I will revert the disabling of efivars in the next release of the Ubuntu real-time kernel.
** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => Joseph Salisbury (jsalisbury)

** Changed in: ubuntu-realtime
     Assignee: (unassigned) => Joseph Salisbury (jsalisbury)

** No longer affects: linux (Ubuntu)

** Changed in: ubuntu-realtime
       Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1970077

Title:
  efivars file system missing in Ubuntu 22.04 real-time kernel

Status in ubuntu-realtime:
  In Progress

Bug description:
  In the Ubuntu 22.04 generic kernel (e.g. 5.15.0-23), the efivars file system is mounted and is visible in the output of the mount command; however, in the Ubuntu 22.04 real-time kernel (e.g. 5.15.0-1005-realtime or 5.15.0-1007-realtime), the efivars file system is missing. The Intel SGX feature relies on the efivars file system to function. Could you please investigate this issue? Thanks.

  ---

  In Ubuntu, multiple things rely on reliable access to efivars (read-only) and on the ability to manipulate them too (read-write). Thus imho we should revert the v5.15 patch that turns efivars by default, and in later series update the annotation to keep it on, even under realtime.

  Things sort of work on boot, as the shim fallback app (fb*.efi) parses, loads and sets the initial boot variables. However, subsequent updates to our bootloaders (shim, grub, nullboot, snapd) do not know if they are set, if they are correct, or if they can be used. The functionality that is missing on such systems is thus the inability to install fw updates with fwupd, the inability to boot into firmware setup (systemctl reboot --firmware-setup), and the inability to predict measurements in order to predict sealing policies with new updates in the case of TPM-based sealed secrets (i.e. UC-based FDE, systemd-based secrets, SGX, etc.). I will use this bug report to address this by default.

  Users that are concerned about userspace/OS accessing and using efivars during maintenance operations (package upgrades) or otherwise during runtime (arbitrary calls to bootctl, for example) should consider getting hardware that has a realtime-aware EFI implementation, or modify their classic or core systems to disable EFI runtime services by opting out of efivars.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-realtime/+bug/1970077/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
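The report above describes tooling (fwupd, bootctl, systemctl reboot --firmware-setup, TPM sealing-policy prediction) that silently loses functionality when efivarfs is absent. The following pre-flight check is an added example and is not code from the bug report, from Ubuntu or from any of the projects named; it parses /proc/mounts-format text and tells the three cases apart: efivarfs present, UEFI boot without efivarfs (the situation in this bug), and legacy BIOS boot where efivars are not expected. The function names and the sample mount tables are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether efivarfs is
# usable before running tools that depend on EFI variables.

# efivarfs_mounted MOUNTS_TEXT
#   Returns 0 if MOUNTS_TEXT (the contents of /proc/mounts) contains an
#   efivarfs mount at the canonical path, 1 otherwise. Fields in
#   /proc/mounts are: source mountpoint fstype options dump pass.
efivarfs_mounted() {
    printf '%s\n' "$1" | awk '
        $3 == "efivarfs" && $2 == "/sys/firmware/efi/efivars" { found = 1 }
        END { exit !found }'
}

# efivars_status MOUNTS_TEXT UEFI
#   UEFI is "yes" when the /sys/firmware/efi directory exists (UEFI boot).
#   Prints one of: present, missing, no-uefi.
efivars_status() {
    if efivarfs_mounted "$1"; then
        echo present        # efivars readable/writable through efivarfs
    elif [ "$2" = yes ]; then
        echo missing        # UEFI boot but no efivarfs: fwupd/bootctl will degrade
    else
        echo no-uefi        # legacy BIOS boot; EFI variables do not exist
    fi
}

# Live check against the running system (reads /proc/mounts and /sys).
efivars_live_status() {
    if [ -d /sys/firmware/efi ]; then uefi=yes; else uefi=no; fi
    efivars_status "$(cat /proc/mounts)" "$uefi"
}

# Constructed sample: a generic-kernel mount table with efivarfs present.
GENERIC_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 / ext4 rw,relatime 0 0'

# Constructed sample: the same machine on a kernel with efivars disabled.
REALTIME_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 / ext4 rw,relatime 0 0'

# Demonstration on the constructed samples; pass --live to check this host.
if [ "${1:-}" = --live ]; then
    echo "this host: $(efivars_live_status)"
else
    echo "generic sample:  $(efivars_status "$GENERIC_MOUNTS" yes)"
    echo "realtime sample: $(efivars_status "$REALTIME_MOUNTS" yes)"
    echo "bios sample:     $(efivars_status "$REALTIME_MOUNTS" no)"
fi
```

A maintenance script (package hook, fwupd wrapper, sealing-policy recomputation) can call efivars_status and refuse to proceed, or log a clear reason, when the result is "missing" rather than discovering the problem as a confusing failure from the bootloader update itself.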