please backport support for EFI vars > 1KB

Bug #1063061 reported by Steve Langasek
Affects              Status        Importance  Assigned to     Milestone
linux (Ubuntu)       Fix Released  Medium      Andy Whitcroft
  Precise            Won't Fix     Medium      Unassigned
  Quantal            Fix Released  Medium      Andy Whitcroft
mountall (Ubuntu)    Fix Released  Medium      Andy Whitcroft
  Precise            Won't Fix     Medium      Unassigned
  Quantal            Fix Released  Medium      Andy Whitcroft
sbsigntool (Ubuntu)  Fix Released  Medium      Unassigned
  Precise            Invalid       Medium      Unassigned
  Quantal            Fix Released  Medium      Unassigned

Bug Description

[Impact]
This is needed for full hardware enablement of 12.04 on SecureBoot systems. Without this change, management of the SecureBoot revocation database is not possible from Ubuntu userspace (at least, not out of the box).

[Test Case]
On EFI-enabled hardware:
1. verify that /sys/firmware/efi/efivars is not mounted at boot time.
2. install both linux-image-generic-lts-quantal and mountall from proposed.
3. reboot.
4. verify that /sys/firmware/efi/efivars is now mounted.

[Regression potential]
Minimal; as this uses mountall's notion of 'optional' filesystems, the filesystem will simply be skipped if the mountpoint does not exist or the filesystem is not supported by the running kernel.

As of Linux 3.5, it is not possible to update the SecureBoot database from userspace because the sysfs implementation only supports variable data up to 1KB in size and this is exceeded by even a minimum key database of one key.

Matt Fleming has accepted a patch from Matthew Garrett to add a new filesystem that supports larger variables. Please consider backporting this (as an SRU) to both quantal and precise.

   https://lkml.org/lkml/2012/10/5/22
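As an added example (not code from the bug report or from mountall), the Python below mirrors the test case and the regression analysis above: it reports whether the running kernel knows the efivarfs filesystem type, whether the sysfs mountpoint exists, and whether efivarfs is actually mounted there, which are the three conditions under which mountall's optional mount is skipped or succeeds. The constant and function names are my own; the sample /proc contents in the test are constructed.

```python
"""Check whether efivarfs is usable on this system (added example)."""
import os

# Mountpoint established by the kernel series and the mountall change in this bug.
EFIVARS_MOUNTPOINT = "/sys/firmware/efi/efivars"
EFIVARS_FSTYPE = "efivarfs"


def kernel_supports_efivarfs(proc_filesystems: str) -> bool:
    """True if /proc/filesystems lists efivarfs (lines: optional 'nodev', then name)."""
    return any(line.split()[-1:] == [EFIVARS_FSTYPE]
               for line in proc_filesystems.splitlines() if line.strip())


def efivarfs_mounted_at(proc_mounts: str, mountpoint: str = EFIVARS_MOUNTPOINT) -> bool:
    """True if /proc/mounts has an entry of type efivarfs at mountpoint.

    /proc/mounts fields: device, mountpoint, fstype, options, dump, pass.
    """
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == mountpoint and fields[2] == EFIVARS_FSTYPE:
            return True
    return False


def diagnose(proc_filesystems: str, proc_mounts: str, mountpoint_exists: bool) -> str:
    """Return 'ok', 'no-kernel-support', 'no-mountpoint' or 'not-mounted'.

    The first two outcomes are exactly the cases in which mountall skips the
    optional efivarfs mount; 'not-mounted' means the prerequisites are there
    but the mount did not happen (e.g. mountall without the efivars entry).
    """
    if not kernel_supports_efivarfs(proc_filesystems):
        return "no-kernel-support"
    if not mountpoint_exists:
        return "no-mountpoint"
    if not efivarfs_mounted_at(proc_mounts):
        return "not-mounted"
    return "ok"


if __name__ == "__main__":
    with open("/proc/filesystems") as f:
        filesystems = f.read()
    with open("/proc/mounts") as f:
        mounts = f.read()
    print(diagnose(filesystems, mounts, os.path.isdir(EFIVARS_MOUNTPOINT)))
```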

Steve Langasek (vorlon)
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Jeremy Kerr (jk-ozlabs) wrote :

We'd need all three patches in that series:

 https://patchwork.kernel.org/bundle/jk/efivarfs/

Revision history for this message
Jeremy Kerr (jk-ozlabs) wrote :

Also, that original link (to lkml.org) seems to be a superseded series. The patchwork link has the most recent code.

Revision history for this message
Jeremy Kerr (jk-ozlabs) wrote :

Sorry, I stand corrected, it's the same.

tags: added: kernel-da-key quantal
tags: added: kernel-key
removed: kernel-da-key
tags: added: precise
Changed in linux (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Jeremy Kerr (jk-ozlabs) wrote :

These patches, plus a documentation patch for efivars (91a8a30), are now in Matt Fleming's "next" tree:

  git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi.git

Andy Whitcroft (apw)
Changed in linux (Ubuntu Quantal):
assignee: nobody → Andy Whitcroft (apw)
status: Triaged → In Progress
Revision history for this message
Andy Whitcroft (apw) wrote :

We need a mountall change to get this filesystem mounted at boot. See attached debdiff.

Changed in mountall (Ubuntu Quantal):
assignee: nobody → Andy Whitcroft (apw)
importance: Undecided → Medium
Revision history for this message
Andy Whitcroft (apw) wrote :

I have tested this on an efi system and on systems without efi, both i386 and amd64 installs, with kernels with and without kernel support.

tags: removed: kernel-key
Steve Langasek (vorlon)
Changed in mountall (Ubuntu Quantal):
status: New → Fix Committed
Changed in mountall (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Jeremy Kerr (jk-ozlabs) wrote :

Just committed this to sbsigntool, to use the updated mountpoint. v0.5 has this (and only this) change.

commit ab63e31bb8ba8ef4b51b8698cc5e89466e003989
Author: Jeremy Kerr <email address hidden>
Date: Mon Oct 8 12:07:43 2012 +0800

    sbkeysync: change default efivarfs mountpoint to /sys/.../efivars/

    Proposed changes to the kernel will establish /sys/firmware/efi/efivars
    as the canonical mountpoint for the efivars filesystem.

    Signed-off-by: Jeremy Kerr <email address hidden>

diff --git a/NEWS b/NEWS
index b62c90a..786145f 100644
--- a/NEWS
+++ b/NEWS
@@ -1,2 +1,12 @@
+v0.5:
+ sbkeysync's default efivars mountpoint has been moved to
+ /sys/firmware/efi/efivars/. This is to match the proposed Linux kernel
+ patch for efivarfs, which provides this sysfs node for the purpose of
+ mounting efivarfs, and leaving the older ../vars/ interface for legacy
+ applications.
+
+ This default can be overridden using the --efivars-path option to
+ sbkeysync.
+
 v0.1:
        Initial version
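Review bot: the v0.5 entry writes the new mountpoint with a trailing slash (`/sys/firmware/efi/efivars/`) while the EFIVARS_MOUNTPOINT define in src/sbkeysync.c and the commit message's "canonical mountpoint" both use `/sys/firmware/efi/efivars`; spell the path one way in NEWS and in the description of the --efivars-path override so that documentation and code agree.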
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
index d68f675..011004a 100644
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -55,7 +55,7 @@
 #include "fileio.h"
 #include "efivars.h"

-#define EFIVARS_MOUNTPOINT "/sys/firmware/efi/vars"
+#define EFIVARS_MOUNTPOINT "/sys/firmware/efi/efivars"
 #define EFIVARS_FSTYPE 0x6165676C

 #define EFI_IMAGE_SECURITY_DATABASE_GUID \
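Review bot: only EFIVARS_MOUNTPOINT changes in this hunk while `#define EFIVARS_FSTYPE 0x6165676C` is left untouched; the old `/sys/firmware/efi/vars` directory is plain sysfs and the new mountpoint carries a separate filesystem, so confirm that this magic matches the efivarfs superblock magic in the kernel series this change targets, otherwise any filesystem-type check built on EFIVARS_FSTYPE will reject the new mount. A comment beside the define naming the kernel header it was taken from would make the two easier to keep in sync.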

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mountall - 2.42

---------------
mountall (2.42) unstable; urgency=low

  [ Andy Whitcroft ]
  * Add support for mounting the efivars filesystem onto
    /sys/firmware/efi/efivars. LP: #1063061.

  [ Steve Langasek ]
  * mount events now happen so much in parallel that /etc/mtab may not get
    updated due to races between 'mounted' events. Explicitly track the
    list of mounts that are in need of fake-remounting and make sure mount -f
    gets called for them if they missed the boat. LP: #1060296

 -- Steve Langasek <email address hidden> Tue, 09 Oct 2012 12:32:56 -0700

Changed in mountall (Ubuntu Quantal):
status: Fix Committed → Fix Released
Colin Watson (cjwatson)
Changed in sbsigntool (Ubuntu Precise):
status: New → Triaged
Changed in sbsigntool (Ubuntu Quantal):
status: New → Triaged
Changed in sbsigntool (Ubuntu Precise):
importance: Undecided → Medium
Changed in sbsigntool (Ubuntu Quantal):
importance: Undecided → Medium
Steve Langasek (vorlon)
Changed in sbsigntool (Ubuntu Precise):
status: Triaged → Invalid
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sbsigntool - 0.6-0ubuntu1

---------------
sbsigntool (0.6-0ubuntu1) quantal; urgency=low

  * New upstream release.
    - Uses the new mount point for the efivars directory, for compatibility
      with the pending upstream kernel patches and compatibility with what
      mountall is doing. LP: #1063061.
    - Fixes sbverify verification of the pkcs7 bundles that Microsoft-signed
      binaries deliver to us, enabling us to do build-time verification of
      shim-signed.
 -- Steve Langasek <email address hidden> Thu, 11 Oct 2012 17:24:56 -0700

Changed in sbsigntool (Ubuntu Quantal):
status: Triaged → Fix Released
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Quantal):
status: In Progress → Fix Committed
Revision history for this message
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel for Quantal in -proposed solves the problem (3.5.0-18.29). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-quantal' to 'verification-done-quantal'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-quantal
Revision history for this message
Steve Langasek (vorlon) wrote :

I've verified that the patch enables the expected interface to EFI variables. Preparing a test KEK update and PK update, I get the following output from sbkeysync --verbose:

$ sudo sbkeysync --verbose --keystore keydb
Filesystem keystore:
  keydb/KEK/test.KEK-update [3076 bytes]
  keydb/PK/test.PK-update [3076 bytes]
firmware keys:
  PK:
    /CN=DO NOT TRUST - PK
  KEK:
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation KEK CA 2011
  db:
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Testing Root Certificate Authority 2010
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows PCA 2010
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
  dbx:
    0000000000000000000000000000000000000000000000000000000000000000
filesystem keys:
  PK:
    /C=US/ST=Oregon/L=Portland/O=Canonical Ltd./OU=Ubuntu Engineering/CN=Steve's test <email address hidden>
     from keydb/PK/test.PK-update
  KEK:
    /C=US/ST=Oregon/L=Portland/O=Canonical Ltd./OU=Ubuntu Engineering/CN=Steve's test <email address hidden>
     from keydb/KEK/test.KEK-update
  db:
  dbx:
New keys in filesystem:
 keydb/KEK/test.KEK-update
 keydb/PK/test.PK-update
Inserting key update keydb/KEK/test.KEK-update into KEK
Error writing key update: Permission denied
Error syncing keystore file keydb/KEK/test.KEK-update
$

The provided interface works as expected in this test case; the write is blocked because Secure Boot is enabled and the update is not signed with the platform key, so this is the expected error. I don't have time at the moment to test that a properly-authenticated write succeeds, but I don't think testing that is required to confirm that the kernel change is correct. Marking verification-done.
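As an added example (not part of the bug report), the Python below packs a single X.509 certificate into the EFI_SIGNATURE_LIST layout that PK, KEK, db and dbx use and checks the result against the 1024-byte data limit of the pre-efivarfs sysfs interface, which is the reason a one-key database (let alone the 3076-byte signed updates listed above) could not be written through it. The certificate bytes and the owner GUID are constructed stand-ins; the structure layout and EFI_CERT_X509_GUID follow the UEFI specification.

```python
"""One X.509 key versus the old 1KB efivars sysfs limit (added example)."""
import struct
import uuid

# The Data[] field of the old sysfs efi_variable structure holds 1024 bytes.
OLD_SYSFS_DATA_LIMIT = 1024
# EFI_CERT_X509_GUID from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
SIGLIST_HDR = struct.Struct("<16sIII")
OWNER_GUID_LEN = 16  # EFI_SIGNATURE_DATA.SignatureOwner precedes each cert

# Constructed owner GUID and DER stand-in; a real RSA-2048 X.509 cert is
# usually well over 1000 bytes, so 1100 is a realistic size for the demo.
TEST_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_CERT = bytes([0x30, 0x82]) + b"\x00" * 1098


def build_x509_signature_list(owner: uuid.UUID, certs: list) -> bytes:
    """Pack equal-length DER certificates into one EFI_SIGNATURE_LIST."""
    if len({len(c) for c in certs}) != 1:
        raise ValueError("all signatures in one list must have the same size")
    sig_size = OWNER_GUID_LEN + len(certs[0])
    list_size = SIGLIST_HDR.size + sig_size * len(certs)
    body = b"".join(owner.bytes_le + c for c in certs)
    return SIGLIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size) + body


def parse_signature_lists(blob: bytes) -> list:
    """Walk back-to-back EFI_SIGNATURE_LISTs; return (type GUID, [cert bytes]) pairs."""
    out, off = [], 0
    while off < len(blob):
        sig_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        data = blob[off + SIGLIST_HDR.size + hdr_size: off + list_size]
        certs = [data[i + OWNER_GUID_LEN:i + sig_size] for i in range(0, len(data), sig_size)]
        out.append((uuid.UUID(bytes_le=sig_type), certs))
        off += list_size
    return out


def fits_old_sysfs_interface(var_data: bytes) -> bool:
    """True only if the variable data would fit the pre-efivarfs interface.

    A signed update adds an EFI_VARIABLE_AUTHENTICATION_2 header on top of
    the list, so the real write payload is larger still.
    """
    return len(var_data) <= OLD_SYSFS_DATA_LIMIT
```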

tags: added: verification-done-quantal
removed: verification-needed-quantal
Revision history for this message
Adam Conrad (adconrad) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.5.0-18.29

---------------
linux (3.5.0-18.29) quantal-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1068224

  [ Andy Whitcroft ]

  * [packaging] do not fail secure copy on older kernels
  * SAUCE: efivarfs: efivarfs_file_read ensure we free data in error paths
    - LP: #1063061
  * SAUCE: efivars: efivarfs_create() ensure we drop our reference on inode
    on error
    - LP: #1063061
  * SAUCE: efivarfs: efivarfs_fill_super() fix inode reference counts
    - LP: #1063061
  * SAUCE: efivarfs: efivarfs_fill_super() ensure we free our temporary
    name
    - LP: #1063061
  * SAUCE: efivarfs: efivarfs_fill_super() ensure we clean up correctly on
    error
    - LP: #1063061
  * [Config] add fs/udf to linux-image to support DVD/CD formats in virtual
    instances
    - LP: #1066921

  [ Jeremy Kerr ]

  * SAUCE: efi: Handle deletions and size changes in efivarfs_write_file
    - LP: #1063061
  * SAUCE: efivarfs: Implement exclusive access for {get, set}_variable
    - LP: #1063061

  [ Kamal Mostafa ]

  * SAUCE: input: Cypress PS/2 Trackpad list additional contributors

  [ Kyle Fazzari ]

  * SAUCE: input: Cypress PS/2 Trackpad fix lost sync upon palm contact
    - LP: #1048258
  * SAUCE: input: Cypress PS/2 Trackpad fix taps turning into hardware
    clicks
    - LP: #1064086

  [ Leann Ogasawara ]

  * Revert "SAUCE: ext4: fix crash when accessing /proc/mounts
    concurrently"
    - LP: #1066176
  * Revert "SAUCE: ALSA: hda/realtek - Fix detection of ALC271X codec"
    - LP: #1066176

  [ Lee, Chun-Yi ]

  * SAUCE: efi: add efivars kobject to efi sysfs folder
    - LP: #1063061

  [ Matt Fleming ]

  * SAUCE: efivarfs: Add documentation for the EFI variable filesystem
    - LP: #1063061

  [ Matthew Garrett ]

  * SAUCE: efi: Add support for a UEFI variable filesystem
    - LP: #1063061

  [ Sarveshwar Bandi ]

  * SAUCE: bridge: Pull ip header into skb->data before looking into ip
    header.
    - LP: #1065150

  [ Upstream Kernel Changes ]

  * Revert "drm/i915: correctly order the ring init sequence"
    - LP: #1066176
  * vfs: dcache: fix deadlock in tree traversal
    - LP: #1063761
  * dm mpath: only retry ioctl when no paths if queue_if_no_path set
    - LP: #1063761
  * dm: handle requests beyond end of device instead of using BUG_ON
    - LP: #1063761
  * dm table: clear add_random unless all devices have it set
    - LP: #1063761
  * dm verity: fix overflow check
    - LP: #1063761
  * usb: gadget: make g_printer enumerate again
    - LP: #1063761
  * usb: gadget: initialize the strings in tcm_usb_gadget properly
    - LP: #1063761
  * USB: option: blacklist QMI interface on ZTE MF683
    - LP: #1063761
  * USB: ftdi_sio: add TIAO USB Multi-Protocol Adapter (TUMPA) support
    - LP: #1063761
  * USB: qcaux: add Pantech vendor class match
    - LP: #1063761
  * usb: host: xhci: Fix Null pointer dereferencing with 71c731a for
    non-x86 systems
    - LP: #1063761
  * USB: serial: fix up bug with missing {}
    - LP: #1063761
  * staging: speakup_soft: Fix reading of init string
    - LP: #1063761
  * tty: keyboard.c: Remove locking from vt_get_leds.
  ...

Changed in linux (Ubuntu Quantal):
status: Fix Committed → Fix Released
Steve Langasek (vorlon)
description: updated
description: updated
Revision history for this message
Colin Watson (cjwatson) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted mountall into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/mountall/2.36.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in mountall (Ubuntu Precise):
status: Triaged → Fix Committed
tags: added: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.7.0-0.5

---------------
linux (3.7.0-0.5) raring; urgency=low

  [ Tim Gardner ]

  * [Config] CONFIG_AMD_IOMMU_V2=m
    - LP: #1071520
  * [Config] CONFIG_MTD_ONENAND_SIM=n for armel
    Fixes FTBS
 -- Tim Gardner <email address hidden> Thu, 08 Nov 2012 15:45:39 -0500

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Steve, or anyone else affected,

Accepted mountall into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/mountall/2.36.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in linux (Ubuntu Precise):
status: Triaged → Won't Fix
Changed in mountall (Ubuntu Precise):
status: Fix Committed → Won't Fix