Public bug reported:

[Impact]

 * GCE shielded VM instances created from official Ubuntu images starting with
   focal get integrity monitoring errors after the second reboot without any
   actions or changes by the user.

 * This is due to the `initrdless_boot_fallback_triggered` variable in
   /boot/grub/grubenv being set to 0 after the first boot. /boot/grub/grubenv
   is empty in the image prior to boot.

[Test Plan]

 * To reproduce the bug:

   1. Create a GCE shielded VM instance with integrity monitoring enabled:

      a) focal:

         gcloud compute instances create \
           integrity-test-focal \
           --machine-type "n2d-standard-2" \
           --zone "europe-west1-d" \
           --maintenance-policy=TERMINATE \
           --image-family=ubuntu-2004-lts \
           --image-project=ubuntu-os-cloud \
           --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
           --scopes https://www.googleapis.com/auth/logging.read \
           --shielded-integrity-monitoring \
           --shielded-secure-boot

      b) impish:

         gcloud compute instances create \
           integrity-test-impish \
           --machine-type "n2d-standard-2" \
           --zone "europe-west1-d" \
           --maintenance-policy=TERMINATE \
           --image-family=ubuntu-2110 \
           --image-project=ubuntu-os-cloud \
           --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
           --scopes https://www.googleapis.com/auth/logging.read \
           --shielded-integrity-monitoring \
           --shielded-secure-boot

      c) jammy:

         gcloud compute instances create \
           integrity-test-jammy \
           --machine-type "n2d-standard-2" \
           --zone "europe-west1-d" \
           --maintenance-policy=TERMINATE \
           --image-family=ubuntu-2204-lts \
           --image-project=ubuntu-os-cloud-devel \
           --service-account YOUR_SERVICE_ACCOUNT_EMAIL \
           --scopes https://www.googleapis.com/auth/logging.read \
           --shielded-integrity-monitoring \
           --shielded-secure-boot

   2. SSH into the instance and reboot it: `sudo reboot`

   3. After the instance is rebooted, check the integrity monitoring logs:

      a) The easy way -- SSH into the instance and run:

         curl -sSf https://raw.githubusercontent.com/ikapelyukhin/gce-integrity-tester/master/integrity.sh | bash

      b) Alternatively, see the logs in the web console:
         https://console.cloud.google.com/logs/query

 * To verify the fix:

   1. Build a custom image with the fixed version of `livecd-rootfs`
   2. Upload it to GCE
   3. Register it in GCE with the same secureboot DBX as the official images
   4. Create an instance
   5. Reboot it
   6. Check integrity logs

[Where problems could occur]

 * Any code that expects `initrdless_boot_fallback_triggered` to be explicitly 0
   would break.

[Other Info]

 * I will build and register custom images the same way official images are
   built and registered by CPC.

 * I can also spin up instances created from official/custom images and provide
   SSH access to them on request for bug reproduction/fix verification.

** Affects: livecd-rootfs (Ubuntu)
     Importance: Undecided
       Assignee: Ivan Kapelyukhin (ikapelyukhin)
         Status: New
** Changed in: livecd-rootfs (Ubuntu)
       Assignee: (unassigned) => Ivan Kapelyukhin (ikapelyukhin)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1960564

Title:
  GCE shielded VM integrity monitoring reports errors
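Added example, not part of the bug report or of livecd-rootfs: a small POSIX shell inspector for the GRUB environment block, so the before/after state described under [Impact] (an empty /boot/grub/grubenv versus one holding initrdless_boot_fallback_triggered=0) can be checked on an instance before and after a reboot. The sample grubenv it constructs is assumed to follow the grub-editenv layout (header line, key=value lines, '#' padding to exactly 1024 bytes); the function names are the example's own.

```shell
#!/bin/sh
# Example code (not from the bug report). Inspect a GRUB environment block the
# way the measured-boot check cares about it: the file's content changes when
# grub writes initrdless_boot_fallback_triggered into an otherwise empty
# /boot/grub/grubenv on the first boot, which is what integrity monitoring
# flags on the second boot.
# Assumed layout (grub-editenv): line 1 "# GRUB Environment Block", then
# key=value lines, then '#' padding so the file is exactly 1024 bytes.

# Print key=value for every variable stored in the grubenv file $1.
# The header and the '#' padding line are skipped; an empty file yields nothing.
grubenv_vars() {
    [ -f "$1" ] || return 0
    grep -v '^#' "$1" | grep '=' || true
}

# Print the value of variable $2 from grubenv $1; exit 1 if it is not set.
# Distinguishes "unset" (pristine image) from "explicitly 0" (after first boot),
# which is the distinction named under [Where problems could occur].
grubenv_get() {
    val=$(grubenv_vars "$1" | sed -n "s/^$2=//p")
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Exit 0 if grubenv $1 holds no variables at all (the state shipped in the image).
grubenv_is_empty() {
    [ -z "$(grubenv_vars "$1")" ]
}

# Write a constructed 1024-byte grubenv to $1 with variables $2... set, to
# mimic /boot/grub/grubenv before (no args) and after (one arg) the first boot.
make_sample_grubenv() {
    out=$1; shift
    printf '# GRUB Environment Block\n' > "$out"
    for kv in "$@"; do printf '%s\n' "$kv" >> "$out"; done
    pad=$((1024 - $(wc -c < "$out")))
    head -c "$pad" /dev/zero | tr '\000' '#' >> "$out"
}
```

On a live instance, `grubenv_is_empty /boot/grub/grubenv` before the first reboot and again after it shows whether the measured file was rewritten.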