This isn't a bug with MAAS, it's a bug with shim/grub. MAAS gets its bootloaders from the public stream at images.maas.io which is generated by lp:maas-images. lp:maas-images pulls the bootloaders out of the archive, its currently set to pull them from bionic.
Secure boot is working in the ephemeral environment it's failing when trying to local boot into the deployed environment. When an x86_64 UEFI machine local boots with MAAS it boots over the network, downloads bootx64.efi(shim) which downloads grubx64.efi and this grub.cfg[1]. The grub from over the network finds /boot/efi/ubuntu/shimx64.efi on the local filesystem and chainboots to it. Somehow the chain of trust breaks here causing the system to halt. Booting local disk... Failed to open \efi\boot\grubx64.efi - Not Found Failed to load image \efi\boot\grubx64.efi: Not Found start_image() returned Not Found EFI stub: UEFI Secure Boot is enabled. Bootloader has not verified loaded image. System is compromised. halting. I tried using the shim and grub from Focal but I still get the same problem. [1] https://git.launchpad.net/maas/tree/src/provisioningserver/templates/uefi/config.local.amd64.template ** Also affects: shim-signed (Ubuntu) Importance: Undecided Status: New ** Also affects: grub (Ubuntu) Importance: Undecided Status: New ** Changed in: grub (Ubuntu) Status: New => Confirmed ** Changed in: shim-signed (Ubuntu) Status: New => Confirmed ** Summary changed: - MAAS can't deploy to a server with Secure Boot active + Chainbooting from grub over the network to local shim breaks chain of trust -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1865515 Title: Chainbooting from grub over the network to local shim breaks chain of trust To manage notifications about this bug go to: https://bugs.launchpad.net/maas/+bug/1865515/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
