shim crashes on Mellanox BF1 SmartNIC

Bug #1934780 reported by Alfonso Sanchez-Beato
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
shim (Ubuntu)
Undecided
Unassigned
Xenial
Undecided
Unassigned
Bionic
Undecided
Unassigned
Focal
Undecided
Unassigned
Hirsute
Undecided
Unassigned
shim-signed (Ubuntu)
Undecided
Unassigned
Xenial
Undecided
Unassigned
Bionic
Undecided
Unassigned
Focal
Undecided
Unassigned

Bug Description

[Impact]
Systems that do not support QueryVariableInfo() EFI function fail to boot.

[Test plan]
Would be good to get this checked on the Mellanox BF1 SmartNIC on one release (shim is binary copied)

[Where problems could occur]
it might still fail to mirror variables on those platforms. Code looks like the variable could be uninitialized on error case, but it's actually set inside the call to 0 so that's good.

[Original bug report]

shim in focal-proposed (shim-signed 1.40.5) is crashing on Mellanox BF1 SmartNIC, showing this trace:

>>Start PXE over IPv4.
  Station IP address is 192.168.100.2

  Server IP address is 192.168.100.1
  NBP filename is shimaa64.efi.signed
  NBP filesize is 840024 Bytes
 Downloading NBP file...

  NBP file downloaded successfully.
Could not get variable storage info: Unsupported
Could not create MokListRT: Unsupported
Could not get variable storage info: Unsupported
Could not create MokListXRT: Unsupported
Could not get variable storage info: Unsupported
Could not create MokListRT: Unsupported
Could not get variable storage info: Unsupported
Could not create MokListXRT: Unsupported
Something has gone seriously wrong: import_mok_state() failed: Unsupported
ERROR: System Off: operation not handled.
PANIC at PC : 0x000000000045c488

Some EFI related kernel output:

[ 0.000000] efi: EFI v2.70 by EDK II
[ 0.000000] efi: SMBIOS=0xfafb0000 SMBIOS 3.0=0xf5b70000 ACPI=0xf5c10000 ACPI 2.0=0xf5c10014 MEMATTR=0xf769e018 ESRT=0xf7593098 MEMRESERVE=0xf49e9018
[ 0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[ 0.000000] Kernel command line: BOOT_IMAGE=/vmlinuz console=hvc0 console=ttyAMA0 earlycon=pl011,0x01000000 fixrtc ip=:::::tmfifo_net0:dhcp url=http://192.168.100.1/tftp/bluefield.iso cloud-config-url=/dev/null nopersistent
[ 0.085871] Remapping and enabling EFI services.
[ 0.377821] DMI: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS BlueField:3.6.0-24-gd4db9c4 Apr 6 2021
[ 1.028977] Registered efivars operations
[ 2.481241] rtc-efi rtc-efi: registered as rtc0
[ 2.593647] EFI Variables Facility v0.08 2004-May-17

Revision history for this message
Alfonso Sanchez-Beato (alfonsosanchezbeato) wrote :

See attached kernel log.

description: updated
Revision history for this message
Alfonso Sanchez-Beato (alfonsosanchezbeato) wrote :
Revision history for this message
Alfonso Sanchez-Beato (alfonsosanchezbeato) wrote (last edit ):

Attached logs after "mokutil --set-verbosity true" and resetting state with "mokutil --reset". In this case the shim was able to load grub, but then grub failed to verify the kernel:

error: /vmlinuz has invalid signature.
Loading Ram Disk...
error: you need to load the kernel first.

Revision history for this message
Alfonso Sanchez-Beato (alfonsosanchezbeato) wrote :

Logs with https://github.com/rhboot/shim/pull/369 (certificate from PPA added to DB).

Changed in shim (Ubuntu):
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.4-0ubuntu7

---------------
shim (15.4-0ubuntu7) hirsute; urgency=medium

  * Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
  * Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
  * Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
  * mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Wed, 07 Jul 2021 10:57:35 +0200

Changed in shim (Ubuntu):
status: Fix Committed → Fix Released
description: updated
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Alfonso, or anyone else affected,

Accepted shim into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.4-0ubuntu7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim (Ubuntu Hirsute):
status: New → Fix Committed
tags: added: verification-needed verification-needed-hirsute
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Alfonso, or anyone else affected,

Accepted shim into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.4-0ubuntu7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Alfonso, or anyone else affected,

Accepted shim-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.40.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Focal):
status: New → Fix Committed
Revision history for this message
Alfonso Sanchez-Beato (alfonsosanchezbeato) wrote :

Things look good after updating:

u@nic:~$ apt policy shim-signed
shim-signed:
  Installed: 1.40.6+15.4-0ubuntu7
  Candidate: 1.40.6+15.4-0ubuntu7
  Version table:
 *** 1.40.6+15.4-0ubuntu7 500
        500 http://tw.ports.ubuntu.com/ubuntu-ports focal-proposed/main arm64 Packages
        100 /var/lib/dpkg/status
     1.40.4+15+1552672080.a4a1fbe-0ubuntu2 500
        500 http://tw.ports.ubuntu.com/ubuntu-ports focal-updates/main arm64 Packages
     1.40.3+15+1533136590.3beb971-0ubuntu1 500
        500 http://tw.ports.ubuntu.com/ubuntu-ports focal/main arm64 Packages

I get these messages when booting, but I think that is expected (booting goes on just fine):

Could not get variable storage info: Unsupported
Could not get variable storage info: Unsupported
Could not get variable storage info: Unsupported
Could not get variable storage info: Unsupported

I cannot test on hirsute as there is no hirsute image for this device. Considering the validation done there anyway (same binary).

tags: added: verification-done-focal verification-done-hirsute
removed: verification-needed-focal verification-needed-hirsute
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Alfonso, or anyone else affected,

Accepted shim into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.4-0ubuntu7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Alfonso, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Bionic):
status: New → Fix Committed
Changed in shim (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Alfonso, or anyone else affected,

Accepted shim into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.4-0ubuntu7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Alfonso, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Xenial):
status: New → Fix Committed
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Alfonso, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Steve Langasek (vorlon)
Changed in shim-signed (Ubuntu):
status: New → Fix Released
Revision history for this message
Julian Andres Klode (juliank) wrote :

Marking as verified for all releases, since bianry is the same.

tags: added: verification-done verification-done-bionic verification-done-xenial
removed: verification-needed verification-needed-bionic verification-needed-xenial
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for shim has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.4-0ubuntu7

---------------
shim (15.4-0ubuntu7) hirsute; urgency=medium

  * Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
  * Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
  * Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
  * mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Wed, 07 Jul 2021 10:57:35 +0200

Changed in shim (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.40.6

---------------
shim-signed (1.40.6) focal; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)
  * download-signed: Fetch signed artefacts from versioned URL instead
    of current/ symlink to work around caching (LP: #1936640)

shim-signed (1.40.5) focal; urgency=medium

  * New upstream release 15.4. LP: #1921134
  * Synchronize packaging with 1.48, summary
    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.
    - Add download-signed script from linux-signed package
    - Include reworked Makefile from devel to better assert the integrity of
      the executables.
    - Dual-signed shim
    - Set XB-Important: yes and Protected: yes on shim-signed package
      so that it cannot be removed by accident (LP: #1898729)
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditons (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

 -- Julian Andres Klode <email address hidden> Fri, 16 Jul 2021 13:33:00 +0200

Changed in shim (Ubuntu Focal):
status: Fix Committed → Fix Released
Changed in shim-signed (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.4-0ubuntu7

---------------
shim (15.4-0ubuntu7) hirsute; urgency=medium

  * Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
  * Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
  * Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
  * mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Wed, 07 Jul 2021 10:57:35 +0200

Changed in shim (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.33.1~16.04.10

---------------
shim-signed (1.33.1~16.04.10) xenial; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)

shim-signed (1.33.1~16.04.9) xenial; urgency=medium

  * Do not build a dual-signed shim (fixing regression from ~16.04.7), and
    disable verifying fbx64.efi and mmx64.efi certificates as xenial's
    sbverify is unable to (impish works fine)
  * Clean up debhelper log file accidentally imported into git during 16.04.7
    import.

shim-signed (1.33.1~16.04.8) xenial; urgency=medium

  * debian/*.postinst: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates. LP: #1930742.
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditons (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

shim-signed (1.33.1~16.04.7) xenial; urgency=medium

  * New upstream release 15.4. LP: #1921134
  * Update packaging to pull fb and mm from shim-signed package as in
    later releases, dropping the runtime dependency on shim.
  * Add download-signed script from linux-signed package
  * Add a versioned dependency on the mokutil that introduces --timeout, and
    call mokutil --timeout -1 so that users don't end up with broken systems
    by missing MokManager on reboot after install. LP: #1856422.
  * Add versioned dependencies on grub-efi-amd64-signed and grub2-common,
    to ensure we have SBAT-compatible grub.efi and grub 2.04-compatible
    grub-install present when we are installing new shim to the ESP.
  * Include reworked Makefile from devel to better assert the integrity of
    the executables.

 -- Julian Andres Klode <email address hidden> Fri, 16 Jul 2021 13:04:57 +0200

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.4-0ubuntu7

---------------
shim (15.4-0ubuntu7) hirsute; urgency=medium

  * Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
  * Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
  * Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
  * mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Wed, 07 Jul 2021 10:57:35 +0200

Changed in shim (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.37~18.04.10

---------------
shim-signed (1.37~18.04.10) bionic; urgency=medium

  * Remove unnecessary efitools dependency that prevented build on arm64

shim-signed (1.37~18.04.9) bionic; urgency=medium

  * New upstream release 15.4. LP: #1921134
  * Synchronize packaging with 1.50, summary
    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.
    - Add download-signed script from linux-signed package
    - Include reworked Makefile from devel to better assert the integrity of
      the executables.
    - Dual-signed shim
    - Set XB-Important: yes on shim-signed package so that it cannot be
      removed by accident (LP: #1898729)
    - download-signed: Fetch signed artefacts from versioned URL instead
      of current/ symlink to work around caching (LP: #1936640)
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditons (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)
  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Mon, 19 Jul 2021 17:01:19 +0200

Changed in shim-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers