Ubuntu
u-boot package

[MIR] u-boot-rpi

Bug #1869792 reported by Dave Jones
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
u-boot (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

[Availability]
The package is already in universe.

[Rationale]
The package is in use in the boot sequence on all supported Raspberry Pi images, both classic and core.

[Security]
While there are (recent) open CVEs against u-boot, none appear relevant to the RPi port specifically. Notably:

* CVE-2020-8432 deals with a double-free in cmd/gpt.c; GPT_CMD is not enabled in our rpi related u-boot configuration (because the pi does not support GUID partition tables).

* CVE-2020-10648 deals with bypassing verified boot restrictions on FIT images; we don't use FIT u-boot images on our pi builds.

* CVE-2019-16258 deals with attackers gaining root access by manipulating the u-boot console via UART; there's no expectation of boot security against physical access to a pi so this is irrelevant.

* CVE-2019-14192..14204 deal with stack-based overflows against NFS and RPC commands. While our u-boot-rpi build does include NFS commands, they are not used in our boot scripts.

All further CVEs deal with versions prior to 2019.07 (the current version in focal). Although it is clear vulnerabilities are reported with some regularity against the package, it is also evident that upstream responds rapidly to such reports and that many don't apply to our usage of the package on the pi. Furthermore, the pi is a relatively "open" platform with little expectation of security against direct physical access (after all, the storage is removable and unencrypted) which negates several of the reported vulnerabilities.

[Quality assurance]
As mentioned above, the package is already in active use in the Pi boot sequence. There are no outstanding bugs which significantly affect the usability (i.e. our images boot successfully on all supported pi models) and no important bugs open.

There is no meaningful test suite included in the package, but then for a bootloader dealing with a novel platform the ultimate test is "does it boot?", and each update of the package is extensively (manually) tested against the supported models.

The current version of the package does build-depend against python2. This is an issue noted in an upstream report (Debian: #943273), corrected in the current version in sid (https://salsa.debian.org/debian/u-boot/-/commit/f8a0fc63adbe13e0a3365af9b03e8315f1328913), and hence will be corrected next time our package is synced with upstream.

[UI standards]
The sole interactive element is the u-boot console which is only expected to be used in the circumstance that the system is un-bootable. This is (hopefully!) a sufficiently rare circumstance that the lack of localization does not pose an issue (further, it's hard to see how a bootloader could be localized given it is running prior to the OS starting and thus without knowledge of user configuration).

[Dependencies]
The sole runtime dependency is "awk", the installation candidates for which (gawk or mawk) are already present in main.

[Standards compliance]
The package installs its binaries under /usr/lib which may seem odd for something essential to booting the system but this is merely a "storage location". These binaries are then copied (via postinst currently, hopefully in future via flash-kernel) to the more appropriate /boot hierarchy.

[Maintenance]
The package is maintained by the Ubuntu Foundations team.

[Background information]
As mentioned above the package is already in active use on all our Raspberry Pi images (both classic and core). It's only recently that it was brought to my attention that the package isn't in main already. The package is essential to both the classic and core boot experiences: in the classic case for providing unpacking duties for compressed kernels, and in the core case for handling A/B boot states (neither of these facilities is currently supported by the pi's own firmware bootloader).

This package is currently pulled into the images via the "pi-gadget" (https://github.com/snapcore/pi-gadget) snap which forms the basis of both the classic and core pi images.

Christian Ehrhardt  (paelzer)
Changed in u-boot (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Usually we are not doing per-arch decisions, MIR reviews are based on a source package.
But there were excuses in the past - and in this case it is not that much "per arch" even though u-boot-rpi sounds that way.

u-boot-rpi is one of multiple binary packages produced by src:u-boot.

Also these are only built on arm*
 u-boot | 2019.07+dfsg-1ubuntu6 | focal | source
 u-boot | 2019.07+dfsg-1ubuntu6 | focal/universe | armhf
 u-boot-rpi | 2019.07+dfsg-1ubuntu6 | focal/universe | arm64, armhf

And in fact src:u-boot already has an approved MIR at https://bugs.launchpad.net/ubuntu/+source/u-boot/+bug/692613.

So we are essentially re-reviewing just the sub-portion of u-boot that is responsible for u-boot-rpi.

Also foundations is already subscribed and maintains this (the changelog history is frequent)
$ ./get-packages-subscribed.py --team foundations-bugs -p | grep -- u-boot
u-boot

So it is actually already as close to main as it can be in terms of:
- maintenance
- src:pkg in main
- usage in RPI boot path

I agree that we should promote the package as well.

d/rules isn't the cleanest I've ever seen, but I'm still waiting to see the rom/bootloader that would be that way.

It has build-time tests and while autopkgtests are hard it is essentially used all over the place on any RPi testing.

The build log looks

None of the typical other checks (python, go, linking, ... apply to this package)

So the addition of u-boot-rpi looks mostly good from a MIR POV.

@David:
- the package appears to get regular updates/fixes by the foundations team
- upstream releases ~quarterly
- it might be too late for the brand new 2020.04~rc4, but what is the reason to not update to 19.10 or 20.01?
- Debian has 20.01 in testing and 20.04 in testing, so their speed is fast
- Is there an active maintenance and update policy in place or is it randomly updated as needed?
- sometimes packages tend to be outdated by accruing to much delta that is hard to rebase&maintain; It seems the packaging was split mid last year on 2019.04+dfsg-2ubuntu1 and not rebase d since then. Might I ask about how well upstreaming to Debian works (links to some examples would be nice). I'd wan't to avoid that this package seems to be "ok now" but we can expect it to rot away for the reasons that inhibit regular maintenance mentioned above.

To be clear I don't request to do these updates for Focal (it is too late), but I'd want to see some reassurance that this is under control and e.g. will get a rebase soon once 20.10 opens.

Marking incomplete until this is clarified.

Note:
If the above is ok (I assume it will be) we can hand over to security since the old bug had no explicit security check as far as I can see and as you outlined other binary packages of the same source have known CVEs I'd want security to:
a) review for u-boot-rpi
b) state that it is ok to add this to main with known CVEs in other binaries of the package (not that this might e.g. break their CVE tracking)

Changed in u-boot (Ubuntu):
status: New → Incomplete
Revision history for this message
Dave Jones (waveform) wrote : Re: [Bug 1869792] Re: [MIR] u-boot-rpi
Download full text (3.8 KiB)

On Wed, Apr 1, 2020 at 2:05 PM Christian Ehrhardt  <
<email address hidden>> wrote:
<snip>

> I agree that we should promote the package as well.
>

Excellent!

<snip>

> @David:
> - the package appears to get regular updates/fixes by the foundations team
> - upstream releases ~quarterly
> - it might be too late for the brand new 2020.04~rc4, but what is the
> reason to not update to 19.10 or 20.01?
> - Debian has 20.01 in testing and 20.04 in testing, so their speed is fast
> - Is there an active maintenance and update policy in place or is it
> randomly updated as needed?
>

This also ties in to why we haven't (yet) updated to 19.10: at present,
most of the effort in Eoan and Focal regarding the Pi platform has been
around the boot sequence (and in particular, ensuring compatibility of the
hardware with it). Testing is at least partially manual (as the Pi 4 has
proved incompatible with the hardware used in the lab to provide SD images
automatically, leading to a labor-intensive process of flashing and
changing cards for testing). Until the testing process can be automated,
we're extremely reticent to change major components (due to the effort
involved in re-testing) unless there's some tangible benefit in the new
version.

I'm not aware of an official update policy for the package, but I do keep
track of the upstream releases and check the changelog on (non-rc-)
releases (though unfortunately upstream's attitude to changelogs is "our
changelog can be generated from our git log" ... which largely explains why
I don't bother with the rc- releases; it usually takes a full day to trawl
through the generated thing!)

> - sometimes packages tend to be outdated by accruing to much delta that is
> hard to rebase&maintain; It seems the packaging was split mid last year on
> 2019.04+dfsg-2ubuntu1 and not rebase d since then. Might I ask about how
> well upstreaming to Debian works (links to some examples would be nice).
> I'd wan't to avoid that this package seems to be "ok now" but we can expect
> it to rot away for the reasons that inhibit regular maintenance mentioned
> above.
>

The bulk of our (and indeed Debian's own) delta appears to be for specific
hardware support (e.g. pi4 in our case), or for customizing the
configuration of u-boot to a particular distro (our other pi patches, and
the nitrogen6x patch). The latter style of patches (configuration
customization) I wouldn't expect to migrate because they'll be specific to
Ubuntu (or to Debian as the case may be).

The Pi4 code patches we apply to 2019.07 (d/p/rpi4.patch) have already made
it upstream to the u-boot project (in 2019.10) so those should disappear on
the next rebase. The rest of the Pi patches (d/p/rpi-board-dt.patch and
d/p/rpi2-rpi3-config-tweaks.patch) have to do with customizing the default
configuration for Ubuntu (the second style of patches that I wouldn't
expect to migrate), as are the nitrogen patches. In other words, I don't
think there's any delta we currently carry that a) hasn't already made it
upstream or b) wouldn't be relevant to upstream.

> To be clear I don't request to do these updates for Focal (it is too
> late), but I'd want to see some reassurance t...

Read more...

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks for the explanation Dave (and sorry for calling you David before - I should know better)!
That makes me feel confident that this is under control - which is the last element I needed as it was good otherwise.

MIR team ACK, but security needed to re-eval (as outlined above) - so I'm assigning to security.

Changed in u-boot (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → Ubuntu Security Team (ubuntu-security)
status: Incomplete → New
Revision history for this message
Seth Arnold (seth-arnold) wrote :

This is an awkward case, I'm not sure we've got a perfect plan here.

u-boot has been in main for a while; a previous release did need to go through -security but it appears it wasn't for security reasons:

https://launchpad.net/ubuntu/+source/u-boot/2016.01+dfsg1-2ubuntu3

The rpi family does not have any secure boot mechanism. Most of these machines are hobbiest machines, quite often the storage is accessible without even undoing any screws, so it's easy to say the boot process is unlikely to be a security boundary.

So, with that in mind, I looked at only what's new, here:

$ tar tf data.tar.xz
./
./usr/
./usr/lib/
./usr/lib/u-boot/
./usr/lib/u-boot/rpi_3/
./usr/lib/u-boot/rpi_3/u-boot.bin
./usr/lib/u-boot/rpi_3/uboot.elf
./usr/lib/u-boot/rpi_4/
./usr/lib/u-boot/rpi_4/u-boot.bin
./usr/lib/u-boot/rpi_4/uboot.elf
./usr/share/
./usr/share/doc/
./usr/share/doc/u-boot-rpi/
./usr/share/doc/u-boot-rpi/README.Debian
./usr/share/doc/u-boot-rpi/changelog.Debian.gz
./usr/share/doc/u-boot-rpi/configs/
./usr/share/doc/u-boot-rpi/configs/config.rpi_3.gz
./usr/share/doc/u-boot-rpi/configs/config.rpi_4.gz
./usr/share/doc/u-boot-rpi/copyright
./usr/share/lintian/
./usr/share/lintian/overrides/
./usr/share/lintian/overrides/u-boot-rpi
./usr/share/u-boot/
./usr/share/u-boot/rpi-config-migration

$ tar tf control.tar.xz
./
./control
./md5sums
./postinst

The .bin and .elf files are probably safe to treat as binary blobs from rpi and not worry about their maintenance.

The postinst and rpi-config-migration are a bit interesting. I don't understand why they are split apart. I'd feel better if the rpi-config-migration were run rather than sourced, just out of a sense of trying to reduce coupling between parts that are not obviously connected.

There's no shbang line for rpi-config-migration, no set -e directly in that file, and since it uses pipelines heavily, set -o pipefail would probably also be useful.

Security team ACK for promoting u-boot-rpi.

If u-boot deserves a deeper look from the security team, we can arrange that. Giving it a deeper look before 20.04 release feels infeasible, and anyway this has been de-facto 'main' in all but process for a while anyway, right?

Thanks

Changed in u-boot (Ubuntu):
status: New → In Progress
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Revision history for this message
Dave Jones (waveform) wrote :
Download full text (4.3 KiB)

Thanks for the quick response, Seth!

On Sat, Apr 11, 2020 at 12:30 AM Seth Arnold <email address hidden>
wrote:

> This is an awkward case, I'm not sure we've got a perfect plan here.
>
> u-boot has been in main for a while; a previous release did need to go
> through -security but it appears it wasn't for security reasons:
>
> https://launchpad.net/ubuntu/+source/u-boot/2016.01+dfsg1-2ubuntu3
>
> The rpi family does not have any secure boot mechanism. Most of these
> machines are hobbiest machines, quite often the storage is accessible
> without even undoing any screws, so it's easy to say the boot process is
> unlikely to be a security boundary.
>

Indeed - I'm operating on the assumption that we have no expectation of
security in the face of physical access to the device seeing as (as you've
noted) there's no secure boot, the storage is trivially removable, and
there's no encrypted file-system. The only issue I can envisage is whether
it opens the system to remote compromise (which *might* be feasible given
we do compile in the networking sub-system and TFTP / PXE-ish options,
though these are not (currently) used in our boot sequence).

So, with that in mind, I looked at only what's new, here:
>
> $ tar tf data.tar.xz
> ./
> ./usr/
> ./usr/lib/
> ./usr/lib/u-boot/
> ./usr/lib/u-boot/rpi_3/
> ./usr/lib/u-boot/rpi_3/u-boot.bin
> ./usr/lib/u-boot/rpi_3/uboot.elf
> ./usr/lib/u-boot/rpi_4/
> ./usr/lib/u-boot/rpi_4/u-boot.bin
> ./usr/lib/u-boot/rpi_4/uboot.elf
> ./usr/share/
> ./usr/share/doc/
> ./usr/share/doc/u-boot-rpi/
> ./usr/share/doc/u-boot-rpi/README.Debian
> ./usr/share/doc/u-boot-rpi/changelog.Debian.gz
> ./usr/share/doc/u-boot-rpi/configs/
> ./usr/share/doc/u-boot-rpi/configs/config.rpi_3.gz
> ./usr/share/doc/u-boot-rpi/configs/config.rpi_4.gz
> ./usr/share/doc/u-boot-rpi/copyright
> ./usr/share/lintian/
> ./usr/share/lintian/overrides/
> ./usr/share/lintian/overrides/u-boot-rpi
> ./usr/share/u-boot/
> ./usr/share/u-boot/rpi-config-migration
>
> $ tar tf control.tar.xz
> ./
> ./control
> ./md5sums
> ./postinst
>
> The .bin and .elf files are probably safe to treat as binary blobs from
> rpi and not worry about their maintenance.
>

Sorry - I may be a little unclear on your statement here? The .bin and .elf
files are from our build of u-boot - they're not provided by the rpi
foundation (the foundation don't use u-boot at all - only their own
bootloader firmware, which we also use, and which is a binary blob, but
that's in the linux-firmware-raspi2 package). In other words, we do have
the source for the u-boot.bin files (I'm not entirely clear why we include
the .elf files - they're not used for anything).

> The postinst and rpi-config-migration are a bit interesting. I don't
> understand why they are split apart. I'd feel better if the rpi-config-
> migration were run rather than sourced, just out of a sense of trying to
> reduce coupling between parts that are not obviously connected.
>

The split was made on the advice of the initial reviewer of those changes
in order to keep the postinst changes minimal (presumably so the top-level
logic made for a cleaner review). My hope is that, post-focal, the
rpi-config-migration stuf...

Read more...

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

This seems ready, thanks everyone for the checks and discussions.

@Ubuntu Archive team, please promote the binary "u-boot-rpi" to main
Currently:
 u-boot-rpi | 2019.07+dfsg-1ubuntu6 | focal/universe | arm64, armhf

Francis Ginther (fginther)
tags: added: id-5e8ddba5c9cc7f7376c539d2
Steve Langasek (vorlon)
Changed in u-boot (Ubuntu):
status: In Progress → Fix Committed
Dave Jones (waveform)
Changed in u-boot (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.