LRMv4: switch to signing nvidia modules via the Ubuntu Modules signing key

Bug #1918134 reported by Andy Whitcroft
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Andy Whitcroft
Bionic
Medium
Andy Whitcroft
Focal
Medium
Andy Whitcroft
Groovy
Medium
Andy Whitcroft
Hirsute
Medium
Andy Whitcroft
linux-restricted-modules (Ubuntu)
Medium
Andy Whitcroft
Bionic
Undecided
Unassigned
Focal
Undecided
Unassigned
Groovy
Undecided
Unassigned
Hirsute
Medium
Andy Whitcroft

Bug Description

To allow decoupling of nvidia-graphics-drivers-<version> streams and versions from the underlying kernel versions we wish to be able to sign new kernel modules into an existing kernel after the fact. Under bug #1898716 we added support for an Ubuntu Modules signing key certificate. Rebuild the LRM package to make use of this new signature.

This involves splitting the LRM package into three. linux-restricted-modules first builds the nvidia-graphics-drivers-* we require signed. linux-restricted-generate then consumes the .o's produced in that build and forms a signing custom binary upload for this. linux-restricted-signatures then consumes the signing result from the LRG upload and expresses clean redistributible signatures which are consumed by LRM at installation time. LRG must be embargoed as it (necessarily) generates fully formed .ko files for signing.

Additional process is added to the kernel build life-cycle to handle the privacy requirements of the LRG/LRS interaction.

Revision history for this message
Andy Whitcroft (apw) wrote :

We will also need to ensure master kernels have updated dkms-build and dkms-build--nvidia-N as we will sync those into the new linux-restricted-modules packages and break them.

Changed in linux-restricted-modules (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Andy Whitcroft (apw)
Changed in linux (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Andy Whitcroft (apw)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-restricted-modules - 5.11.0-11.12+1

---------------
linux-restricted-modules (5.11.0-11.12+1) hirsute; urgency=medium

  * LRMv4: switch to signing nvidia modules via the Ubuntu Modules signing key
    (LP: #1918134)
    - [Packaging] convert to v4 autogen form

 -- Andy Whitcroft <email address hidden> Mon, 08 Mar 2021 15:14:35 +0000

Changed in linux-restricted-modules (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.11.0-13.14

---------------
linux (5.11.0-13.14) hirsute; urgency=medium

  * CVE-2020-27170
    - bpf: Prohibit alu ops for pointer types not defining ptr_limit
    - bpf, selftests: Fix up some test_verifier cases for unprivileged

  * CVE-2020-27171
    - bpf: Fix off-by-one for area size in creating mask to left

 -- Andrea Righi <email address hidden> Fri, 19 Mar 2021 16:49:32 +0100

Changed in linux (Ubuntu):
status: In Progress → Fix Released
Andy Whitcroft (apw)
Changed in linux (Ubuntu Bionic):
assignee: nobody → Andy Whitcroft (apw)
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu Focal):
assignee: nobody → Andy Whitcroft (apw)
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu Groovy):
assignee: nobody → Andy Whitcroft (apw)
importance: Undecided → Medium
status: New → In Progress
Revision history for this message
Andy Whitcroft (apw) wrote :

I have tested installing linux-modules-nvidia-460 on each of groovy:linux, focal:linux, and bionic:linux, confirming that each assembles (passing the sha256 checks) and inserts (failing to find hardware).

@tseliot has tested this also on his Nvidia hardware with good results.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-restricted-modules - 5.4.0-71.79+1

---------------
linux-restricted-modules (5.4.0-71.79+1) focal; urgency=medium

  * LRMv4: switch to signing nvidia modules via the Ubuntu Modules signing key
    (LP: #1918134)
    - [Packaging] convert to v4 autogen form

linux-restricted-modules (5.4.0-71.79) focal; urgency=medium

  * Master version: 5.4.0-71.79

  * Miscellaneous Ubuntu changes
    - debian/dkms-versions -- update from master

 -- Stefan Bader <email address hidden> Wed, 07 Apr 2021 16:06:26 +0200

Changed in linux-restricted-modules (Ubuntu Focal):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-restricted-modules - 5.8.0-49.55+1

---------------
linux-restricted-modules (5.8.0-49.55+1) groovy; urgency=medium

  * LRMv4: switch to signing nvidia modules via the Ubuntu Modules signing key
    (LP: #1918134)
    - [Packaging] convert to v4 autogen form

linux-restricted-modules (5.8.0-49.55) groovy; urgency=medium

  * Master version: 5.8.0-49.55

  * Miscellaneous Ubuntu changes
    - debian/dkms-versions -- update from master

 -- Stefan Bader <email address hidden> Wed, 07 Apr 2021 15:53:36 +0200

Changed in linux-restricted-modules (Ubuntu Groovy):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-restricted-modules - 4.15.0-141.145+1

---------------
linux-restricted-modules (4.15.0-141.145+1) bionic; urgency=medium

  * LRMv4: switch to signing nvidia modules via the Ubuntu Modules signing key
    (LP: #1918134)
    - [Packaging] convert to v4 autogen form

linux-restricted-modules (4.15.0-141.145) bionic; urgency=medium

  * Master version: 4.15.0-141.145

  * Packaging resync (LP: #1786013)
    - [Packaging] resync dkms-build and family

  * Miscellaneous Ubuntu changes
    - debian/dkms-versions -- update from master

 -- Stefan Bader <email address hidden> Wed, 07 Apr 2021 16:13:40 +0200

Changed in linux-restricted-modules (Ubuntu Bionic):
status: New → Fix Released
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Stefan Bader (smb)
Changed in linux (Ubuntu Groovy):
status: In Progress → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-groovy' to 'verification-done-groovy'. If the problem still exists, change the tag 'verification-needed-groovy' to 'verification-failed-groovy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-groovy
Revision history for this message
Kleber Sacilotto de Souza (kleber-souza) wrote :

I confirm that with the recent changes synced back to groovy linux packaging the installation of linux-modules-nvidia-460-generic can be performed successfully. The driver is built and the module fails to load due to lack of hardware as expected.

Tested with:

$ uname -r
5.8.0-51-generic

tags: added: verification-done-groovy
removed: verification-needed-groovy
Revision history for this message
Kleber Sacilotto de Souza (kleber-souza) wrote :

Also verified with focal/linux:

$ uname -r
5.4.0-73-generic

tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (20.1 KiB)

This bug was fixed in the package linux - 4.15.0-143.147

---------------
linux (4.15.0-143.147) bionic; urgency=medium

  * bionic/linux: 4.15.0-143.147 -proposed tracker (LP: #1923811)

  * CVE-2021-29650
    - netfilter: x_tables: Use correct memory barriers.

  * LRMv4: switch to signing nvidia modules via the Ubuntu Modules signing key
    (LP: #1918134)
    - [Packaging] dkms-build{,--nvidia-N} sync back from LRMv4

  * Security-Fix Xen XSA 371 for Kernel 5.4.0-71 (LP: #1921902) //
    CVE-2021-28688
    - xen-blkback: don't leak persistent grants from xen_blkbk_map()

  * CVE-2021-20292
    - drm/ttm/nouveau: don't call tt destroy callback on alloc failure.

  * CVE-2021-29264
    - gianfar: fix jumbo packets+napi+rx overrun crash

  * CVE-2021-29265
    - usbip: fix stub_dev usbip_sockfd_store() races leading to gpf

  * Bcache bypasse writeback on caching device with fragmentation (LP: #1900438)
    - bcache: consider the fragmentation when update the writeback rate

  * Bionic update: upstream stable patchset 2021-03-31 (LP: #1922124)
    - net: usb: qmi_wwan: support ZTE P685M modem
    - scripts: use pkg-config to locate libcrypto
    - scripts: set proper OpenSSL include dir also for sign-file
    - hugetlb: fix update_and_free_page contig page struct assumption
    - drm/virtio: use kvmalloc for large allocations
    - virtio/s390: implement virtio-ccw revision 2 correctly
    - arm64 module: set plt* section addresses to 0x0
    - arm64: Avoid redundant type conversions in xchg() and cmpxchg()
    - arm64: cmpxchg: Use "K" instead of "L" for ll/sc immediate constraint
    - arm64: Use correct ll/sc atomic constraints
    - JFS: more checks for invalid superblock
    - media: mceusb: sanity check for prescaler value
    - xfs: Fix assert failure in xfs_setattr_size()
    - smackfs: restrict bytes count in smackfs write functions
    - net: fix up truesize of cloned skb in skb_prepare_for_shift()
    - mm/hugetlb.c: fix unnecessary address expansion of pmd sharing
    - net: bridge: use switchdev for port flags set through sysfs too
    - dt-bindings: net: btusb: DT fix s/interrupt-name/interrupt-names/
    - staging: fwserial: Fix error handling in fwserial_create
    - x86/reboot: Add Zotac ZBOX CI327 nano PCI reboot quirk
    - vt/consolemap: do font sum unsigned
    - wlcore: Fix command execute failure 19 for wl12xx
    - pktgen: fix misuse of BUG_ON() in pktgen_thread_worker()
    - ath10k: fix wmi mgmt tx queue full due to race condition
    - x86/build: Treat R_386_PLT32 relocation as R_386_PC32
    - Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data
    - staging: most: sound: add sanity check for function argument
    - media: uvcvideo: Allow entities with no pads
    - f2fs: handle unallocated section and zone on pinned/atgc
    - parisc: Bump 64-bit IRQ stack size to 64 KB
    - Xen/gnttab: handle p2m update errors on a per-slot basis
    - xen-netback: respect gnttab_map_refs()'s return value
    - zsmalloc: account the number of compacted pages correctly
    - swap: fix swapfile read/write offset
    - media: v4l: ioctl: Fix memory leak in video_usercopy
    - PCI: Add a REBAR size quirk for S...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (40.7 KiB)

This bug was fixed in the package linux - 5.4.0-73.82

---------------
linux (5.4.0-73.82) focal; urgency=medium

  * focal/linux: 5.4.0-73.82 -proposed tracker (LP: #1923781)

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * CIFS DFS entries not accessible with 5.4.0-71.74-generic (LP: #1923670)
    - Revert "cifs: Set CIFS_MOUNT_USE_PREFIX_PATH flag on setting
      cifs_sb->prepath."

  * CVE-2021-29650
    - Revert "netfilter: x_tables: Update remaining dereference to RCU"
    - Revert "netfilter: x_tables: Switch synchronization to RCU"
    - netfilter: x_tables: Use correct memory barriers.

  * LRMv4: switch to signing nvidia modules via the Ubuntu Modules signing key
    (LP: #1918134)
    - [Packaging] dkms-build{,--nvidia-N} sync back from LRMv4

  * 5.4 kernel: when iommu is on crashdump fails (LP: #1922738)
    - iommu/vt-d: Refactor find_domain() helper
    - iommu/vt-d: Add attach_deferred() helper
    - iommu/vt-d: Move deferred device attachment into helper function
    - iommu/vt-d: Do deferred attachment in iommu_need_mapping()
    - iommu/vt-d: Remove deferred_attach_domain()
    - iommu/vt-d: Simplify check in identity_mapping()

  * Backport mlx5e fix for tunnel offload (LP: #1921769)
    - net/mlx5e: Check tunnel offload is required before setting SWP

  * Bcache bypasse writeback on caching device with fragmentation (LP: #1900438)
    - bcache: consider the fragmentation when update the writeback rate

  * Fix implicit declaration warnings for kselftests/memfd test on newer
    releases (LP: #1910323)
    - selftests/memfd: Fix implicit declaration warnings

  * net/mlx5e: Add missing capability check for uplink follow (LP: #1921104)
    - net/mlx5e: Add missing capability check for uplink follow

  * [UBUNUT 21.04] s390/vtime: fix increased steal time accounting
    (LP: #1921498)
    - s390/vtime: fix increased steal time accounting

  * Mute/Mic-mute LEDs are not work on HP 850/840/440 G8 Laptops (LP: #1920030)
    - ALSA: hda/realtek: fix mute/micmute LEDs for HP 840 G8
    - ALSA: hda/realtek: fix mute/micmute LEDs for HP 440 G8
    - ALSA: hda/realtek: fix mute/micmute LEDs for HP 850 G8

  * Focal update: v5.4.106 upstream stable release (LP: #1920246)
    - uapi: nfnetlink_cthelper.h: fix userspace compilation error
    - powerpc/pseries: Don't enforce MSI affinity with kdump
    - ath9k: fix transmitting to stations in dynamic SMPS mode
    - net: Fix gro aggregation for udp encaps with zero csum
    - net: check if protocol extracted by virtio_net_hdr_set_proto is correct
    - net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0
    - sh_eth: fix TRSCER mask for SH771x
    - can: skb: can_skb_set_owner(): fix ref counting if socket was closed before
      setting skb ownership
    - can: flexcan: assert FRZ bit in flexcan_chip_freeze()
    - can: flexcan: enable RX FIFO after FRZ/HALT valid
    - can: flexcan: invoke flexcan_chip_freeze() to enter freeze mode
    - can: tcan4x5x: tcan4x5x_init(): fix initialization - clear MRAM before
      entering Normal Mode
    - tcp: add sanity tests to TCP_QUEUE_SEQ
    - netfilter: nf_nat: undo erroneous tcp edemux lookup
    - ne...

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.8.0-53.60

---------------
linux (5.8.0-53.60) groovy; urgency=medium

  * CVE-2021-3491
    - io_uring: fix provide_buffers sign extension
    - io_uring: fix overflows checks in provide buffers
    - SAUCE: proc: Avoid mixing integer types in mem_rw()
    - SAUCE: io_uring: truncate lengths larger than MAX_RW_COUNT on provide
      buffers

  * CVE-2021-3490
    - bpf: Fix a verifier failure with xor
    - SAUCE: bpf: verifier: fix ALU32 bounds tracking with bitwise ops

  * CVE-2021-3489
    - SAUCE: bpf: ringbuf: deny reserve of buffers larger than ringbuf
    - SAUCE: bpf: prevent writable memory-mapping of read-only ringbuf pages

 -- Stefan Bader <email address hidden> Thu, 06 May 2021 07:43:20 +0200

Changed in linux (Ubuntu Groovy):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers