[Bug 1905393] Re: Ubuntu 20.04: opal-prd fails to start on 20.04

Matthieu Clemenceau 1905393 at bugs.launchpad.net
Wed Dec 16 14:52:53 UTC 2020


** Description changed:

+ [Impact]
+ 
+ This impacts the opal-prd userspace command from the skiboot package
+ 
+ On systems using recent versions of systemd /dev (devtmpfs) is mounted
+ with noexec option. Such mount prevents mapping HBRT image code region
+ as RWX from /dev. This commit, as suggested in github PR linked below,
+ attempts to work around the situation by copying HBRT image to anon
+ mmaped memory region and sets mprotect rwx on it, allowing opal-prd to
+ successfully execute the code region.
+ 
+ The direct Impact is that the opal-prd command will not start on groovy
+ and focal
+ 
+ [Test Case]
+ 
+ Unfortunately due to the specific hardware requirement I wasn't able to
+ reproduce this problem and provide a test case for it. However I was
+ able to build this package into a ppa and got the IBM team to confirm
+ this problem was resolved for groovy focal, bionic, xenial see comment
+ #4
+ 
+ I would anticipate this test should work based on the description
+ $> opal-prd
+ contemplate crash
+ $> sudo apt update skiboot
+ $> opal-prd
+ no crash with the updated package
+ 
+ [What could go wrong]
+ 
+ Hopefully not much. The initial fix was prepared back in October and I
+ would think regression could have been discovered by now. The change is
+ also limited to single user space command that IBM is closely using and
+ maintaining. I anticipate regression to be reported to us promptly.
+ 
+ [Original Description]
+ 
  == Comment: #0 - VASANT HEGDE <hegdevasant at in.ibm.com> - 2020-11-23 23:23:22 ==
  ---Problem Description---
  opal-prd fails to start on 20.04
-  
+ 
  Contact Information = Vasant hegde <hegdevasant at linux.vnet.ibm.com>
-  
+ 
  ---uname output---
  Ubuntu 20.04
-  
- Machine Type = All Power System 
-  
+ 
+ Machine Type = All Power System
+ 
  ---Steps to Reproduce---
-  opal-prd fails to start on 20.04
-  
- Userspace tool common name: opal-prd 
-  
- The userspace tool has the following bit modes: 64bit 
+  opal-prd fails to start on 20.04
+ 
+ Userspace tool common name: opal-prd
+ 
+ The userspace tool has the following bit modes: 64bit
  
  Userspace rpm: opal-prd
  
  This is fixed in upstream by below commit. Please backport this patch to
  20.04 LTS release. Also applicable for 20.10.
  
  commit 47005e8d4c9aeda5826c17c4a013cfbda1a3f2de
  Author: Georgy Yakovlev <gyakovlev at gentoo.org>
  Date:   Mon Oct 12 14:29:17 2020 -0700
  
-     opal-prd: handle devtmpfs mounted with noexec
-     
-     On systems using recent versions of systemd /dev (devtmpfs) is mounted with
-     noexec option. Such mount prevents mapping HBRT image code region as RWX
-     from /dev. This commit, as suggested in github PR linked below, attempts to
-     work around the situation by copying HBRT image to anon mmaped memory
-     region and sets mprotect rwx on it, allowing opal-prd to sucessfully
-     execute the code region.
-     
-     Having memory region set as RWX is not ideal for security, but fixing that
-     is a separate and hard to solve problem. Original code also mmaped region
-     as RWX, so this PR does not make things worse at least.
-     
-     Closes: https://github.com/open-power/skiboot/issues/258
-     Signed-off-by: Georgy Yakovlev <gyakovlev at gentoo.org>
-     Reviewed-by: Vasant Hegde <hegdevasant at linux.vnet.ibm.com>
-     [oliver: whitespace fix, add a comment, reflow commit message]
-     Signed-off-by: Oliver O'Halloran <oohall at gmail.com>
+     opal-prd: handle devtmpfs mounted with noexec
+ 
+     On systems using recent versions of systemd /dev (devtmpfs) is mounted with
+     noexec option. Such mount prevents mapping HBRT image code region as RWX
+     from /dev. This commit, as suggested in github PR linked below, attempts to
+     work around the situation by copying HBRT image to anon mmaped memory
+     region and sets mprotect rwx on it, allowing opal-prd to sucessfully
+     execute the code region.
+ 
+     Having memory region set as RWX is not ideal for security, but fixing that
+     is a separate and hard to solve problem. Original code also mmaped region
+     as RWX, so this PR does not make things worse at least.
+ 
+     Closes: https://github.com/open-power/skiboot/issues/258
+     Signed-off-by: Georgy Yakovlev <gyakovlev at gentoo.org>
+     Reviewed-by: Vasant Hegde <hegdevasant at linux.vnet.ibm.com>
+     [oliver: whitespace fix, add a comment, reflow commit message]
+     Signed-off-by: Oliver O'Halloran <oohall at gmail.com>
  
  -Vasant
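
Review bot: In the added [Test Case] steps, "sudo apt update skiboot" only refreshes the package index and installs nothing, so the second "opal-prd" run would still exercise the old binary; the step should install or upgrade the rebuilt package before re-running the command. The added [What could go wrong] text also leaves out the one risk the quoted commit message itself names, that the copied HBRT image stays mapped RWX; it is worth stating there that this matches the previous behaviour rather than being a new exposure.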

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1905393

Title:
  Ubuntu 20.04: opal-prd fails to start on 20.04

Status in The Ubuntu-power-systems project:
  In Progress
Status in skiboot package in Ubuntu:
  Fix Released
Status in skiboot source package in Focal:
  In Progress
Status in skiboot source package in Groovy:
  In Progress
Status in skiboot source package in Hirsute:
  Fix Released

Bug description:
  [Impact]

  This impacts the opal-prd userspace command from the skiboot package.

  On systems using recent versions of systemd, /dev (devtmpfs) is mounted
  with the noexec option. Such a mount prevents mapping the HBRT image code
  region as RWX from /dev. This commit, as suggested in the GitHub PR linked
  below, attempts to work around the situation by copying the HBRT image to
  an anonymous mmapped memory region and setting mprotect RWX on it,
  allowing opal-prd to successfully execute the code region.

  The direct impact is that the opal-prd command will not start on
  groovy and focal.

  [Test Case]

  Unfortunately, due to the specific hardware requirement, I wasn't able
  to reproduce this problem and provide a test case for it. However, I
  was able to build this package into a PPA and got the IBM team to
  confirm this problem was resolved for groovy, focal, bionic, xenial;
  see comment #4.

  I would anticipate this test should work, based on the description:
  $> opal-prd
  contemplate crash
  $> sudo apt update skiboot
  $> opal-prd
  no crash with the updated package

  [What could go wrong]

  Hopefully not much. The initial fix was prepared back in October and I
  would think any regression could have been discovered by now. The change
  is also limited to a single user space command that IBM is closely using
  and maintaining. I anticipate regressions to be reported to us
  promptly.

  [Original Description]

  == Comment: #0 - VASANT HEGDE <hegdevasant at in.ibm.com> - 2020-11-23 23:23:22 ==
  ---Problem Description---
  opal-prd fails to start on 20.04

  Contact Information = Vasant hegde <hegdevasant at linux.vnet.ibm.com>

  ---uname output---
  Ubuntu 20.04

  Machine Type = All Power System

  ---Steps to Reproduce---
   opal-prd fails to start on 20.04

  Userspace tool common name: opal-prd

  The userspace tool has the following bit modes: 64bit

  Userspace rpm: opal-prd

  This is fixed upstream by the commit below. Please backport this patch
  to the 20.04 LTS release. Also applicable for 20.10.

  commit 47005e8d4c9aeda5826c17c4a013cfbda1a3f2de
  Author: Georgy Yakovlev <gyakovlev at gentoo.org>
  Date:   Mon Oct 12 14:29:17 2020 -0700

      opal-prd: handle devtmpfs mounted with noexec

      On systems using recent versions of systemd /dev (devtmpfs) is mounted with
      noexec option. Such mount prevents mapping HBRT image code region as RWX
      from /dev. This commit, as suggested in github PR linked below, attempts to
      work around the situation by copying HBRT image to anon mmaped memory
      region and sets mprotect rwx on it, allowing opal-prd to successfully
      execute the code region.

      Having memory region set as RWX is not ideal for security, but fixing that
      is a separate and hard to solve problem. Original code also mmaped region
      as RWX, so this PR does not make things worse at least.

      Closes: https://github.com/open-power/skiboot/issues/258
      Signed-off-by: Georgy Yakovlev <gyakovlev at gentoo.org>
      Reviewed-by: Vasant Hegde <hegdevasant at linux.vnet.ibm.com>
      [oliver: whitespace fix, add a comment, reflow commit message]
      Signed-off-by: Oliver O'Halloran <oohall at gmail.com>

  -Vasant

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1905393/+subscriptions
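
The workaround described in the commit message above, as an added C example that is not part of the original report and is not the opal-prd source. The names map_image, copy_to_anon and demo_copy are hypothetical, the sample bytes are constructed, and demo_copy calls the fallback path directly so it can be exercised without a noexec mount.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Fallback (hypothetical helper, not opal-prd's code): copy the image into
 * anonymous memory, then apply the requested protection with mprotect(). */
void *copy_to_anon(int fd, size_t size, int prot)
{
    /* A mapping without PROT_EXEC is still allowed on a noexec mount. */
    void *src = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
    void *buf = mmap(NULL, size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int ok = src != MAP_FAILED && buf != MAP_FAILED;
    if (ok) {
        memcpy(buf, src, size);
        ok = mprotect(buf, size, prot) == 0; /* may be denied by policy */
    }
    if (src != MAP_FAILED)
        munmap(src, size);
    if (!ok && buf != MAP_FAILED)
        munmap(buf, size);
    return ok ? buf : NULL;
}

/* Try the direct file mapping first; mmap() fails with EPERM when PROT_EXEC
 * is requested for a file that lives on a noexec mount. */
void *map_image(int fd, size_t size, int prot)
{
    void *buf = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0);
    if (buf != MAP_FAILED)
        return buf;
    return errno == EPERM ? copy_to_anon(fd, size, prot) : NULL;
}

/* Constructed sample standing in for the image. Returns 1 when the anonymous
 * copy matches the file contents and the RWX protection was accepted. */
int demo_copy(void)
{
    static const char img[] = "constructed sample bytes, not a real HBRT image";
    FILE *f = tmpfile();
    if (!f || fwrite(img, 1, sizeof img, f) != sizeof img || fflush(f))
        return 0;
    void *p = copy_to_anon(fileno(f), sizeof img, PROT_READ | PROT_WRITE | PROT_EXEC);
    int ok = p && memcmp(p, img, sizeof img) == 0;
    if (p) munmap(p, sizeof img);
    fclose(f);
    return ok;
}
```

A NULL return from copy_to_anon with RWX requested usually means a hardening policy that denies writable and executable memory is in effect, which is the same class of restriction the commit message calls out as unresolved.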


