System Z {kernel} UBUNTU18.04 wrong kernel config

Bug #1762719 reported by bugproxy on 2018-04-10
Affects: Ubuntu on IBM z Systems; Importance: Critical; Assigned to: Canonical Kernel Team
Affects: linux (Ubuntu); Importance: Critical; Assigned to: Seth Forshee

Bug Description

Kernel config 4.15.0-13-generic #14 (and same for 4.15.0-15-generic) is not OK, because both security mechanisms nobp AND expoline are enabled:

CONFIG_KERNEL_NOBP=y
CONFIG_EXPOLINE=y
# CONFIG_EXPOLINE_OFF is not set
# CONFIG_EXPOLINE_MEDIUM is not set
CONFIG_EXPOLINE_FULL=y

If the kernel is compiled with a gcc that can generate expoline thunks the correct config is as follows:

# CONFIG_KERNEL_NOBP is not set
CONFIG_EXPOLINE=y
# CONFIG_EXPOLINE_OFF is not set
# CONFIG_EXPOLINE_MEDIUM is not set
CONFIG_EXPOLINE_FULL=y

Alternatively the auto-detection patch can be used which is upstream as of today:

commit 6e179d64126b909f0b288fa63cdbf07c531e9b1d

    s390: add automatic detection of the spectre defense

    Automatically decide between nobp vs. expolines if the spectre_v2=auto
    kernel parameter is specified or CONFIG_EXPOLINE_AUTO=y is set.

    The decision made at boot time due to CONFIG_EXPOLINE_AUTO=y being set
    can be overruled with the nobp, nospec and spectre_v2 kernel parameters.

If this patch is used, then the correct config is

# CONFIG_KERNEL_NOBP is not set
CONFIG_EXPOLINE=y
# CONFIG_EXPOLINE_OFF is not set
CONFIG_EXPOLINE_AUTO=y
# CONFIG_EXPOLINE_FULL is not set

This patch goes together with three others, so a total of four patches would be needed for the latest-and-greatest solution:

b2e2f43a01bace1a25bdbae04c9f9846882b727a
6e179d64126b909f0b288fa63cdbf07c531e9b1d
bc035599718412cfba9249aa713f90ef13f13ee9
d424986f1d6b16079b3231db0314923f4f8deed1
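
The check described in the report, as an added example that is not part of the original bug report or of the Ubuntu kernel packaging: a POSIX shell function that classifies a kernel config by the s390 Spectre v2 options named above. The function names and verdict strings are assumptions made for this example, and the sample configs are constructed from the three fragments quoted in the report.

```shell
#!/bin/sh
# Added example: classify the s390 Spectre v2 options in a kernel config file.

# has_y FILE SYMBOL: succeeds if the exact line "SYMBOL=y" is present.
has_y() { grep -qxF "$2=y" "$1"; }

# Prints a verdict; returns 1 for the conflicting combination from this report.
classify_spectre_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    if has_y "$cfg" CONFIG_KERNEL_NOBP && has_y "$cfg" CONFIG_EXPOLINE; then
        echo "conflict"; return 1      # nobp AND expoline both built in
    elif has_y "$cfg" CONFIG_EXPOLINE && has_y "$cfg" CONFIG_EXPOLINE_AUTO; then
        echo "expoline-auto"           # boot-time choice (auto-detection patch)
    elif has_y "$cfg" CONFIG_EXPOLINE && has_y "$cfg" CONFIG_EXPOLINE_FULL; then
        echo "expoline-full"
    elif has_y "$cfg" CONFIG_KERNEL_NOBP; then
        echo "nobp-only"
    else
        echo "other"
    fi
}

# Constructed samples: the three config fragments quoted in the report.
write_samples() {
    printf '%s\n' 'CONFIG_KERNEL_NOBP=y' 'CONFIG_EXPOLINE=y' \
        '# CONFIG_EXPOLINE_OFF is not set' '# CONFIG_EXPOLINE_MEDIUM is not set' \
        'CONFIG_EXPOLINE_FULL=y' > "$1/reported"
    printf '%s\n' '# CONFIG_KERNEL_NOBP is not set' 'CONFIG_EXPOLINE=y' \
        '# CONFIG_EXPOLINE_OFF is not set' '# CONFIG_EXPOLINE_MEDIUM is not set' \
        'CONFIG_EXPOLINE_FULL=y' > "$1/full"
    printf '%s\n' '# CONFIG_KERNEL_NOBP is not set' 'CONFIG_EXPOLINE=y' \
        '# CONFIG_EXPOLINE_OFF is not set' 'CONFIG_EXPOLINE_AUTO=y' \
        '# CONFIG_EXPOLINE_FULL is not set' > "$1/auto"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in reported full auto; do
    printf '%s: %s\n' "$f" "$(classify_spectre_config "$tmp/$f" || :)"
done
rm -rf "$tmp"
```

On an installed system the function can be pointed at `/boot/config-$(uname -r)`; the non-zero exit status for the conflicting combination makes it usable as a build or CI gate.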

bugproxy (bugproxy) on 2018-04-10
tags: added: architecture-s39064 bugnameltc-166584 severity-critical targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Changed in ubuntu-z-systems:
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
bugproxy (bugproxy) on 2018-04-10
tags: added: targetmilestone-inin1804
removed: targetmilestone-inin---
Seth Forshee (sforshee) on 2018-04-10
Changed in linux (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → Seth Forshee (sforshee)
status: New → In Progress
Changed in ubuntu-z-systems:
status: Triaged → In Progress
Seth Forshee (sforshee) wrote :

Cherry picked the auto-detection patches into bionic, set CONFIG_EXPOLINE_AUTO=y and CONFIG_KERNEL_NOBP=n.

Changed in linux (Ubuntu):
status: In Progress → Fix Committed
importance: Undecided → Critical
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed

------- Comment From <email address hidden> 2018-04-11 12:11 EDT-------
> Cherry picked the auto-detection patches into bionic, set
> CONFIG_EXPOLINE_AUTO=y and CONFIG_KERNEL_NOBP=n.

You sure are quick.. Unfortunately there is a bug in the auto-detection
which is solved by a patch I created today. It can be found on the
s390/linux:features branch on kernel.org:

https://git.kernel.org/pub/scm/linux/kernel/git/s390/linux.git/commit/?h=features&id=6a3d1e81a434fc311f224b8be77258bafc18ccc6

I plan to send a please-pull for this by the end of the week.

Seth Forshee (sforshee) wrote :

I've applied the additional fix to bionic/master-next, thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-19.20

---------------
linux (4.15.0-19.20) bionic; urgency=medium

  * linux: 4.15.0-19.20 -proposed tracker (LP: #1766021)

  * Kernel 4.15.0-15 breaks Dell PowerEdge 12th Gen servers (LP: #1765232)
    - Revert "blk-mq: simplify queue mapping & schedule with each possisble CPU"
    - Revert "genirq/affinity: assign vectors to all possible CPUs"

linux (4.15.0-18.19) bionic; urgency=medium

  * linux: 4.15.0-18.19 -proposed tracker (LP: #1765490)

  * [regression] Ubuntu 18.04:[4.15.0-17-generic #18] KVM Guest Kernel:
    meltdown: rfi/fallback displacement flush not enabled bydefault (kvm)
    (LP: #1765429)
    - powerpc/pseries: Fix clearing of security feature flags

  * signing: only install a signed kernel (LP: #1764794)
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Config] signing -- enable Opal signing for ppc64el
    - [Packaging] printenv -- add signing options

  * [18.04 FEAT] Sign POWER host/NV kernels (LP: #1696154)
    - [Packaging] signing -- add support for signing Opal kernel binaries

  * Please cherrypick s390 unwind fix (LP: #1765083)
    - s390/compat: fix setup_frame32

  * Ubuntu 18.04 installer does not detect any IPR based HDD/RAID array [S822L]
    [ipr] (LP: #1751813)
    - d-i: move ipr to storage-core-modules on ppc64el

  * drivers/gpu/drm/bridge/adv7511/adv7511.ko missing (LP: #1764816)
    - SAUCE: (no-up) rename the adv7511 drm driver to adv7511_drm

  * Miscellaneous Ubuntu changes
    - [Packaging] Add linux-oem to rebuild test blacklist.

linux (4.15.0-17.18) bionic; urgency=medium

  * linux: 4.15.0-17.18 -proposed tracker (LP: #1764498)

  * Eventual OOM with profile reloads (LP: #1750594)
    - SAUCE: apparmor: fix memory leak when duplicate profile load

linux (4.15.0-16.17) bionic; urgency=medium

  * linux: 4.15.0-16.17 -proposed tracker (LP: #1763785)

  * [18.04] [bug] CFL-S(CNP)/CNL GPIO testing failed (LP: #1757346)
    - [Config]: Set CONFIG_PINCTRL_CANNONLAKE=y

  * [Ubuntu 18.04] USB Type-C test failed on GLK (LP: #1758797)
    - SAUCE: usb: typec: ucsi: Increase command completion timeout value

  * Fix trying to "push" an already active pool VP (LP: #1763386)
    - SAUCE: powerpc/xive: Fix trying to "push" an already active pool VP

  * hisi_sas: Revert and replace SAUCE patches w/ upstream (LP: #1762824)
    - Revert "UBUNTU: SAUCE: scsi: hisi_sas: export device table of v3 hw to
      userspace"
    - Revert "UBUNTU: SAUCE: scsi: hisi_sas: config for hip08 ES"
    - scsi: hisi_sas: modify some register config for hip08
    - scsi: hisi_sas: add v3 hw MODULE_DEVICE_TABLE()

  * Realtek card reader - RTS5243 [VEN_10EC&DEV_5260] (LP: #1737673)
    - misc: rtsx: Move Realtek Card Reader Driver to misc
    - updateconfigs for Realtek Card Reader Driver
    - misc: rtsx: Add support for RTS5260
    - misc: rtsx: Fix symbol clashes

  * Mellanox [mlx5] [bionic] UBSAN: Undefined behaviour in
    ./include/linux/net_dim.h (LP: #1...

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-04-24 03:56 EDT-------
Fixed with kernel 4.15.0-17 and newer. Now 4.15.0-19 has been released for bionic. Kernel config fixes this issue. Closing this bug.

Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Frank Heimes (frank-heimes) wrote :

Since this bug was already successfully verified, I'm adjusting the tags accordingly ...

tags: added: verification-done-bionic
removed: verification-needed-bionic