| 2020-11-24 10:39:31 |
bugproxy |
bug |
|
|
added bug |
| 2020-11-24 10:39:34 |
bugproxy |
tags |
|
architecture-ppc64le bugnameltc-189959 severity-critical targetmilestone-inin20041 |
|
| 2020-11-24 10:39:36 |
bugproxy |
ubuntu: assignee |
|
Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) |
|
| 2020-11-24 10:39:39 |
bugproxy |
affects |
ubuntu |
opal (Ubuntu) |
|
| 2020-11-24 10:42:38 |
Frank Heimes |
bug task added |
|
ubuntu-power-systems |
|
| 2020-11-24 10:47:19 |
Frank Heimes |
ubuntu-power-systems: assignee |
|
Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) |
|
| 2020-11-24 10:47:26 |
Frank Heimes |
ubuntu-power-systems: importance |
Undecided |
Critical |
|
| 2020-11-24 10:48:03 |
Frank Heimes |
nominated for series |
|
Ubuntu Hirsute |
|
| 2020-11-24 10:48:03 |
Frank Heimes |
bug task added |
|
opal (Ubuntu Hirsute) |
|
| 2020-11-24 10:48:03 |
Frank Heimes |
nominated for series |
|
Ubuntu Groovy |
|
| 2020-11-24 10:48:03 |
Frank Heimes |
bug task added |
|
opal (Ubuntu Groovy) |
|
| 2020-11-24 10:48:03 |
Frank Heimes |
nominated for series |
|
Ubuntu Focal |
|
| 2020-11-24 10:48:03 |
Frank Heimes |
bug task added |
|
opal (Ubuntu Focal) |
|
| 2020-11-24 10:48:27 |
Frank Heimes |
opal (Ubuntu Hirsute): assignee |
Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) |
Canonical Foundations Team (canonical-foundations) |
|
| 2020-11-24 20:08:53 |
Steve Langasek |
tags |
architecture-ppc64le bugnameltc-189959 severity-critical targetmilestone-inin20041 |
architecture-ppc64le bugnameltc-189959 fr-965 severity-critical targetmilestone-inin20041 |
|
| 2020-11-25 22:16:04 |
Brian Murray |
affects |
opal (Ubuntu Focal) |
skiboot (Ubuntu Focal) |
|
| 2020-12-07 22:12:12 |
Matthieu Clemenceau |
skiboot (Ubuntu Groovy): assignee |
|
Matthieu Clemenceau (mclemenceau) |
|
| 2020-12-07 22:12:30 |
Matthieu Clemenceau |
skiboot (Ubuntu Focal): assignee |
|
Matthieu Clemenceau (mclemenceau) |
|
| 2020-12-07 22:12:41 |
Matthieu Clemenceau |
skiboot (Ubuntu Hirsute): assignee |
Canonical Foundations Team (canonical-foundations) |
Matthieu Clemenceau (mclemenceau) |
|
| 2020-12-08 06:44:55 |
Frank Heimes |
ubuntu-power-systems: status |
New |
Triaged |
|
| 2020-12-11 19:07:10 |
Matthieu Clemenceau |
skiboot (Ubuntu Hirsute): status |
New |
In Progress |
|
| 2020-12-11 21:38:02 |
Matthieu Clemenceau |
attachment added |
|
skiboot_6.6.2-1_6.6.2-1ubuntu1.diff https://bugs.launchpad.net/ubuntu-power-systems/+bug/1905393/+attachment/5442856/+files/skiboot_6.6.2-1_6.6.2-1ubuntu1.diff |
|
| 2020-12-11 21:42:03 |
Matthieu Clemenceau |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
| 2020-12-12 01:18:14 |
Mathew Hodson |
skiboot (Ubuntu Focal): importance |
Undecided |
High |
|
| 2020-12-12 01:18:16 |
Mathew Hodson |
skiboot (Ubuntu Groovy): importance |
Undecided |
High |
|
| 2020-12-12 01:18:19 |
Mathew Hodson |
skiboot (Ubuntu Hirsute): importance |
Undecided |
High |
|
| 2020-12-14 07:34:10 |
Frank Heimes |
ubuntu-power-systems: status |
Triaged |
In Progress |
|
| 2020-12-14 14:24:52 |
Frank Heimes |
skiboot (Ubuntu Focal): milestone |
|
ubuntu-20.04.2 |
|
| 2020-12-14 21:23:54 |
Matthieu Clemenceau |
attachment added |
|
This is a debdiff for the Groovy SRU https://bugs.launchpad.net/ubuntu-power-systems/+bug/1905393/+attachment/5443551/+files/skiboot_6.5.2-1_6.5.2-1ubuntu0.20.10.1.diff |
|
| 2020-12-14 21:24:02 |
Matthieu Clemenceau |
skiboot (Ubuntu Groovy): status |
New |
In Progress |
|
| 2020-12-14 21:24:11 |
Matthieu Clemenceau |
skiboot (Ubuntu Focal): status |
New |
In Progress |
|
| 2020-12-14 21:24:53 |
Matthieu Clemenceau |
attachment added |
|
This is a debdiff for the Focal SRU https://bugs.launchpad.net/ubuntu-power-systems/+bug/1905393/+attachment/5443552/+files/skiboot_6.5.2-1_6.5.2-1ubuntu0.20.04.1.diff |
|
| 2020-12-14 21:24:56 |
Matthieu Clemenceau |
attachment added |
|
This is a debdiff for the Focal SRU https://bugs.launchpad.net/ubuntu-power-systems/+bug/1905393/+attachment/5443553/+files/skiboot_6.5.2-1_6.5.2-1ubuntu0.20.04.1.diff |
|
| 2020-12-14 21:25:29 |
Matthieu Clemenceau |
attachment removed |
This is a debdiff for the Focal SRU https://bugs.launchpad.net/ubuntu-power-systems/+bug/1905393/+attachment/5443553/+files/skiboot_6.5.2-1_6.5.2-1ubuntu0.20.04.1.diff |
|
|
| 2020-12-15 14:27:55 |
Matthieu Clemenceau |
attachment removed |
This is a debdiff for the Groovy SRU https://bugs.launchpad.net/ubuntu/+source/skiboot/+bug/1905393/+attachment/5443551/+files/skiboot_6.5.2-1_6.5.2-1ubuntu0.20.10.1.diff |
|
|
| 2020-12-15 14:28:08 |
Matthieu Clemenceau |
attachment removed |
This is a debdiff for the Focal SRU https://bugs.launchpad.net/ubuntu/+source/skiboot/+bug/1905393/+attachment/5443552/+files/skiboot_6.5.2-1_6.5.2-1ubuntu0.20.04.1.diff |
|
|
| 2020-12-15 14:29:04 |
Matthieu Clemenceau |
attachment added |
|
Groovy debdiff skiboot_6.5.2-1_6.5.2-1ubuntu0.20.10.1.diff https://bugs.launchpad.net/ubuntu/+source/skiboot/+bug/1905393/+attachment/5443855/+files/skiboot_6.5.2-1_6.5.2-1ubuntu0.20.10.1.diff |
|
| 2020-12-15 14:29:52 |
Matthieu Clemenceau |
attachment added |
|
Focal debdiff skiboot_6.5.2-1_6.5.2-1ubuntu0.20.04.1.diff https://bugs.launchpad.net/ubuntu/+source/skiboot/+bug/1905393/+attachment/5443856/+files/skiboot_6.5.2-1_6.5.2-1ubuntu0.20.04.1.diff |
|
| 2020-12-15 14:38:38 |
bugproxy |
attachment added |
|
This is a debdiff for the Groovy SRU https://bugs.launchpad.net/bugs/1905393/+attachment/5443864/+files/skiboot_6.5.2-1_6.5.2-1ubuntu0.20.10.1.diff |
|
| 2020-12-15 14:38:40 |
bugproxy |
attachment added |
|
This is a debdiff for the Focal SRU https://bugs.launchpad.net/bugs/1905393/+attachment/5443865/+files/skiboot_6.5.2-1_6.5.2-1ubuntu0.20.04.1.diff |
|
| 2020-12-15 15:22:53 |
Lukas Märdian |
skiboot (Ubuntu Hirsute): status |
In Progress |
Fix Committed |
|
| 2020-12-15 18:09:54 |
Launchpad Janitor |
skiboot (Ubuntu Hirsute): status |
Fix Committed |
Fix Released |
|
| 2020-12-16 14:52:53 |
Matthieu Clemenceau |
description |
== Comment: #0 - VASANT HEGDE <hegdevasant@in.ibm.com> - 2020-11-23 23:23:22 ==
---Problem Description---
opal-prd fails to start on 20.04
Contact Information = Vasant hegde <hegdevasant@linux.vnet.ibm.com>
---uname output---
Ubuntu 20.04
Machine Type = All Power System
---Steps to Reproduce---
opal-prd fails to start on 20.04
Userspace tool common name: opal-prd
The userspace tool has the following bit modes: 64bit
Userspace rpm: opal-prd
This is fixed in upstream by below commit. Please backport this patch to 20.04 LTS release. Also applicable for 20.10.
commit 47005e8d4c9aeda5826c17c4a013cfbda1a3f2de
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
Date: Mon Oct 12 14:29:17 2020 -0700
opal-prd: handle devtmpfs mounted with noexec
On systems using recent versions of systemd /dev (devtmpfs) is mounted with
noexec option. Such mount prevents mapping HBRT image code region as RWX
from /dev. This commit, as suggested in github PR linked below, attempts to
work around the situation by copying HBRT image to anon mmaped memory
region and sets mprotect rwx on it, allowing opal-prd to sucessfully
execute the code region.
Having memory region set as RWX is not ideal for security, but fixing that
is a separate and hard to solve problem. Original code also mmaped region
as RWX, so this PR does not make things worse at least.
Closes: https://github.com/open-power/skiboot/issues/258
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
[oliver: whitespace fix, add a comment, reflow commit message]
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
-Vasant |
[Impact]
This impacts the opal-prd userspace command from the skiboot package
On systems using recent versions of systemd /dev (devtmpfs) is mounted with noexec option. Such mount prevents mapping HBRT image code region as RWX from /dev. This commit, as suggested in github PR linked below, attempts to work around the situation by copying HBRT image to anon mmaped memory region and sets mprotect rwx on it, allowing opal-prd to successfully execute the code region.
The direct Impact is that the opal-prd command will not start on groovy and focal
[Test Case]
Unfortunately due to the specific hardware requirement I wasn't able to reproduce this problem and provide a test case for it. However I was able to build this package into a ppa and got the IBM team to confirm this problem was resolved for groovy focal, bionic, xenial see comment #4
I would anticipate this test should work based on the description
$> opal-prd
contemplate crash
$> sudo apt update skiboot
$> opal-prd
no crash with the updated package
[What could go wrong]
Hopefully not much. The initial fix was prepared back in October and I would think regression could have been discovered by now. The change is also limited to single user space command that IBM is closely using and maintaining. I anticipate regression to be reported to us promptly.
[Original Description]
== Comment: #0 - VASANT HEGDE <hegdevasant@in.ibm.com> - 2020-11-23 23:23:22 ==
---Problem Description---
opal-prd fails to start on 20.04
Contact Information = Vasant hegde <hegdevasant@linux.vnet.ibm.com>
---uname output---
Ubuntu 20.04
Machine Type = All Power System
---Steps to Reproduce---
opal-prd fails to start on 20.04
Userspace tool common name: opal-prd
The userspace tool has the following bit modes: 64bit
Userspace rpm: opal-prd
This is fixed in upstream by below commit. Please backport this patch to 20.04 LTS release. Also applicable for 20.10.
commit 47005e8d4c9aeda5826c17c4a013cfbda1a3f2de
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
Date: Mon Oct 12 14:29:17 2020 -0700
opal-prd: handle devtmpfs mounted with noexec
On systems using recent versions of systemd /dev (devtmpfs) is mounted with
noexec option. Such mount prevents mapping HBRT image code region as RWX
from /dev. This commit, as suggested in github PR linked below, attempts to
work around the situation by copying HBRT image to anon mmaped memory
region and sets mprotect rwx on it, allowing opal-prd to sucessfully
execute the code region.
Having memory region set as RWX is not ideal for security, but fixing that
is a separate and hard to solve problem. Original code also mmaped region
as RWX, so this PR does not make things worse at least.
Closes: https://github.com/open-power/skiboot/issues/258
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
[oliver: whitespace fix, add a comment, reflow commit message]
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
-Vasant |
|
| 2020-12-16 21:13:57 |
Matthieu Clemenceau |
removed subscriber Ubuntu Sponsors Team |
|
|
|
| 2021-01-08 21:05:48 |
Brian Murray |
skiboot (Ubuntu Focal): milestone |
ubuntu-20.04.2 |
focal-updates |
|
| 2021-01-11 20:34:05 |
Frank Heimes |
description |
[Impact]
This impacts the opal-prd userspace command from the skiboot package
On systems using recent versions of systemd /dev (devtmpfs) is mounted with noexec option. Such mount prevents mapping HBRT image code region as RWX from /dev. This commit, as suggested in github PR linked below, attempts to work around the situation by copying HBRT image to anon mmaped memory region and sets mprotect rwx on it, allowing opal-prd to successfully execute the code region.
The direct Impact is that the opal-prd command will not start on groovy and focal
[Test Case]
Unfortunately due to the specific hardware requirement I wasn't able to reproduce this problem and provide a test case for it. However I was able to build this package into a ppa and got the IBM team to confirm this problem was resolved for groovy focal, bionic, xenial see comment #4
I would anticipate this test should work based on the description
$> opal-prd
contemplate crash
$> sudo apt update skiboot
$> opal-prd
no crash with the updated package
[What could go wrong]
Hopefully not much. The initial fix was prepared back in October and I would think regression could have been discovered by now. The change is also limited to single user space command that IBM is closely using and maintaining. I anticipate regression to be reported to us promptly.
[Original Description]
== Comment: #0 - VASANT HEGDE <hegdevasant@in.ibm.com> - 2020-11-23 23:23:22 ==
---Problem Description---
opal-prd fails to start on 20.04
Contact Information = Vasant hegde <hegdevasant@linux.vnet.ibm.com>
---uname output---
Ubuntu 20.04
Machine Type = All Power System
---Steps to Reproduce---
opal-prd fails to start on 20.04
Userspace tool common name: opal-prd
The userspace tool has the following bit modes: 64bit
Userspace rpm: opal-prd
This is fixed in upstream by below commit. Please backport this patch to 20.04 LTS release. Also applicable for 20.10.
commit 47005e8d4c9aeda5826c17c4a013cfbda1a3f2de
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
Date: Mon Oct 12 14:29:17 2020 -0700
opal-prd: handle devtmpfs mounted with noexec
On systems using recent versions of systemd /dev (devtmpfs) is mounted with
noexec option. Such mount prevents mapping HBRT image code region as RWX
from /dev. This commit, as suggested in github PR linked below, attempts to
work around the situation by copying HBRT image to anon mmaped memory
region and sets mprotect rwx on it, allowing opal-prd to sucessfully
execute the code region.
Having memory region set as RWX is not ideal for security, but fixing that
is a separate and hard to solve problem. Original code also mmaped region
as RWX, so this PR does not make things worse at least.
Closes: https://github.com/open-power/skiboot/issues/258
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
[oliver: whitespace fix, add a comment, reflow commit message]
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
-Vasant |
[Impact]
opal-prd (the daemon on a power system that listens for hw diagnostic system events at the /dev/opal-prd device) fails to start.
The reason is that opal-prd is not able to properly handle devtmpfs, mounted with noexec in /dev, which is the case on recent versions of systemd (like used in focal or newer)..
Currently such a mount prevents mapping HBRT image code region as 'rwx' from /dev.
[Fix]
This patch/commit attempts to work around the situation by copying HBRT image to a non mmapped memory region and sets mprotect rwx on it, allowing opal-prd to successfully execute the code region (as suggested here: https://github.com/open-power/skiboot/issues/258):
47005e8d4c9aeda5826c17c4a013cfbda1a3f2de 47005e8 "opal-prd: handle devtmpfs mounted with noexec"
[Test Case]
Since the opal-prd daemon must be running in the background as a separate process, the test is to:
- install the updated package that includes the patched opal-prd daemon (e.g. from the PPA mentioned below)
- double check the installed package version (dpkg -l) and maybe the opal-pd version that's in place (opal-prd --version)
- start opal-prd as daemon: 'service opal-prd start' (if not started automatically)
- verify the opal-prd status and check if it's running or not, by for example 'service opal-prd status'
[What could go wrong]
Things can go wrong in case the HBRT image copy is done wrong; in case it's accidentally copied to a wrong memory area (e.g. to an already mapped range, or erroneously calculated address/size), a seg. fault will happen and the system would core dump.
The mprotect code is pretty straight forward, but the fact that mprotect rwx is set on it, allows opal-prd to successfully execute the code region. It's not generally a perfect approach to map memory as RWX, but HBRT requires the ability to write into the image at runtime - and it got upstream accepted that way with skiboot v6.7.
The fix was released back in October and was pre-tested by the IBM Power team.
On top a patched Ubuntu package was build and shared in a PPA (see comment #1) and again successfully validated on focal and groovy.
__________
[Original Description]
== Comment: #0 - VASANT HEGDE <hegdevasant@in.ibm.com> - 2020-11-23 23:23:22 ==
---Problem Description---
opal-prd fails to start on 20.04
Contact Information = Vasant hegde <hegdevasant@linux.vnet.ibm.com>
---uname output---
Ubuntu 20.04
Machine Type = All Power System
---Steps to Reproduce---
opal-prd fails to start on 20.04
Userspace tool common name: opal-prd
The userspace tool has the following bit modes: 64bit
Userspace rpm: opal-prd
This is fixed in upstream by below commit. Please backport this patch to 20.04 LTS release. Also applicable for 20.10.
commit 47005e8d4c9aeda5826c17c4a013cfbda1a3f2de
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
Date: Mon Oct 12 14:29:17 2020 -0700
opal-prd: handle devtmpfs mounted with noexec
On systems using recent versions of systemd /dev (devtmpfs) is mounted with
noexec option. Such mount prevents mapping HBRT image code region as RWX
from /dev. This commit, as suggested in github PR linked below, attempts to
work around the situation by copying HBRT image to anon mmaped memory
region and sets mprotect rwx on it, allowing opal-prd to sucessfully
execute the code region.
Having memory region set as RWX is not ideal for security, but fixing that
is a separate and hard to solve problem. Original code also mmaped region
as RWX, so this PR does not make things worse at least.
Closes: https://github.com/open-power/skiboot/issues/258
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
[oliver: whitespace fix, add a comment, reflow commit message]
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
-Vasant |
|
| 2021-01-11 22:52:53 |
Łukasz Zemczak |
skiboot (Ubuntu Groovy): status |
In Progress |
Fix Committed |
|
| 2021-01-11 22:52:55 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2021-01-11 22:52:57 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
| 2021-01-11 22:53:00 |
Łukasz Zemczak |
tags |
architecture-ppc64le bugnameltc-189959 fr-965 severity-critical targetmilestone-inin20041 |
architecture-ppc64le bugnameltc-189959 fr-965 severity-critical targetmilestone-inin20041 verification-needed verification-needed-groovy |
|
| 2021-01-11 22:54:02 |
Łukasz Zemczak |
skiboot (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
| 2021-01-11 22:54:08 |
Łukasz Zemczak |
tags |
architecture-ppc64le bugnameltc-189959 fr-965 severity-critical targetmilestone-inin20041 verification-needed verification-needed-groovy |
architecture-ppc64le bugnameltc-189959 fr-965 severity-critical targetmilestone-inin20041 verification-needed verification-needed-focal verification-needed-groovy |
|
| 2021-01-12 06:30:06 |
bugproxy |
tags |
architecture-ppc64le bugnameltc-189959 fr-965 severity-critical targetmilestone-inin20041 verification-needed verification-needed-focal verification-needed-groovy |
architecture-ppc64le bugnameltc-189959 fr-965 severity-critical targetmilestone-inin20041 verification-done-groovy verification-needed verification-needed-focal |
|
| 2021-01-12 07:50:17 |
Andrew Cloke |
ubuntu-power-systems: status |
In Progress |
Fix Committed |
|
| 2021-01-15 06:30:30 |
bugproxy |
tags |
architecture-ppc64le bugnameltc-189959 fr-965 severity-critical targetmilestone-inin20041 verification-done-groovy verification-needed verification-needed-focal |
architecture-ppc64le bugnameltc-189959 fr-965 severity-critical targetmilestone-inin20041 verification-done verification-done-focal verification-done-groovy |
|
| 2021-01-18 09:27:37 |
Launchpad Janitor |
skiboot (Ubuntu Groovy): status |
Fix Committed |
Fix Released |
|
| 2021-01-18 09:27:45 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2021-01-18 09:46:37 |
Launchpad Janitor |
skiboot (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
| 2021-01-18 09:58:49 |
Andrew Cloke |
ubuntu-power-systems: status |
Fix Committed |
Fix Released |
|
