Ubuntu
systemd package

systemd-stub should provide a way to be forced to use handover

Bug #2088069 reported by Valentin David
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
systemd (Ubuntu)
Won't Fix
Undecided
Unassigned
Noble
Fix Released
Medium
Nick Rosbrook
Oracular
Won't Fix
Undecided
Unassigned

Bug Description

[Original description/Impact]

Since systemd 252, systemd-stub does LoadImage/StartImage to executed the kernel in the .linux section.

See origin PR: https://github.com/systemd/systemd/pull/24777

Before, it was using the "EFI handover protocol". Unfortunately kernel handover is now deprecated. Also it was only for x86, and missing some features. So upstream decided to use LoadImage/StartImage.

In order to use LoadImage, it needs to be able to prevent signature verification and measurement. Because the .linux section is part of the UKI that is already signed and measured. Do that that, it overrides the functions in security architectural protocols.

Security architectural protocols are part of the platform initialization specifications. They are optional in these specifications, and the platform initialization specifications are optional by themselves. So some UEFI firmware will not support systemd-stub.

For upstream this is not really an issue. UKIs are still something new that has not been used by many distributions yet. And there is probably not that many firmware that does not support the needed features.

However, Ubuntu Core has been shipping UKIs since Ubuntu Core 20. And kernel handover has been in use by users that have firmware that do not support the needed features.

The bugs that can be caused are:
 * If EFI_SECURITY2_ARCH_PROTOCOL is not implemented, there will be a spurious measurement of the .linux section on PCR 4. We have observed this behavior in the wild.
 * If EFI_SECURITY_ARCH_PROTOCOL is not implemented, this should generate a "security violation" error. This is hypothetical. We have not yet observed this.

Ubuntu Core 24 uses systemd-stub with LoadImage/StartImage. That means some users cannot upgrade from Ubuntu Core 22 to Ubuntu Core 24.

systemd-stub still has a fallback to handover entry point if the embedded kernel is too old to support the PE/COFF entry point. The kernel from 24.04 does support both LoadImage/StartImage and handover. That means systemd-stub will always use LoadImage, and never the handover.

We need to be able to force systemd-stub to use handover for some of our users.

Ubuntu Core supports kernel command line changes from the gadget (since we use PCR12 as part of the PCR policies to unseal storage keys, it is safe). So it is easy to pass the information to enable handover that way. So I propose we look for the "signal" there and force handover.

Here is my proposed patch: https://gist.github.com/valentindavid/7ab6247c8fe0d3a91d089d201e160ba4

[Test plan]

Unfortunately, because of the way the pc-kernel snap is built, we cannot trivially test changes once they land in -proposed. In order to test this ahead of time, we applied this patch in a PPA[1], and then rebuilt the kernel snap in a private PPA such that we could deploy something testable to the affected customer.

To get a full end-to-end test, we need to release the fix to -updates first so that a genuine pc-kernel snap can be built and tested by the customer.

[1] https://launchpad.net/~enr0n/+archive/ubuntu/systemd-stub-force-handover

[Where problems could occur]

This patch adds logic to systemd-stub to obey a magic kernel command line. It is limited to systemd-stub, which currently is only used in Ubuntu core, so this should not have any impact on classic systems whatsoever.

By default, when the command line option is not set, no behavior should change. However, if there are problems with the command line parsing that would potentially cause problems for Ubuntu core users.

See original description
Nick Rosbrook (enr0n)
tags: added: systemd-sru-next
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in systemd (Ubuntu Noble):
status: New → Confirmed
Changed in systemd (Ubuntu Oracular):
status: New → Confirmed
Changed in systemd (Ubuntu):
status: New → Confirmed
Revision history for this message
Nick Rosbrook (enr0n) wrote :

This is core specific, and at this time we will only be targeting noble for core24 purposes.

Changed in systemd (Ubuntu Oracular):
status: Confirmed → Won't Fix
Changed in systemd (Ubuntu):
status: Confirmed → Won't Fix
Changed in systemd (Ubuntu Noble):
importance: Undecided → Medium
assignee: nobody → Nick Rosbrook (enr0n)
status: Confirmed → Triaged
Nick Rosbrook (enr0n)
description: updated
Nick Rosbrook (enr0n)
description: updated
Revision history for this message
Nick Rosbrook (enr0n) wrote :

A patch for this is now awaiting SRU review in the noble unapproved queue.

Changed in systemd (Ubuntu Noble):
status: Triaged → In Progress
Revision history for this message
Andreas Hasenack (ahasenack) wrote : Please test proposed package

Hello Valentin, or anyone else affected,

Accepted systemd into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/255.4-1ubuntu8.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in systemd (Ubuntu Noble):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-noble
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (systemd/255.4-1ubuntu8.6)

All autopkgtests for the newly accepted systemd (255.4-1ubuntu8.6) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

ayatana-indicator-session/24.2.0-1build2 (arm64, ppc64el, s390x)
ceph/19.2.0-0ubuntu0.24.04.2 (ppc64el)
certspotter/unknown (armhf)
clamav/unknown (armhf)
clevis/unknown (armhf)
collectd/5.12.0-17.1build2 (s390x)
cron/3.0pl1-184ubuntu2 (ppc64el)
csync2/unknown (armhf)
cups/unknown (armhf)
dbus/unknown (armhf)
dbus-broker/35-2 (s390x)
debci/unknown (armhf)
dovecot/1:2.3.21+dfsg1-2ubuntu6 (s390x)
dpdk/23.11.2-0ubuntu0.24.04.1 (amd64, ppc64el)
exim4/4.97-4ubuntu4.2 (ppc64el)
freedom-maker/unknown (armhf)
gpsd/unknown (armhf)
haproxy/unknown (armhf)
hddemux/unknown (armhf)
hwloc/unknown (armhf)
kodi/2:20.5+dfsg-1ubuntu1 (ppc64el)
liblinux-systemd-perl/unknown (armhf)
libqb/unknown (armhf)
libvirt/unknown (armhf)
libvirt-dbus/unknown (armhf)
lighttpd/unknown (armhf)
linux-azure-6.11/6.11.0-1008.8~24.04.1 (amd64, arm64)
linux-gcp-6.11/6.11.0-1006.6~24.04.2 (arm64)
linux-gke/6.8.0-1019.23 (amd64)
linux-hwe-6.11/6.11.0-21.21~24.04.1 (amd64, arm64)
linux-hwe-6.11/unknown (armhf)
linux-lowlatency/6.8.0-56.58.1 (amd64)
linux-lowlatency-hwe-6.11/6.11.0-1010.11~24.04.1 (arm64)
linux-nvidia/6.8.0-1024.27 (arm64)
linux-nvidia-lowlatency/6.8.0-1024.27.1 (arm64)
linux-oem-6.8/6.8.0-1022.22 (amd64)
logiops/unknown (armhf)
logrotate/unknown (armhf)
mandos/unknown (armhf)
mariadb/1:10.11.8-0ubuntu0.24.04.1 (armhf)
mediawiki/1:1.39.7-1 (ppc64el)
mosquitto/2.0.18-1build3 (amd64, arm64, armhf, ppc64el, s390x)
mpd/unknown (armhf)
munin/unknown (armhf)
mutter/unknown (armhf)
netplan.io/1.1.1-1~ubuntu24.04.1 (arm64)
open-build-service/unknown (armhf)
openbsd-inetd/unknown (armhf)
openssh/1:9.6p1-3ubuntu13.8 (ppc64el)
pipewire/unknown (armhf)
policykit-1/unknown (armhf)
polkit-qt-1/unknown (armhf)
postgresql-16/unknown (armhf)
procps/unknown (armhf)
prometheus-homeplug-exporter/unknown (armhf)
prometheus-ipmi-exporter/1.8.0-1ubuntu0.24.04.2 (ppc64el)
prometheus-postfix-exporter/unknown (armhf)
prometheus-postgres-exporter/unknown (armhf)
prometheus-squid-exporter/unknown (armhf)
pulseaudio/unknown (armhf)
pystemd/unknown (armhf)
rsyslog/8.2312.0-3ubuntu9 (s390x)
rust-whoami/unknown (armhf)
rust-zram-generator/unknown (armhf)
sbws/unknown (armhf)
seatd/unknown (armhf)
shibboleth-sp/unknown (armhf)
swupdate/unknown (armhf)
systemd-cron/unknown (armhf)
systemd-hwe/unknown (armhf)
tinyssh/unknown (armhf)
tmux/unknown (armhf)
usbauth/unknown (armhf)
yder/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Diego Bruno (dbruno74) wrote :

Hi Andreas,
the fix has been tested by the affected customer as described below:
- a kernel has been build in a private PPA[1]
- a kernel snap was rebuild against PPA[1]
- kernel snap has been published in the 24/edge/nvidia-components-sdp branch.
- the affected customer has been informed on December 13, 2024 and asked to test.
- on December 19, 2024, the customer finally confirmed the fix.
- as today, the patched pc-kernel snap on 24/edge/nvidia-components-sdp branch is actively used on customer's labs for development purposes and no issues has been reported.

[1] https://private-ppa.launchpadcontent.net/canonical-kernel-private/force-handover-pc-kernel-release/ubuntu

Let me know if it is ok to change the tag to verification-done-noble

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

@enr0n is the above all the testing we can realistically do wrt this bug?

Revision history for this message
Nick Rosbrook (enr0n) wrote :

> @enr0n is the above all the testing we can realistically do wrt this bug?

Yes, unfortunately. There is no process currently where the relevant snaps for Ubuntu core can be built using -proposed, and then shipped in some edge channel. So, doing the work up front and hacking together a PPA to test is often the best approach to testing these kinds of things.

What the above forgot to mention is that I provided a PPA[1] for use in the test cycle, and I can confirm that the same patch in the PPA is what is now in -proposed.

[1] https://launchpad.net/~enr0n/+archive/ubuntu/systemd-stub-force-handover

Nick Rosbrook (enr0n)
tags: added: verification-done-noble
removed: verification-needed-noble
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 255.4-1ubuntu8.6

---------------
systemd (255.4-1ubuntu8.6) noble; urgency=medium

  * stub: add magic cmdline option to force EFI handover
    (LP: #2088069)
  * localed: use ubuntu core hack for locale.conf and vconsole.conf
    (LP: #2091657)

 -- Nick Rosbrook <email address hidden> Fri, 21 Feb 2025 16:18:31 -0500

Changed in systemd (Ubuntu Noble):
status: Fix Committed → Fix Released
Revision history for this message
Timo Aaltonen (tjaalton) wrote : Update Released

The verification of the Stable Release Update for systemd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.