Kernel panic in tpm_ functions when booting kernel 5.3 in Ubuntu 19.10 (but 5.2 works)

Bug #1845454 reported by Pierre Equoy on 2019-09-26
This bug affects 21 people
Affects: linux (Ubuntu)
Importance: Critical
Assigned to: Seth Forshee

Bug Description

SRU Justification

Impact: Some systems are getting kernel panics during boot while parsing tpm event logs from the firmware. This happens only when the tpm and secure boot are both enabled in the firmware.

Fix: 3 patches which are currently applied to the upstream EFI maintainer tree.

Test Case: On an affected system, booting a 5.3-based kernel will panic during boot when the tpm and secure boot are enabled. A patched kernel will boot successfully. The patches have been verified to fix the issue on a gen 6 Lenovo X1 Carbon.

Regression Potential: If the patches have bugs they could cause regressions on systems not currently experiencing issues. The patches are pretty straightforward though, so I believe the risk is minimal and (given the severity of the issue on affected hardware) acceptable.

---

Image: http://cdimage.ubuntu.com/daily-live/20190926/eoan-desktop-amd64.iso
Device: Dell XPS 13 7390 (201908-27305)

When trying to start the live session ("try Ubuntu") or trying to install the ISO ("install Ubuntu"), the boot process stops within 1 second with a kernel panic (see attached screenshot).

The system could boot with a previous version of Eoan image: 2019-09-09 09:11 (kernel 5.3.0-10)

Workaround: disable TPM2 in the BIOS.

/!\ Please note: the information below (and the attached file ProcCpuinfoMinimal.txt) comes from an 18.04 live session, since I cannot boot anything with 19.10 beta image.
==============================================
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: syslinux 3:6.03+dfsg1-2
ProcVersionSignature: Ubuntu 5.0.0-23.24~18.04.1-generic 5.0.15
Uname: Linux 5.0.0-23-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.7
Architecture: amd64
CasperVersion: 1.394
CurrentDesktop: ubuntu:GNOME
Date: Thu Sep 26 07:41:16 2019
Dependencies:
 gcc-8-base 8.3.0-6ubuntu1~18.04.1
 libc6 2.27-3ubuntu1
 libgcc1 1:8.3.0-6ubuntu1~18.04.1
 mtools 4.0.18-2ubuntu1
 syslinux-common 3:6.03+dfsg1-2
LiveMediaBuild: Ubuntu 18.04.3 LTS "Bionic Beaver" - Release amd64 (20190805)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=C.UTF-8
 SHELL=/bin/bash
SourcePackage: syslinux
UpgradeStatus: No upgrade log present (probably fresh install)

Pierre Equoy (pieq) wrote :
description: updated
tags: added: ce-qa-concern
Pierre Equoy (pieq) on 2019-09-26
description: updated
no longer affects: syslinux (Ubuntu)

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1845454

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Sebastien Bacher (seb128) wrote :

There is a Fedora bug about a similar issue on the same model which points to 3 commits fixing the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1752961#c17

Changed in linux (Ubuntu):
importance: Undecided → Critical
tags: added: rls-ee-incoming
Sebastien Bacher (seb128) wrote :

(the Red Hat bug also states that disabling TPM in the BIOS is a workaround for the issue)

Pierre Equoy (pieq) on 2019-09-26
description: updated
Kai-Heng Feng (kaihengfeng) wrote :

Does this also happen with secure boot disabled? Otherwise I can build a test kernel with the EFI patches.

Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
http://iso.qa.ubuntu.com/qatracker/reports/bugs/1845454

tags: added: iso-testing
Pierre Equoy (pieq) on 2019-09-26
tags: removed: bionic
summary: - Dell XPS 13 7390 - Kernel panic with 19.10 beta image
+ Kernel panic with 19.10 beta image

I agree this looks the same as the bug reported against Fedora. I've started a test build with these commits. I know this was reported with the ISO image, but hopefully we can work out a way to test. I suspect disabling the tpm in the firmware settings will get the machine to boot/install, and then it could be re-enabled to confirm that the panic still happens with the kernel from -release and to check whether it is gone in the test build.

This is the same bug as bug 1844101 I think? If it is, it doesn't reproduce with secure boot off and we'll need a signed kernel to test. I'm happy to enrol whatever key in my firmware to test a self-signed kernel...

Seth Forshee (sforshee) wrote :

Provided this in IRC, but posting here also. Instructions for installing a MOK that you can use to sign kernels are found here:

https://ubuntu.com/blog/how-to-sign-things-for-secure-boot

Note the comment under "Enrolling the key" about omitting OID 1.3.6.1.4.1.2312.16.1.2 if you want to use the key to sign kernels.

Seth Forshee (sforshee) wrote :

I got some positive testing on the test build off-bug, will submit these patches for eoan.

Changed in linux (Ubuntu):
assignee: nobody → Seth Forshee (sforshee)
status: Incomplete → In Progress
Seth Forshee (sforshee) on 2019-09-28
description: updated

Bug 1846542 has equivalent stack traces on 5.3.0-13. Suggested this test kernel there.

summary: - Kernel panic with 19.10 beta image
+ Kernel panic in tpm_ functions when booting kernel 5.3 in Ubuntu 19.10
+ (but 5.2 works)

Similarly for bug 1847042.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.3.0-17.18

---------------
linux (5.3.0-17.18) eoan; urgency=medium

  * eoan/linux: 5.3.0-17.18 -proposed tracker (LP: #1846641)

  * CVE-2019-17056
    - nfc: enforce CAP_NET_RAW for raw sockets

  * CVE-2019-17055
    - mISDN: enforce CAP_NET_RAW for raw sockets

  * CVE-2019-17054
    - appletalk: enforce CAP_NET_RAW for raw sockets

  * CVE-2019-17053
    - ieee802154: enforce CAP_NET_RAW for raw sockets

  * CVE-2019-17052
    - ax25: enforce CAP_NET_RAW for raw sockets

  * CVE-2019-15098
    - ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe()

  * xHCI on AMD Stoney Ridge cannot detect USB 2.0 or 1.1 devices.
    (LP: #1846470)
    - x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect

  * Re-enable linux-libc-dev build on i386 (LP: #1846508)
    - [Packaging] Build only linux-libc-dev for i386
    - [Debian] final-checks -- ignore archtictures with no binaries

  * arm64: loop on boot after installing linux-generic-hwe-18.04-edge/bionic-
    proposed (LP: #1845820)
    - [Config] Disable CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT

  * Revert ESE DASD discard support (LP: #1846219)
    - SAUCE: Revert "s390/dasd: Add discard support for ESE volumes"

  * Miscellaneous Ubuntu changes
    - update dkms package versions

linux (5.3.0-16.17) eoan; urgency=medium

  * eoan/linux: 5.3.0-16.17 -proposed tracker (LP: #1846204)

  * zfs fails to build on s390x with debug symbols enabled (LP: #1846143)
    - SAUCE: s390: Mark atomic const ops always inline

linux (5.3.0-15.16) eoan; urgency=medium

  * eoan/linux: 5.3.0-15.16 -proposed tracker (LP: #1845987)

  * Drop i386 build for 19.10 (LP: #1845714)
    - [Packaging] Remove x32 arch references from control files
    - [Debian] final-checks -- Get arch list from debian/control

  * ZFS kernel modules lack debug symbols (LP: #1840704)
    - [Debian] Fix conditional for setting zfs debug package path

  * Use pyhon3-sphinx instead of python-sphinx for building html docs
    (LP: #1845808)
    - [Packaging] Update sphinx build dependencies to python3 packages

  * Kernel panic with 19.10 beta image (LP: #1845454)
    - efi/tpm: Don't access event->count when it isn't mapped.
    - efi/tpm: don't traverse an event log with no events
    - efi/tpm: only set efi_tpm_final_log_size after successful event log parsing

linux (5.3.0-14.15) eoan; urgency=medium

  * eoan/linux: 5.3.0-14.15 -proposed tracker (LP: #1845728)

  * Drop i386 build for 19.10 (LP: #1845714)
    - [Debian] Remove support for producing i386 kernels
    - [Debian] Don't use CROSS_COMPILE for i386 configs

  * udevadm trigger will fail when trying to add /sys/devices/vio/
    (LP: #1845572)
    - SAUCE: powerpc/vio: drop bus_type from parent device

  * Trying to online dasd drive results in invalid input/output from the kernel
    on z/VM (LP: #1845323)
    - SAUCE: s390/dasd: Fix error handling during online processing

  * intel-lpss driver conflicts with write-combining MTRR region (LP: #1845584)
    - SAUCE: mfd: intel-lpss: add quirk for Dell XPS 13 7390 2-in-1

  * Support Hi1620 zip hw accelerator (LP: #1845355)
    - [Config] Enable HiSilicon QM/ZIP as module...


Changed in linux (Ubuntu):
status: In Progress → Fix Released
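
The three efi/tpm fixes named in the changelog above all concern bounds and state handling while walking the firmware's TPM event log. As an added illustration (a user-space sketch, not the kernel patches and not code from this bug report), the C parser below applies the same three checks to a constructed log. Assumptions: the little-endian TCG crypto-agile event layout given in the first comment; `take`, `digest_len`, `event_size`, `log_size` and `sample_log` are hypothetical names, and digest sizes are hard-coded for SHA-1 and SHA-256.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout (little-endian): u32 pcr, u32 type, u32 count,
 * count x { u16 alg, digest }, u32 event_size, event data. */
#define LE16(p) ((uint32_t)(p)[0] | (uint32_t)(p)[1] << 8)
#define LE32(p) (LE16(p) | LE16((p) + 2) << 16)

/* Bounds-checked cursor: n bytes at *off, or NULL if that passes len. */
static const uint8_t *take(const uint8_t *b, size_t len, size_t *off, size_t n)
{
    if (n > len - *off) /* invariant: *off <= len */
        return NULL;
    *off += n;
    return b + *off - n;
}

/* Digest sizes for SHA-1 and SHA-256 only (simplification in this sketch). */
static size_t digest_len(uint32_t alg)
{
    return alg == 0x0004 ? 20 : alg == 0x000B ? 32 : 0;
}

/* Size of the event at b, or 0 if it is malformed or extends past len. */
size_t event_size(const uint8_t *b, size_t len)
{
    size_t off = 0, dl;
    const uint8_t *p;
    if (!take(b, len, &off, 8) || !(p = take(b, len, &off, 4)))
        return 0; /* count field is range-checked before it is read */
    for (uint32_t count = LE32(p); count; count--)
        if (!(p = take(b, len, &off, 2)) || !(dl = digest_len(LE16(p))) ||
            !take(b, len, &off, dl))
            return 0;
    if (!(p = take(b, len, &off, 4)) || !take(b, len, &off, LE32(p)))
        return 0;
    return off;
}

/* Zero events: b is never read. *total is written only after all parse. */
int log_size(const uint8_t *b, size_t len, uint32_t nr_events, size_t *total)
{
    size_t off = 0, sz;
    for (; nr_events; nr_events--, off += sz)
        if (!(sz = event_size(b + off, len - off)))
            return -1;
    *total = off;
    return 0;
}

/* Constructed sample: one event, one SHA-1 digest, 2 bytes of event data. */
const uint8_t sample_log[40] = { [4] = 1, [8] = 1, [12] = 4, [34] = 2 };
```
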
Claudio Fior (caiofior) wrote :

After upgrading to Ubuntu 19.10 the boot hangs on HP EliteDesk 800 G2 SFF, previous kernel 5.0.0-31-generic works

monoi (bschofield) wrote :

Confirmed fixed for me by kernel 5.3.0-17-generic, on an HP EliteBook 840 G5. I can now boot with TPM enabled. Thank you for the work!

Works for me, too. Thanks!

Fixed on my ThinkPad T590 with the 5.3.0-17.18 kernel. Thanks.

Hamish Marson (travellingkiwi) wrote :

Fixed on my Thinkpad X1 Extreme Gen 2 with 5.3.0-18. Thanks.

Pierre Equoy (pieq) wrote :

Fixed on Dell XPS 13 7390 with 5.3.0-19.

tags: added: cqa-verified

5.3.0.19 kernel panic.
upgrade from 19.04 kernel 5.0 all works,
after upgrading boot without problem, after 10 minutes
every app is crashing, and will not boot on any kernel, even on older ones.

Joshua Powers (powersj) wrote :

@r-fabbeni, thanks for taking the time to add a comment, however it would be best if you would open a new bug for your issue please. See https://bugs.launchpad.net/ubuntu/+source/linux/+filebug

All autopkgtests for the newly accepted linux-gcp-5.3 (5.3.0-1008.9~18.04.1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

linux-gcp-5.3/unknown (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-gcp-5.3

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!
