curtin: install flash-kernel in arm64 UEFI unexpected
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cloud-images | Confirmed | Undecided | Unassigned |
curtin (Ubuntu) | Confirmed | Undecided | Unassigned |
Focal | New | Undecided | Unassigned |
Hirsute | Won't Fix | Undecided | Unassigned |
linux (Ubuntu) | Fix Released | Undecided | dann frazier |
Focal | Fix Released | Medium | dann frazier |
Hirsute | Fix Released | Medium | Unassigned |

Bug Description
[Impact (linux)]
The only package that currently satisfies the bootloader Recommends relationship on ARM systems is flash-kernel. This ignores EFI-based systems, which will instead require GRUB. Our installers know to install GRUB anyway - but flash-kernel also gets installed. Normally flash-kernel realizes it is not needed and just exits - so the impact is limited to wasting space and CPU cycles on each kernel update. However, there can be cases where calling flash-kernel can cause problems. The original report here describes one where flash-kernel thinks it recognizes the system and tries to run anyway, when in fact GRUB is the correct boot loader.
[Test Case (linux)]
On an arm64 system, confirm that grub-efi-arm64 is an option in the Recommends field:
$ apt show linux-image-
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
Recommends: flash-kernel | grub-efi-arm64, initramfs-tools | linux-initramfs
[What Could Go Wrong (linux)]
First let me describe the mitigations against something going wrong. The proposed patch was already in the hirsute kernel at the time of hirsute GA, so it's had some real world testing, including in our installers. In addition, the patch still leaves flash-kernel as the *default* bootloader Recommends (first in the |'d list) - it only adds grub-efi-arm64 as a secondary option, preventing the installation of flash-kernel if GRUB is already there.
So, the only scenario where I can see a problem might be if something depends on flash-kernel getting installed due to a Recommends even though GRUB is already present.
= Original Report Follows =
I used an APM Mustang, which flash-kernel supported in u-boot mode.
But I used it with a UEFI environment.
It causes a fatal error when I use the ARM64 Ubuntu live server ISO to install the system.
In code[1], this will not install `flash-kernel` for the APM Mustang because of UEFI.
So that means code[2] will not disable `flash-kernel` in the target system; it only disables `update-initramfs`.
When curtin reaches the `install_kernel` stage, code[3,4] will not install `flash-kernel` either.
But in code[5], it will install `linux-generic`.
`linux-generic` has a long dependency tree and it will get `flash-kernel` in the Recommended field.
Apt by default will install Recommended packages before the kernel is installed.[6]
So it will still execute `zz-flash-kernel` and `flash-kernel` when installing the kernel.
But the system never created any `initrd.img` because curtin disables `update-initramfs` in code[2].
This will cause that `flash-kernel` cannot find `initrd.
This issue didn't affect all ARM64 UEFI platforms because `flash-kernel` didn't support them and skipped them.[7]
I'm not sure which is the best solution for this.
But I think we should both apply PR-27 in `flash-kernel`[8] as an enhancement and fix the curtin process with this patch.
If we only apply PR-27, it should work fine as well because it will be skipped when detecting UEFI
and install `flash-kernel` before `disable_
[Patch-1,2,3] might have side effects.
Picking one patch for curtin should be enough.
But I need your advice on this to determine which one is better for curtin.
There are two categories:
1. avoid installing flash-kernel if it is not needed, [Patch1,2]
2. always install flash-kernel on arm/arm64 and make sure it is installed before code[2] [Patch3]
(I will attach patch in reply.)
Thanks a lot
Regards,
Date
[1] https:/
[2] https:/
[3] https:/
[4] https:/
[5] https:/
[6] https:/
[7] https:/
[8] https:/
[9] curtin will insert `flash-kernel` into `REQUIRED_
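
The effect of the Recommends change described under [Impact (linux)] and [What Could Go Wrong (linux)] above, as an added example that is not part of the original bug report or of apt or curtin. It uses a simplified model of alternative handling (a group counts as satisfied when any alternative is already installed, otherwise the first alternative is chosen) and ignores Provides and version checks; `OLD_FIELD` is a constructed stand-in for the field before the fix, and the function names are hypothetical.

```python
import re

# NEW_FIELD is the Recommends line quoted in the test case above.
# OLD_FIELD is constructed from the description (flash-kernel as the only bootloader option).
NEW_FIELD = "flash-kernel | grub-efi-arm64, initramfs-tools | linux-initramfs"
OLD_FIELD = "flash-kernel, initramfs-tools | linux-initramfs"


def parse_recommends(field):
    """Split a Recommends value into OR-groups of bare package names."""
    groups = []
    for group in field.split(","):
        alternatives = []
        for alt in group.split("|"):
            # Drop "(>= 1.0)" version constraints, "[arm64]" arch lists, ":any" qualifiers.
            name = re.sub(r"\(.*?\)|\[.*?\]", "", alt).strip().split(":")[0]
            if name:
                alternatives.append(name)
        if alternatives:
            groups.append(alternatives)
    return groups


def pulled_in(field, installed):
    """Packages that honouring Recommends would add on top of `installed`.

    Simplified model (assumption): an OR-group is satisfied if any of its
    alternatives is installed; otherwise the first alternative is picked.
    """
    installed = set(installed)
    extra = []
    for alternatives in parse_recommends(field):
        if not installed.intersection(alternatives):
            extra.append(alternatives[0])
    return extra


if __name__ == "__main__":
    # Constructed package sets for a UEFI target and a bare target.
    uefi_target = {"grub-efi-arm64", "initramfs-tools"}
    bare_target = {"initramfs-tools"}
    print("old field, UEFI target:", pulled_in(OLD_FIELD, uefi_target))
    print("new field, UEFI target:", pulled_in(NEW_FIELD, uefi_target))
    print("new field, bare target:", pulled_in(NEW_FIELD, bare_target))
```

With GRUB already present the new field adds nothing, while a target without GRUB still gets flash-kernel as the default.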
Changed in linux (Ubuntu Hirsute):
status: New → Fix Released
description: updated
Changed in linux (Ubuntu Focal):
status: New → In Progress
assignee: nobody → dann frazier (dannf)
Changed in linux (Ubuntu Focal):
importance: Undecided → Medium
Changed in linux (Ubuntu Hirsute):
importance: Undecided → Medium
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
Patch-1