NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Cannot boot EFI image in shielded for google compute engine #292521

Open michaelCTS opened 7 months ago

michaelCTS commented 7 months ago

Describe the bug

After generating an EFI image for Google Compute Engine using https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/google-compute-image.nix and creating an image with UEFI compatibility, the VM won't start.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Create a new configuration.nix
     { ... }:
     {
       imports = [
         <nixpkgs/nixos/modules/virtualisation/google-compute-image.nix>
       ];
       virtualisation.googleComputeImage.efi = true;
     }
  2. Build the image (inspired by create-gce.sh)
     nix-build '<nixpkgs/nixos/lib/eval-config.nix>' \
       -A config.system.build.googleComputeImage \
       --arg modules "[ (import /tmp/nixos-gce/configuration.nix {}) <nixpkgs/nixos/modules/virtualisation/google-compute-image.nix> ]" \
       --argstr system x86_64-linux \
       -o gce \
       -j 10
  3. Upload the resulting .raw.tar.gz to Google Cloud Storage (GCS)
  4. Create a new image with UEFI compatibility
     gcloud compute images create [IMAGE_NAME] \
       --source-uri [SOURCE_DISK_STORAGE_URI] \
       --source-disk-zone [ZONE] \
       --guest-os-features="UEFI_COMPATIBLE"
  5. Create a new shielded VM using the cloud console
  6. Enable serial port logging if you don't have access to the serial port
     gcloud compute instances add-metadata [INSTANCE_NAME] \
       --metadata serial-port-logging-enable=true
  7. Start the VM

Expected behavior

The VM should boot and it should be possible to SSH into it.

Screenshots

-

Additional context

The serial console just loops with

[2J[=3h[=3hBdsDxe: loading Boot0001 "UEFI Google PersistentDisk " from PciRoot(0x0)/Pci(0x3,0x0)/Scsi(0x1,0x0)

UEFI: Failed to load image.
Description: UEFI Google PersistentDisk 
FilePath: PciRoot(0x0)/Pci(0x3,0x0)/Scsi(0x1,0x0)
OptionNumber: 1.
Status: Security Violation.

BdsDxe: failed to load Boot0001 "UEFI Google PersistentDisk " from PciRoot(0x0)/Pci(0x3,0x0)/Scsi(0x1,0x0): Security Violation

[=3h[=3hBdsDxe: loading Boot0001 "UEFI Google PersistentDisk " from PciRoot(0x0)/Pci(0x3,0x0)/Scsi(0x1,0x0)

UEFI: Failed to load image.
Description: UEFI Google PersistentDisk 
FilePath: PciRoot(0x0)/Pci(0x3,0x0)/Scsi(0x1,0x0)
OptionNumber: 1.
Status: Security Violation.

Also tried using the disk in virtualbox, to no avail.

mkdir -p ~/tmp/nixos-gce
cd ~/tmp/nixos-gce
# Extract raw disk from tar
tar xvf /nix/store/3icfh8x26ns9dcygd9x6b0b1jqw7k8nk-google-compute-image/nixos-image-23.11.4621.3cb4ae6689d2-x86_64-linux.raw.tar.gz
# Convert raw disk to VDI
VBoxManage convertfromraw disk.raw disk.vdi

Then create a new machine with VirtualBox, enable UEFI and secure boot, and try to boot.


Notify maintainers

@AmineChikhaoui @Atry @Mic92

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.78, NixOS, 23.11 (Tapir), 23.11.4621.3cb4ae6689d2`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.1`
 - channels(root): `"nixos-23.11, nixos-unstable"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

Add a :+1: reaction to issues you find important.

Atemu commented 7 months ago

Do "shielded VM"s require secure boot? If so, that simply won't work; the image is not signed and even if you could, you'd need access to a key that Google's servers trust.
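A quick way to confirm the "unsigned image" explanation is to check whether the EFI bootloader on the image's ESP (e.g. the file extracted from disk.raw) carries an Authenticode signature at all, since Secure Boot can only consult the firmware db if a signature is present. This is an added example, not code from the issue or from nixpkgs; `authenticode_status` and `build_stub_efi` are names chosen here, and the stub is a constructed header-only PE32+ skeleton with a placeholder certificate entry so the check can run offline, not a real EFI binary.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CERT_TABLE_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode signatures)
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def authenticode_status(pe: bytes) -> dict:
    """Locate the Certificate Table of a PE/EFI binary and list its WIN_CERTIFICATE entries.
    Secure Boot rejects an EFI app whose signature is absent or untrusted ("Security Violation")."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                               # skip signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    if struct.unpack_from("<I", pe, n_dirs_off)[0] <= CERT_TABLE_INDEX:
        return {"signed": False, "size": 0, "certs": []}
    # Unlike the other directories, the security entry holds a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, dirs_off + 8 * CERT_TABLE_INDEX)
    certs, pos, end = [], offset, min(offset + size, len(pe))
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8:
            break                                     # corrupt entry, stop walking
        certs.append((revision, cert_type, cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA))
        pos += (length + 7) & ~7                      # WIN_CERTIFICATE entries are 8-byte aligned
    return {"signed": bool(certs), "size": size, "certs": certs}

def build_stub_efi(signed: bool) -> bytes:
    """Constructed PE32+ skeleton (not a real bootloader) with an optional placeholder signature."""
    opt_size, e_lfanew = 112 + 16 * 8, 0x40           # PE32+ fixed part + 16 data directories
    cert_off = e_lfanew + 4 + 20 + opt_size           # certificate table follows the headers
    body = b"\x30\x82" + b"\0" * 38                   # fake DER prefix, NOT a real PKCS#7 blob
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body if signed else b""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)   # x86-64 executable
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX, cert_off if signed else 0, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert
```

Run `authenticode_status` on the bytes of the real bootloader from the ESP; an empty table means the binary was never signed, so no custom pk/kek/db upload can make the firmware accept it until it is.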

michaelCTS commented 7 months ago

Shielded VMs require secure boot. There is a guide on how to create custom shielded VM images. I didn't set up certificates as they were marked as "optional".

Note that pk, keks, dbxs and dbs are optional fields.

I have no real understanding of secure boot, but my assumption is that because it's possible to upload your own keys to google, it should be possible to sign the image somehow with those keys. IINM the goal is to ensure that the VM starting is the one created from your image and doesn't have something like a rootkit or was infected during a run and restarted with something like a rootkit.

But no idea...

LuNeder commented 1 month ago

I have the same VirtualBox problem when trying to boot any UEFI VM on a NixOS host