GCP Compute engine Shielded VM secure boot | Failure at boot | Verification failed: (0x1A) Security Violation | Works fine with Secure boot disabled

On GCP, when I launch a Compute Engine instance through an instance group/template programmatically via a CI/CD automation script, the VM throws an error during boot, as shown in the serial port 1 (console) output: Verification failed: (0x1A) Security Violation.

Error trace on serial port 1 console:

UEFI: Attempting to start image.
Description: UEFI Google PersistentDisk
FilePath: PciRoot(0x0)/Pci(0x3,0x0)/Scsi(0x1,0x0)
OptionNumber: 1.

Verification failed: (0x1A) Security Violation.
I am using a custom image to boot the VM, and Shielded VM is enabled along with Secure Boot.

Also, if I disable Secure Boot, the VM boots just fine.
Also, if I launch a custom VM directly from the GCP UI/console, with Shielded VM and Secure Boot enabled and with the same custom image, it works just fine.

Things I have tried:

1. Checked logs in serial port 1 (console) on the VM; got the error:

Error trace on serial port 1 console:
UEFI: Attempting to start image.
Description: UEFI Google PersistentDisk
FilePath: PciRoot(0x0)/Pci(0x3,0x0)/Scsi(0x1,0x0)
OptionNumber: 1.

Verification failed: (0x1A) Security Violation.

2. Disabled the Secure Boot flag and restarted the above VM: gcloud compute instances update <my_instance> --shielded-secure-boot --zone <instance_zone>

The VM boot worked fine after disabling Secure Boot (but I need a solution with Secure Boot on).

3. Manually created a VM with Secure Boot enabled and the same custom image as used through the instance group (CI/CD automation); the instance booted fine.

I'd be glad to get some leads on it.
Thanks.
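As an added example, not part of the post above, the comparison a practitioner would run when "same image, different creation path, different boot outcome" shows up: take the JSON from gcloud compute instances describe for the console-created instance that boots and for the template-created instance that fails, and diff only the fields that govern Secure Boot (the shieldedInstanceConfig flags, and the boot disk's guestOsFeatures and licenses, which are inherited from the image the disk was built from). The two JSON documents below are constructed samples, not real describe output, and the mismatch they carry (a boot disk without the UEFI_COMPATIBLE guest OS feature) is hypothetical, chosen to show what a difference looks like rather than to diagnose the poster's instance.

```python
import json

# Constructed sample shaped like the output of
#   gcloud compute instances describe NAME --zone ZONE --format=json
# trimmed to the fields that matter for Shielded VM / Secure Boot.
# The instance created by hand in the Cloud Console (the one that boots):
WORKING_INSTANCE_JSON = """
{
  "name": "manual-vm",
  "shieldedInstanceConfig": {
    "enableSecureBoot": true,
    "enableVtpm": true,
    "enableIntegrityMonitoring": true
  },
  "disks": [
    {
      "boot": true,
      "deviceName": "persistent-disk-0",
      "guestOsFeatures": [
        {"type": "VIRTIO_SCSI_MULTIQUEUE"},
        {"type": "UEFI_COMPATIBLE"}
      ],
      "licenses": ["projects/example-project/global/licenses/custom-image"]
    }
  ]
}
"""

# The instance the CI/CD script created from the instance template (the one
# that fails with 0x1A). The mismatch it carries, a boot disk without the
# UEFI_COMPATIBLE guest OS feature, is hypothetical: it illustrates what a
# difference looks like, not what the poster's instance actually contains.
FAILING_INSTANCE_JSON = """
{
  "name": "mig-vm-x7k2",
  "shieldedInstanceConfig": {
    "enableSecureBoot": true,
    "enableVtpm": true,
    "enableIntegrityMonitoring": true
  },
  "disks": [
    {
      "boot": true,
      "deviceName": "persistent-disk-0",
      "guestOsFeatures": [
        {"type": "VIRTIO_SCSI_MULTIQUEUE"}
      ],
      "licenses": ["projects/example-project/global/licenses/custom-image"]
    }
  ]
}
"""


def boot_disk(instance):
    """Return the disk the instance boots from (the entry with "boot": true)."""
    for disk in instance.get("disks", []):
        if disk.get("boot"):
            return disk
    raise ValueError(f"{instance.get('name')}: no boot disk in description")


def summarize(instance):
    """Reduce a description to the fields that decide whether UEFI Secure Boot
    is on and whether the boot disk advertises a UEFI-capable image."""
    shielded = instance.get("shieldedInstanceConfig", {})
    disk = boot_disk(instance)
    return {
        "enableSecureBoot": shielded.get("enableSecureBoot", False),
        "enableVtpm": shielded.get("enableVtpm", False),
        "enableIntegrityMonitoring": shielded.get("enableIntegrityMonitoring", False),
        "guestOsFeatures": sorted(f["type"] for f in disk.get("guestOsFeatures", [])),
        "licenses": sorted(disk.get("licenses", [])),
    }


def diff_instances(working_json, failing_json):
    """Return {field: (working_value, failing_value)} for every summarized
    field that differs; an empty dict means both instances are configured
    identically in every field checked here."""
    good = summarize(json.loads(working_json))
    bad = summarize(json.loads(failing_json))
    return {k: (good[k], bad[k]) for k in good if good[k] != bad[k]}


if __name__ == "__main__":
    diffs = diff_instances(WORKING_INSTANCE_JSON, FAILING_INSTANCE_JSON)
    if not diffs:
        print("no difference in the checked fields; compare the disk contents next")
    for field, (good, bad) in diffs.items():
        print(f"{field}: working={good!r} failing={bad!r}")
```

Replace the two constants with the real describe output of the two instances. If guestOsFeatures or licenses differ, the template-created disk was built from a different image than the console-created one, so the next thing to read is properties.disks[].initializeParams.sourceImage in gcloud compute instance-templates describe; if nothing differs, the configuration is identical and the investigation moves to the disk contents themselves (whether the boot loader on that disk is signed by a key the Shielded VM UEFI firmware trusts).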
