I reviewed stubble 2-1 as checked into questing. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

stubble is a UEFI kernel boot stub based off of systemd-stub aimed to
provide a minimal boot stub supporting the loading of device-specific
devicetrees embedded in the kernel image. This is necessary in order to
support UEFI secure boot on devices whose firmware does not provide a
devicetree.

- CVE History
  - None for stubble, as it is a very young package.
  - Much of its code was taken from systemd; no CVEs issued against systemd were of 
concern for stubble. 
  - As the upstream author for stubble is a member of Canonical, it is safe to 
expect timely responses and fixes for issued CVEs.
- Build-Depends
  - All build-depends expected and included in main.
- pre/post inst/rm scripts
  - None
- init scripts
  - None
- systemd units
  - None
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - None
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - As this is a UEFI kernel stub, it is not testable through traditional 
means. 
  - In the MIR request, a viable testing strategy is proposed and seemingly in 
the process of being implemented. This plans to provide a testing suite that 
will be automatically run through autopkgtests. Security team ACK is 
conditional upon this testing plan coming to fruition. See Myles' comment above 
for further details and links.
- cron jobs
  - None
- Build logs
  - Builds successfully for Questing. Nothing concerning spotted.

- Processes spawned
  - None
- Memory management
  - Most memory management is performed in util functions copied over from 
systemd.
  - Outside of those, management is seemingly defensively written.
- File IO
  - None
- Logging
  - None
- Environment variable usage
  - None
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc
  - SHA-1 is used to generate unique Image Bases to prevent runtime 
reallocation. It is also used to generate CHIDs, an expected usage.
  - While the chance of a collision is very small, no harm will be done if one 
occurs. 
  - The implementation in the file sha1.c seems to be the standard 
implementation, copied from the one in systemd, with a small, relevant 
optimization.
- Use of temp files
  - None
- Use of networking
  - None
- Use of WebKit
  - None
- Use of PolicyKit
  - None

- Any significant cppcheck results
  - None
- Any significant shellcheck results
  - None
- Any significant bandit results
  - None
- Any significant govulncheck results
  - None
- Any significant Semgrep results
  - None

As this is a UEFI boot stub, many of the categories above simply do not
apply. It is important to note that much of the implementation of
stubble is copied directly from systemd, and therefore might need to be
considered vendored code by the security team in order to ensure no CVEs
issued against the relevant systemd components are missed. This
additionally implies that much of the codebase can be treated with the
same level of trust as systemd, and it benefits from much of its
maturity.

Overall, this package seems to be a good solution for supporting UEFI
secure boot on arm64 devices and only improves the security posture of
Ubuntu on such devices. Users are allowed to submit requests for
additional device CHIDs to be supported by stubble; these requests go
through the upstream GitHub and require review before merging. As
mentioned in the MIR request, stubble does allow unsigned initrds loaded
by grub. However, as also mentioned in the MIR request, this is already
allowed by the current default boot structure, which is not ideal, but
is not introducing any new attack surfaces and therefore is not
considered a hurdle for accepting stubble into main. Additionally,
stubble is a TPM-aware stub, including support for TPM PCR measurements,
enabling kernel-level boot attestation.

Security team ACK for promoting stubble to main. It is important to note
that completing the autopkgtest implementation should be a high priority
before the 25.10 release.


** Changed in: stubble (Ubuntu Questing)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: stubble (Ubuntu Questing)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2120322

Title:
  [MIR] stubble
