gce/ERR/2021_004

Serial logs don’t contain Secure Boot error messages.

Product: Compute Engine
Rule class: ERR - Something that is very likely to be wrong

Description

The messages “Security Violation”, “Binary is blacklisted”, “UEFI: Failed to start image” or “UEFI: Failed to load image” in the serial output usually indicate that Secure Boot’s pre-boot checks did not pass, so the firmware refused to start the boot binary.

The Google Security team may update the UEFI default dbx (the forbidden-signatures database) to blacklist binaries based on UEFI revocation list files, in response to published CVEs.
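The check this rule describes, as an added example that is not gcpdiag’s own implementation: it scans serial-port output for the four messages named above and reports the matching lines, so an operator can run it over a saved serial log. The sample serial output is constructed for the example.

```python
import re
from typing import List, Tuple

# Messages this rule associates with a failed Secure Boot pre-check.
SECURE_BOOT_FAILURE_PATTERNS = [
    r"Security Violation",
    r"Binary is blacklisted",
    r"UEFI: Failed to start image",
    r"UEFI: Failed to load image",
]
_COMPILED = [re.compile(p) for p in SECURE_BOOT_FAILURE_PATTERNS]


def find_secure_boot_errors(serial_output: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_pattern, line) for every serial line
    carrying one of the Secure Boot failure messages."""
    hits = []
    for lineno, line in enumerate(serial_output.splitlines(), start=1):
        for pat in _COMPILED:
            if pat.search(line):
                hits.append((lineno, pat.pattern, line.strip()))
                break  # one report per line is enough
    return hits


def evaluate(serial_output: str) -> str:
    """Mirror the rule verdict: ERR if any failure message is present, else OK."""
    return "ERR" if find_secure_boot_errors(serial_output) else "OK"


# Constructed sample serial output (hypothetical lines, not a real capture).
SAMPLE_SERIAL_OUTPUT = """\
UEFI firmware initialising (constructed line)
UEFI: Attempting to start image.
Security Violation
UEFI: Failed to start image.
Binary is blacklisted
"""

if __name__ == "__main__":
    for lineno, pattern, text in find_secure_boot_errors(SAMPLE_SERIAL_OUTPUT):
        print(f"line {lineno}: matched '{pattern}': {text}")
    print("verdict:", evaluate(SAMPLE_SERIAL_OUTPUT))
```

In practice the input would be the text returned by `gcloud compute instances get-serial-port-output` for the affected instance.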

Remediation

Make sure that you don’t use outdated images or images with known security issues.

Further information