fwts securebootcert test would cause server to hang if secureboot is disabled in BIOS

Bug #1950956 reported by Zhanglei Mao
Affects | Status | Importance | Assigned to | Milestone
Firmware Test Suite | Invalid | Undecided | Ivan Hu |

Bug Description

It can pass after enabling secureboot in BIOS.

Zhanglei Mao (zhanglei-mao) wrote :

strace output is like below in the case of the hang:

ioctl(2, TIOCGWINSZ, {ws_row=49, ws_col=189, ws_xpixel=0, ws_ypixel=0}) = 0
write(2, " UEFI secure boot test. "..., 189 UEFI secure boot test. ) = 189 : 50.0% \
ioctl(2, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(2, TIOCGWINSZ, {ws_row=49, ws_col=189, ws_xpixel=0, ws_ypixel=0}) = 0
write(2, " "..., 189 ) = 189
write(2, " UEFI secure boot test. "..., 80 UEFI secure boot test. 5 passed, 1 info only
) = 80
write(3, "\n", 1) = 1
write(3, "Test 2 of 2: UEFI secure boot va"..., 45) = 45
ioctl(2, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(2, TIOCGWINSZ, {ws_row=49, ws_col=189, ws_xpixel=0, ws_ypixel=0}) = 0
write(2, " UEFI secure boot variable test"..., 189 UEFI secure boot variable test. ) = 189 : 50.0% |
write(3, "AuditMode variable read-only tes"..., 45) = 45
ioctl(4, _IOC(_IOC_WRITE, 0x70, 0x2, 0x2c), 0x7ffe4dc3c3c0

summary: - fwts securebootcert test would cause server hange after disable
+ fwts securebootcert test would cause server hang after disable
secureboot in bios
summary: - fwts securebootcert test would cause server hang after disable
+ fwts securebootcert test would cause server would hang if disable
secureboot in bios
description: updated
Zhanglei Mao (zhanglei-mao) wrote (last edit ):

The working (not hanging) test seems to just show "Kernel is in lockdown mode and Test aborted" from strace. So we wonder whether the normal logic for fwtest should ignore it when secure boot is disabled in BIOS.

Zhanglei Mao (zhanglei-mao) wrote :

We got this issue on a partner's server.

Zhanglei Mao (zhanglei-mao) wrote :

The line below, in the function static int securebootcert_test2(fwts_framework *fw), makes the test hang.

(gdb) b 572

Breakpoint 2 at 0x5555555cc207: file uefi/securebootcert/securebootcert.c, line 572.
(gdb) c
Continuing.

Breakpoint 2, securebootcert_test2 (fw=0x5555556515e0) at uefi/securebootcert/securebootcert.c:572
572 ret = securebootcert_setvar(fw, attributes, varauditmode, &global_guid, &data);
(gdb) print fw
$1 = (fwts_framework *) 0x5555556515e0
(gdb) print attributes
$2 = 7
(gdb) print varauditmode
$3 = {65, 117, 100, 105, 116, 77, 111, 100, 101, 0}
(gdb) print global_guid
$4 = {Data1 = 2347032417, Data2 = 37834, Data3 = 4562, Data4 = "\252\r\000\340\230\003+\214"}
(gdb) print data
$5 = 0 '\000'
(gdb) n

Zhanglei Mao (zhanglei-mao) wrote (last edit ):

More exactly, it seems that when the ioctl writes to /dev/uef_test, it hangs the system at the point below:

inside the function "static int securebootcert_test2(fwts_framework *fw)"

        fwts_log_info(fw, "AuditMode variable read-only test, set to 0.");
        ret = securebootcert_setvar(fw, attributes, varauditmode, &global_guid, &data);

Breakpoint 2, securebootcert_setvar (fw=0x5555556515e0, attributes=7, varname=0x55555563b780 <varauditmode>, data=0x7fffffffe227 "", guid=0x55555563b7a0 <global_guid>)
    at uefi/securebootcert/securebootcert.c:530
530 ioret = ioctl(fd, EFI_RUNTIME_SET_VARIABLE, &setvariable);
(gdb) print fd
$1 = 4
(gdb) print EFI_RUNTIME_SET_VARIABLE,
No symbol "EFI_RUNTIME_SET_VARIABLE" in current context.
(gdb) print &setvariable
$2 = (struct efi_setvariable *) 0x7fffffffe1c0
(gdb) print setvariable
$2 = {VariableName = 0x55555563b780 <varauditmode>, VendorGuid = 0x55555563b7a0 <global_guid>, Attributes = 7, DataSize = 1, Data = 0x7fffffffe227, status = 0x7fffffffe1b8}
(gdb) x guid
0x55555563b7a0 <global_guid>: 0x8be4df61
(gdb) n
( would hang and have to reset server )

Zhanglei Mao (zhanglei-mao) wrote :

Inside the uef_test module, the ioctl call seems to be:

status = efi.set_variable(name, &vendor_guid,
                                setvariable.attributes,
                                setvariable.data_size, data);

Zhanglei Mao (zhanglei-mao) wrote :

The customer's engineer has the below test on the shell:
Shell> dmpstore -d auditmode
Delete variable '8BE4DF61-93CA-11D2-AA0D-00E098032BBC:AuditMode': Invalid Parameter
Shell> dmpstore auditmode
Variable RT+BS 'EFIGlobaVariable:AuditMode' DataSize = 0x01
 00000000: 00
Shell>

The shell is open source; it seems to call EFI runtime services too, like:

// we only need to delete to
SetStatus = gRT->SetVariable (FoundVarName, &FoundVarGuid, Atts, 0, NULL);

So from the shell, the server will not hang or die.
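
Decoding the raw values quoted in the comments above (an added example, not part of the original thread or of fwts): it rebuilds the ioctl request that strace printed as _IOC(_IOC_WRITE, 0x70, 0x2, 0x2c) and renders the GUID and attribute mask from the gdb session in readable form. The names efi_setvariable64, ioc_encode, guid_text and attr_text are hypothetical; 64-bit pointers and the Linux generic ioctl bit layout are assumed.

```c
/* Added example: decodes raw values from the strace and gdb output in this thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field order as printed by gdb; pointers modelled as 64-bit (x86_64 assumption). */
struct __attribute__((packed)) efi_setvariable64 {
    uint64_t VariableName, VendorGuid;
    uint32_t Attributes;
    uint64_t DataSize, Data, status;
};

/* Linux generic ioctl encoding: nr bits 0-7, type 8-15, size 16-29, dir 30-31. */
uint32_t ioc_encode(uint32_t dir, uint32_t type, uint32_t nr, uint32_t size) {
    return (dir << 30) | (size << 16) | (type << 8) | nr;
}

/* Values copied from "print global_guid" in the gdb session. */
static const uint32_t g_d1 = 2347032417u;
static const uint16_t g_d2 = 37834, g_d3 = 4562;
static const unsigned char g_d4[] = "\252\r\000\340\230\003+\214";

/* Canonical 8-4-4-4-12 text form of the GUID. */
const char *guid_text(void) {
    static char out[37];
    snprintf(out, sizeof out, "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",
             (unsigned)g_d1, (unsigned)g_d2, (unsigned)g_d3, g_d4[0], g_d4[1],
             g_d4[2], g_d4[3], g_d4[4], g_d4[5], g_d4[6], g_d4[7]);
    return out;
}

/* UEFI variable attribute bits: 0x1 non-volatile, 0x2 boot service, 0x4 runtime. */
const char *attr_text(uint32_t a) {
    static char out[16];
    snprintf(out, sizeof out, "%s%s%s",
             (a & 1) ? "NV+" : "", (a & 2) ? "BS+" : "", (a & 4) ? "RT+" : "");
    if (out[0]) out[strlen(out) - 1] = '\0';   /* drop the trailing '+' */
    return out;
}

int main(void) {
    uint32_t req = ioc_encode(1 /* _IOC_WRITE */, 'p', 2,
                              (uint32_t)sizeof(struct efi_setvariable64));
    printf("%s:AuditMode attrs=%s ioctl=0x%08X\n", guid_text(), attr_text(7), (unsigned)req);
    return 0;
}
```

The rebuilt request has type 'p' (0x70), number 2 and size 0x2c, matching the strace line at the hang, and attribute value 7 decodes to NV+BS+RT, whereas the dmpstore transcript lists the stored variable as RT+BS. The gdb bytes decode to a GUID ending in 00E098032B8C, while the shell transcript above shows the last group as 00E098032BBC.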

Alex Hung (alexhung)
Changed in fwts:
assignee: nobody → Ivan Hu (ivan.hu)
Ivan Hu (ivan.hu) wrote :

From comment #7:
It seems to be a BIOS issue that the AuditMode variable value cannot be set with the UEFI runtime service "SetVariable"; you should check with the OEM/ODM's BIOS team about the issue.

From comment #8:
What I saw is that it deleted the AuditMode variable, but the AuditMode variable was still there on the UEFI shell.
It seems the AuditMode variable was not deleted successfully:
Delete variable '8BE4DF61-93CA-11D2-AA0D-00E098032BBC:AuditMode': Invalid Parameter.
Doesn't provide BIOS works on SetVariable for AuditMode variable.

Changed in fwts:
status: New → Confirmed
Zhanglei Mao (zhanglei-mao) wrote :

I tested my Lenovo and AMD (Ryzen 5 PRO) laptop with https://fwts.ubuntu.com/fwts-live/fwts-live-21.11.00-x86_64.img.xz. The "fwts securebootcert" test can pass (no hang or dead) whether BIOS secure boot is enabled or disabled.

Ivan Hu (ivan.hu)
Changed in fwts:
status: Confirmed → Invalid