efivars file system missing in Ubuntu 22.04 real-time kernel
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ubuntu-realtime | Fix Released | Medium | Joseph Salisbury |
Bug Description
In the Ubuntu 22.04 generic kernel, like 5.15.0-23, the efivars file system is mounted and is visible in the output of the mount command; however, in the Ubuntu 22.04 real-time kernel, like 5.15.0-
---
In Ubuntu, multiple things rely on reliable access to efivars (read-only) and on the ability to manipulate them too (read-write). Thus imho we should revert the v5.15 patch that turns efivars by default, and in later series update the annotation to keep it on, even under realtime.
Things sort of work on boot, as the shim fallback app (fb*.efi) parses, loads and sets the initial boot variables. However, subsequent updates to our bootloaders (shim, grub, nullboot, snapd) do not know if they are set, if they are correct, or if they can be used. Functionality that is missing on such systems is thus the inability to install fw updates with fwupd, the inability to boot into firmware setup (systemctl reboot --firmware-setup), and the inability to predict measurements in order to predict sealing policies with new updates in the case of TPM-based sealed secrets (i.e. UC-based FDE, systemd-based secrets, SGX, etc.).
I will use this bug report to address this by default. Users that are concerned about userspace/OS accessing and using efivars during maintenance operations (package upgrades) or otherwise during runtime (arbitrary calls to bootctl, for example) should consider getting hardware that has a realtime-aware EFI implementation, or modify their classic or core systems to disable EFI runtime services by opting out of efivars.
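As an added check that is not part of the bug report or of the Ubuntu kernel tree: the shell functions below report whether efivarfs is mounted at the path the generic kernel uses, reading a mounts table in /proc/self/mounts format so the same logic runs against the live system or against constructed sample tables representing the two states described above (the mount table samples and the status names are assumptions of this example).

```shell
#!/bin/sh
# Added check, not from the bug report: report whether efivarfs is mounted,
# reading a mounts table in /proc/self/mounts format so it can be run either
# against the live system or against a captured table from an affected host.

# efivarfs_mounted MOUNTS_FILE
# Succeeds (exit 0) when an efivarfs entry is mounted at the canonical path.
efivarfs_mounted() {
    awk '$2 == "/sys/firmware/efi/efivars" && $3 == "efivarfs" { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# efivars_status MOUNTS_FILE EFI_SYSFS_DIR
# Prints no-efi (booted without EFI firmware, nothing to check), mounted
# (the normal generic-kernel state) or missing (EFI firmware present but no
# efivarfs, the symptom reported for the real-time kernel).
efivars_status() {
    if [ ! -d "$2" ]; then
        echo no-efi
    elif efivarfs_mounted "$1"; then
        echo mounted
    else
        echo missing
    fi
}

# Constructed sample tables (not captured from a real host) for offline use.
rt_sample=$(mktemp)
cat >"$rt_sample" <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 / ext4 rw,relatime 0 0
EOF
generic_sample=$(mktemp)
cat >"$generic_sample" <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 / ext4 rw,relatime 0 0
EOF

# Live check of this machine. On "missing", a kernel that still provides
# efivarfs can be repaired with:
#   mount -t efivarfs efivarfs /sys/firmware/efi/efivars
# which is exactly what fails when the kernel build has it turned off.
echo "this host: $(efivars_status /proc/self/mounts /sys/firmware/efi)"
```

Running it on a generic 22.04 kernel should print "mounted"; "missing" on an EFI-booted host is the condition under which fwupd and reboot --firmware-setup stop working.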
affects: ubuntu → linux (Ubuntu)
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Incomplete → Triaged
affects: linux (Ubuntu) → ubuntu-realtime
Changed in ubuntu-realtime:
assignee: nobody → Joseph Salisbury (jsalisbury)
description: updated
Changed in linux (Ubuntu):
importance: Undecided → Medium
Changed in ubuntu-realtime:
assignee: Joseph Salisbury (jsalisbury) → nobody
Changed in linux (Ubuntu):
status: Incomplete → Triaged
Changed in ubuntu-realtime:
status: Fix Committed → Fix Released
Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Libera.chat.
To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1970077/+editstatus and add the package name in the text box next to the word Package.
[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]