This is core specific, and at this time we will only be targeting noble
for core24 purposes.

** Changed in: systemd (Ubuntu Oracular)
       Status: Confirmed => Won't Fix

** Changed in: systemd (Ubuntu)
       Status: Confirmed => Won't Fix

** Changed in: systemd (Ubuntu Noble)
   Importance: Undecided => Medium

** Changed in: systemd (Ubuntu Noble)
     Assignee: (unassigned) => Nick Rosbrook (enr0n)

** Changed in: systemd (Ubuntu Noble)
       Status: Confirmed => Triaged

** Description changed:

+ [Original description/Impact]
+ 
  Since systemd 252, systemd-stub does LoadImage/StartImage to executed
  the kernel in the .linux section.
  
  See origin PR: https://github.com/systemd/systemd/pull/24777
  
  Before, it was using the "EFI handover protocol". Unfortunately kernel
  handover is now deprecated. Also it was only for x86, and missing some
  features. So upstream decided to use LoadImage/StartImage.
  
  In order to use LoadImage, it needs to be able to prevent signature
  verification and measurement. Because the .linux section is part of the
  UKI that is already signed and measured. Do that that, it overrides the
  functions in security architectural protocols.
  
  Security architectural protocols are part of the platform initialization
  specifications. They are optional in these specifications, and the
  platform initialization specifications are optional by themselves. So
  some UEFI firmware will not support systemd-stub.
  
  For upstream this is not really an issue. UKIs are still something new
  that has not been used by many distributions yet. And there is probably
  not that many firmware that does not support the needed features.
  
  However, Ubuntu Core has been shipping UKIs since Ubuntu Core 20. And
  kernel handover has been in use by users that have firmware that do not
  support the needed features.
  
  The bugs that can be caused are:
-  * If EFI_SECURITY2_ARCH_PROTOCOL is not implemented, there will be a 
spurious measurement of the .linux section on PCR 4. We have observed this 
behavior in the wild.
-  * If EFI_SECURITY_ARCH_PROTOCOL is not implemented, this should generate a 
"security violation" error. This is hypothetical. We have not yet observed this.
+  * If EFI_SECURITY2_ARCH_PROTOCOL is not implemented, there will be a 
spurious measurement of the .linux section on PCR 4. We have observed this 
behavior in the wild.
+  * If EFI_SECURITY_ARCH_PROTOCOL is not implemented, this should generate a 
"security violation" error. This is hypothetical. We have not yet observed this.
  
  Ubuntu Core 24 uses systemd-stub with LoadImage/StartImage. That means
  some users cannot upgrade from Ubuntu Core 22 to Ubuntu Core 24.
  
  systemd-stub still has a fallback to handover entry point if the
  embedded kernel is too old to support the PE/COFF entry point. The
  kernel from 24.04 does support both LoadImage/StartImage and handover.
  That means systemd-stub will always use LoadImage, and never the
  handover.
  
  We need to be able to force systemd-stub to use handover for some of our
  users.
  
  Ubuntu Core supports kernel command line changes from the gadget (since
  we use PCR12 as part of the PCR policies to unseal storage keys, it is
  safe). So it is easy to pass the information to enable handover that
  way. So I propose we look for the "signal" there and force handover.
  
  Here is my proposed patch:
  https://gist.github.com/valentindavid/7ab6247c8fe0d3a91d089d201e160ba4
+ 
+ [Test plan]
+ 
+ TODO
+ 
+ [Where problems could occur]
+ 
+ This patch adds logic to systemd-stub to obey a magic kernel command
+ line. It is limited to systemd-stub, which currently is only used in
+ Ubuntu core, so this should not have any impact on classic systems
+ whatsoever.
+ 
+ By default, when the command line option is not set, no behavior should
+ change. However, if there are problems with the command line parsing
+ that would potentially cause problems for Ubuntu core users.
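Review bot: the added [Test plan] section is still "TODO", while the added [Where problems could occur] text names command line parsing as the risk. The plan should cover at least a boot with the option unset (to show that nothing changes) and a boot with it set on firmware that does not implement EFI_SECURITY2_ARCH_PROTOCOL. The last added sentence is also incomplete as written ("if there are problems with the command line parsing that would potentially cause problems"); a comma after "parsing" fixes it.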

https://bugs.launchpad.net/bugs/2088069

Title:
  systemd-stub should provide a way to be forced to use handover

Status in systemd package in Ubuntu:
  Won't Fix
Status in systemd source package in Noble:
  Triaged
Status in systemd source package in Oracular:
  Won't Fix

Bug description:
  [Original description/Impact]

  Since systemd 252, systemd-stub does LoadImage/StartImage to execute
  the kernel in the .linux section.

  See origin PR: https://github.com/systemd/systemd/pull/24777

  Before, it was using the "EFI handover protocol". Unfortunately kernel
  handover is now deprecated. Also it was only for x86, and missing some
  features. So upstream decided to use LoadImage/StartImage.

  In order to use LoadImage, it needs to be able to prevent signature
  verification and measurement, because the .linux section is part of
  the UKI that is already signed and measured. To do that, it
  overrides the functions in security architectural protocols.

  Security architectural protocols are part of the platform
  initialization specifications. They are optional in these
  specifications, and the platform initialization specifications are
  optional by themselves. So some UEFI firmware will not support
  systemd-stub.

  For upstream this is not really an issue. UKIs are still something new
  that has not been used by many distributions yet. And there is
  probably not that much firmware that does not support the needed
  features.

  However, Ubuntu Core has been shipping UKIs since Ubuntu Core 20. And
  kernel handover has been in use by users that have firmware that does
  not support the needed features.

  The bugs that can be caused are:
   * If EFI_SECURITY2_ARCH_PROTOCOL is not implemented, there will be a
     spurious measurement of the .linux section on PCR 4. We have
     observed this behavior in the wild.
   * If EFI_SECURITY_ARCH_PROTOCOL is not implemented, this should
     generate a "security violation" error. This is hypothetical. We
     have not yet observed this.

  Ubuntu Core 24 uses systemd-stub with LoadImage/StartImage. That means
  some users cannot upgrade from Ubuntu Core 22 to Ubuntu Core 24.

  systemd-stub still has a fallback to handover entry point if the
  embedded kernel is too old to support the PE/COFF entry point. The
  kernel from 24.04 does support both LoadImage/StartImage and handover.
  That means systemd-stub will always use LoadImage, and never the
  handover.

  We need to be able to force systemd-stub to use handover for some of
  our users.

  Ubuntu Core supports kernel command line changes from the gadget
  (since we use PCR12 as part of the PCR policies to unseal storage
  keys, it is safe). So it is easy to pass the information to enable
  handover that way. So I propose we look for the "signal" there and
  force handover.

  Here is my proposed patch:
  https://gist.github.com/valentindavid/7ab6247c8fe0d3a91d089d201e160ba4

  [Test plan]

  TODO

  [Where problems could occur]

  This patch adds logic to systemd-stub to obey a magic kernel command
  line. It is limited to systemd-stub, which currently is only used in
  Ubuntu Core, so this should not have any impact on classic systems
  whatsoever.

  By default, when the command line option is not set, no behavior
  should change. However, if there are problems with the command line
  parsing, that would potentially cause problems for Ubuntu Core users.
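
The selection order described in the report, with the proposed command line override, as an added example (not the proposed patch and not systemd code). The option name `stub.force_handover` and both function names are hypothetical, and the command line is treated as plain ASCII for simplicity. The match is exact and whole-word, so near-miss arguments leave the default path unchanged.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical option name: the report does not say which one the patch uses. */
#define FORCE_HANDOVER_OPT "stub.force_handover"

enum boot_path { BOOT_LOAD_IMAGE, BOOT_HANDOVER };

/* True only if opt appears as a complete, unquoted, whitespace-delimited word. */
static bool cmdline_has_word(const char *cmdline, const char *opt) {
    size_t optlen = strlen(opt);
    const char *p = cmdline;

    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == '\n')
            p++;
        const char *start = p;
        bool in_quotes = false, had_quote = false;
        /* A word ends at whitespace that is outside double quotes. */
        while (*p && (in_quotes || (*p != ' ' && *p != '\t' && *p != '\n'))) {
            if (*p == '"') {
                in_quotes = !in_quotes;
                had_quote = true;
            }
            p++;
        }
        /* Reject prefixes, suffixes, "=value" forms and quoted text. */
        if (!had_quote && (size_t)(p - start) == optlen &&
            memcmp(start, opt, optlen) == 0)
            return true;
    }
    return false;
}

/* Existing fallback first, then the proposed override, then the default. */
enum boot_path choose_boot_path(const char *cmdline, bool kernel_has_pe_entry) {
    if (!kernel_has_pe_entry)
        return BOOT_HANDOVER;   /* kernel too old for the PE/COFF entry point */
    if (cmdline && cmdline_has_word(cmdline, FORCE_HANDOVER_OPT))
        return BOOT_HANDOVER;   /* forced from the gadget command line */
    return BOOT_LOAD_IMAGE;     /* option unset: behavior unchanged */
}
```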
