efivarfs built as a module in saucy, so not mounted at boot

Bug #1223195 reported by Steve Langasek on 2013-09-10
Affects          Importance   Assigned to
linux (Ubuntu)   High         Tim Gardner
Saucy            High         Tim Gardner

Bug Description

The efivarfs driver in the saucy amd64 kernel is built as a module instead of being built in. As a consequence, when mountall checks /proc/filesystems to see what optional filesystems are supported, it doesn't find efivarfs there and efivarfs is never mounted at boot. This in turn means that secureboot-db will not be able to apply secureboot database updates to firmware, potentially leaving systems vulnerable to boot exploits.

This used to all work in raring and earlier, where efivarfs was built into the kernel (which was the only option). Please fix the config to make efivarfs built-in again (CONFIG_EFIVARFS=y).

For reference, please note that any kernel filesystem that mountall has flagged as "optional" in /lib/init/fstab must be a built-in driver in order to get the correct results. In addition to efivarfs, this includes debugfs, securityfs, spufs, binfmt_misc, and fusectl.
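The condition described in the report can be checked on a running system. This is an added example, not part of the original report and not code from mountall or the kernel packaging. Function names are hypothetical, the Kconfig names other than CONFIG_EFIVAR_FS are the mainline ones, and the kernel config is assumed to be at /boot/config-$(uname -r).

```shell
#!/bin/sh
# Filesystem name -> Kconfig option. CONFIG_EFIVAR_FS is from the changelog
# in this report; the others are the mainline option names (assumption).
config_option() {
    case "$1" in
        efivarfs)    echo CONFIG_EFIVAR_FS ;;
        debugfs)     echo CONFIG_DEBUG_FS ;;
        securityfs)  echo CONFIG_SECURITYFS ;;
        spufs)       echo CONFIG_SPU_FS ;;
        binfmt_misc) echo CONFIG_BINFMT_MISC ;;
        fusectl)     echo CONFIG_FUSE_FS ;;
    esac
}

# config_state OPTION CONFIG_FILE: print y, m, or n (unset or absent).
config_state() {
    state=$(sed -n "s/^$1=\([ym]\)\$/\1/p" "$2" | head -n 1)
    echo "${state:-n}"
}

# fs_registered NAME LISTING: succeed if NAME appears in a
# /proc/filesystems-style listing (the name is the last field of each line).
fs_registered() {
    awk -v fs="$1" '$NF == fs { found = 1 } END { exit !found }' "$2"
}

# modular_optional_fs LISTING CONFIG_FILE: print each optional filesystem
# that is not registered and whose driver is configured as a module.
modular_optional_fs() {
    for fs in efivarfs debugfs securityfs spufs binfmt_misc fusectl; do
        fs_registered "$fs" "$1" && continue
        [ "$(config_state "$(config_option "$fs")" "$2")" = m ] && echo "$fs"
    done
    return 0
}

# demo: run the check on constructed sample data (not from a real system).
demo() {
    d=$(mktemp -d)
    printf 'nodev\tsysfs\nnodev\tdebugfs\nnodev\tsecurityfs\n\text4\n' > "$d/fs"
    printf '%s\n' CONFIG_EFIVAR_FS=m CONFIG_DEBUG_FS=y CONFIG_SECURITYFS=y \
        '# CONFIG_SPU_FS is not set' CONFIG_BINFMT_MISC=m CONFIG_FUSE_FS=m > "$d/cfg"
    modular_optional_fs "$d/fs" "$d/cfg"
    rm -rf "$d"
}

# Live use: sh check.sh /proc/filesystems "/boot/config-$(uname -r)"
if [ $# -eq 2 ]; then modular_optional_fs "$1" "$2"; else demo; fi
```

A filesystem that is unregistered but not configured at all (spufs in the sample) is not reported, since only the built-as-module case produces the behaviour in this bug.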

Steve Langasek (vorlon) on 2013-09-10
Changed in linux (Ubuntu):
importance: Undecided → High
status: New → Triaged
milestone: none → ubuntu-13.10
Tim Gardner (timg-tpi) on 2013-09-10
Changed in linux (Ubuntu Saucy):
assignee: nobody → Tim Gardner (timg-tpi)
status: Triaged → In Progress
tags: added: saucy
Tim Gardner (timg-tpi) on 2013-09-10
Changed in linux (Ubuntu Saucy):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.11.0-7.13

---------------
linux (3.11.0-7.13) saucy; urgency=low

  * Release tracker
    - LP: #1223545

  [ Andy Whitcroft ]

  * SAUCE: (no-up) scsi: add scsi device flag to request VPD pages be used at SPC-2
    - LP: #1223499
  * SAUCE: (no-up) scsi: add scsi device flag to request READ CAPACITY (16) be preferred
    - LP: #1223499
  * SAUCE: (no-up) scsi: hyper-v storage -- mark as VPD capable at SPC-2
    - LP: #1223499
  * SAUCE: (no-up) scsi: hyper-v storage -- mark as preferring READ CAPACITY (16) at SPC-2
    - LP: #1223499

  [ Maximiliano Curia ]

  * SAUCE: (no-up) Only let characters through when there are active readers.
    - LP: #1208740

  [ Tim Gardner ]

  * [Debian] getabis: Commit new ABI directory, remove the old
  * [Config] CONFIG_EFIVAR_FS=y
    - LP: #1223195
  * [Config] CONFIG_EFI_VARS_PSTORE=m,
    CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=n
  * SAUCE: (no-up) USB: input: cm109.c: Convert high volume dev_err() to dev_err_ratelimited()
    - LP: #1222850

  [ Upstream Kernel Changes ]

  * Intel xhci: refactor EHCI/xHCI port switching
    - LP: #1210858
 -- Tim Gardner <email address hidden> Tue, 10 Sep 2013 09:00:19 -0600

Changed in linux (Ubuntu Saucy):
status: Fix Committed → Fix Released