I reviewed piboot-try 1.1 as checked into resolute. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
piboot-try is a binary package that has been split from flash-kernel in
an effort to separate out the Raspberry Pi-specific logic. It is a full
replacement of flash-kernel, managing boot assets for Ubuntu on
Raspberry Pi and providing services that implement the A/B boot
mechanism.
- CVE History
  - None on the new package, but also none for flash-kernel
- Build-Depends
  - All normal
- pre/post inst/rm scripts
  - standard pre/post scripts for the systemd units auto-generated
  - one custom script, piboot-try.postinst.
    - runs flash-kernel on install, upgrade, or if triggered
    - notably, flash-kernel defers maintainer-script invocations into a dpkg trigger
    - this script ensures multiple triggers result in only one real execution
- init scripts
  - /etc/initramfs/post-update.d/flash-kernel
    - verifies flash-kernel is installed in the system, runs flash-kernel script
- systemd units
  - creates two oneshot systemd service units run as root
  - piboot-try-reboot.service
    - run early, checks if boot assets in /new are labelled as `untested`
    - if so, reboots immediately into `tryboot` mode
  - piboot-try-validate.service
    - checks for successful full boot from `tryboot`
    - marks assets as good or bad if boot reaches multi-user state
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - /usr/sbin/flash-kernel
  - ./usr/sbin/piboot-try
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - Unit tests run during build will fail the build if failing
  - autopkgtests run the same non-trivial testing suite, currently passing for arm64 and armhf
  - Reboot needs to be tested on a Raspberry Pi; owning team has the hardware and is committed to testing.
- cron jobs
  - None
- Build logs
  - No concerning warnings and no errors
- Processes spawned
  - None
- Memory management
  - None
- File IO
  - safely reads from autoboot.txt when migrating from legacy setups
- Logging
  - mostly error logging, nothing unsafe
- Environment variable usage
  - Nothing concerning
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc
  - None
- Use of temp files
  - Writes to a temp file when migrating from legacy setups, then renames the temp file to replace the autoboot config. This is done so there is minimal modification of the existing file.
  - name is safely generated
- Use of networking
  - None
- Use of WebKit
  - None
- Use of PolicyKit
  - None
- Any significant cppcheck results
  - N/A
- Any significant shellcheck results
  - None
- Any significant bandit results
  - N/A
- Any significant govulncheck results
  - N/A
- Any significant Semgrep results
  - None
Overall seems like a well-crafted package. As mentioned in the MIR, this
package is split off from flash-kernel, which is already in main, so it is
nice to see this feels high quality and did not present any concerning
behavior. There is quite a bit of code from flash-kernel that will be
untouched in the Raspberry Pi use case, but it is mentioned in the MIR
that there is a plan to reduce this package to only the used code, so I
am unconcerned.
Security team ACK for promoting piboot-try to main.
** Changed in: piboot-try (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
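The write-to-temp-file-then-rename pattern the review notes under "Use of temp files", as an added illustration in Python; this is not piboot-try's own code, and the file name autoboot.txt, the sample contents and the appended tryboot_a_b=1 line are assumptions.

```python
import os
import tempfile
from typing import Callable

def atomic_update(path: str, transform: Callable[[str], str]) -> None:
    """Rewrite `path` as transform(contents) via a temp file plus rename.

    mkstemp picks an unpredictable name in the same directory (no fixed-name
    race, and rename stays on one filesystem, so it is atomic); the original
    is either fully replaced or untouched, and its mode bits are preserved.
    """
    directory = os.path.dirname(os.path.abspath(path))
    with open(path, encoding="utf-8") as f:
        new_contents = transform(f.read())
    fd, tmp_path = tempfile.mkstemp(prefix=".autoboot.", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as tmp:
            tmp.write(new_contents)
            tmp.flush()
            os.fsync(tmp.fileno())  # data on disk before the rename
        os.chmod(tmp_path, os.stat(path).st_mode & 0o7777)
        os.replace(tmp_path, path)  # atomic swap; old file never half-written
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)  # never leave a stray temp file behind
        raise

def ensure_line(line: str) -> Callable[[str], str]:
    """Transform that appends `line` once; every other line is kept as-is."""
    def _apply(text: str) -> str:
        if line in text.splitlines():
            return text
        sep = "" if text == "" or text.endswith("\n") else "\n"
        return f"{text}{sep}{line}\n"
    return _apply

def demo() -> tuple[str, list[str]]:
    """Constructed legacy autoboot.txt in a scratch dir; returns the migrated
    contents and the directory listing (so stray temp files would be visible)."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "autoboot.txt")
    with open(path, "w", encoding="utf-8") as f:
        f.write("[all]\nboot_partition=2\n")  # constructed sample content
    os.chmod(path, 0o644)
    atomic_update(path, ensure_line("tryboot_a_b=1"))  # assumed setting
    atomic_update(path, ensure_line("tryboot_a_b=1"))  # second run: no-op
    with open(path, encoding="utf-8") as f:
        migrated = f.read()
    return migrated, sorted(os.listdir(directory))
```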
https://bugs.launchpad.net/bugs/2142151
Title:
[MIR] piboot-try