secure-boot
+       b) impish:
+         gcloud compute instances create \
+           integrity-test-impish \
+           --machine-type "n2d-standard-2" \
+           --zone "europe-west1-d" \
+           --maintenance-policy=TERMINATE \
+           --image-family=ubuntu-2110 \
+           --image-project=ubuntu-os-cloud \
+           --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
+           --scopes https://www.googleapis.com/auth/logging.read \
+           --shielded-integrity-monitoring \
+           --shielded-secure-boot
+       c) jammy:
+         gcloud compute instances create \
+           integrity-test-jammy \
+           --machine-type "n2d-standard-2" \
+           --zone "europe-west1-d" \
+           --maintenance-policy=TERMINATE \
+           --image-family=ubuntu-2204-lts \
+           --image-project=ubuntu-os-cloud-devel \
+           --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
+           --scopes https://www.googleapis.com/auth/logging.read \
+           --shielded-integrity-monitoring \
+           --shielded-secure-boot
+    2. SSH into the instance and reboot it: `sudo reboot`
+    3. After the instance is rebooted, check integrity monitoring logs:
+      a) The easy way -- SSH into the instance and run:
+        curl -sSf 
https://raw.githubusercontent.com/ikapelyukhin/gce-integrity-tester/master/integrity.sh
 | bash
+      b) Alternatively, see the logs in the web console: 
https://console.cloud.google.com/logs/query
  
-  * To verify the fix:
-    1. Build a custom image with the fixed version of `livecd-rootfs`
-    2. Upload it to GCE
-    3. Register it in GCE with the same secureboot DBX as the official images
-    4. Create an instance
-    5. Reboot it
-    6. Check integrity logs
+  * To verify the fix:
+    1. Build a custom image with the fixed version of `livecd-rootfs`
+    2. Upload it to GCE
+    3. Register it in GCE with the same secureboot DBX as the official images
+    4. Create an instance
+    5. Reboot it
+    6. Check integrity logs
  
  [Where problems could occur]
  
-  * Any code that expects `initrdless_boot_fallback_triggered` to be 
explicitly 0
-  would break.
+  * Any code that expects `initrdless_boot_fallback_triggered` to be 
explicitly 0
+  would break.
  
  [Other Info]
  
-  * I will build and register custom images the same way official images are
-  built and registered by CPC.
-  * I can also spin up instances created from official/custom images and 
provide
-  SSH access to them on request for bug reproduction/fix verification.
+  * I will build and register custom images the same way official images are  
built and registered by CPC.
+  * I can also spin up instances created from official/custom images and 
provide SSH access to them on request for bug reproduction/fix verification.

** Changed in: livecd-rootfs (Ubuntu)
     Assignee: (unassigned) => Ivan Kapelyukhin (ikapelyukhin)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1960564

Title:
  GCE shielded VM integrity monitoring reports errors

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/1960564/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
