Here is the result of a similar bisect on the bionic kernel:

https://kernel.ubuntu.com/git/ubuntu/ubuntu-bionic.git/commit/?id=091554e4a5b2a7647830a1c7beea781148b51509

091554e4a5b2a7647830a1c7beea781148b51509 is the first bad commit
commit 091554e4a5b2a7647830a1c7beea781148b51509
Author: Lenny Szubowicz <lszub...@redhat.com>
Date:   Tue Nov 30 12:04:00 2021 +0100

    efi: Support for MOK variable config table

    BugLink: https://bugs.launchpad.net/bugs/1928679

    Because of system-specific EFI firmware limitations, EFI volatile
    variables may not be capable of holding the required contents of
    the Machine Owner Key (MOK) certificate store when the certificate
    list grows above some size. Therefore, an EFI boot loader may pass
    the MOK certs via a EFI configuration table created specifically for
    this purpose to avoid this firmware limitation.

    An EFI configuration table is a much more primitive mechanism
    compared to EFI variables and is well suited for one-way passage
    of static information from a pre-OS environment to the kernel.

    This patch adds initial kernel support to recognize, parse,
    and validate the EFI MOK configuration table, where named
    entries contain the same data that would otherwise be provided
    in similarly named EFI variables.

    Additionally, this patch creates a sysfs binary file for each
    EFI MOK configuration table entry found. These files are read-only
    to root and are provided for use by user space utilities such as
    mokutil.

    A subsequent patch will load MOK certs into the trusted platform
    key ring using this infrastructure.

    Signed-off-by: Lenny Szubowicz <lszub...@redhat.com>
    Link: https://lore.kernel.org/r/20200905013107.10457-2-lszub...@redhat.com
    Signed-off-by: Ard Biesheuvel <a...@kernel.org>
    (cherry picked from commit 58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5)
    Signed-off-by: Dimitri John Ledkov <dimitri.led...@canonical.com>
    Acked-by: Thadeu Lima de Souza Cascardo <casca...@canonical.com>
    Acked-by: Tim Gardner <tim.gard...@canonical.com>
    Signed-off-by: Kleber Sacilotto de Souza <kleber.so...@canonical.com>

 arch/x86/kernel/setup.c             |   1 +
 drivers/firmware/efi/Makefile       |   1 +
 drivers/firmware/efi/arm-init.c     |   1 +
 drivers/firmware/efi/efi.c          |   9 +
 drivers/firmware/efi/mokvar-table.c | 360 ++++++++++++++++++++++++++++++++++++
 include/linux/efi.h                 |  34 ++++
 6 files changed, 406 insertions(+)
 create mode 100644 drivers/firmware/efi/mokvar-table.c

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1956575

Title:
  [Regression] Focal kernel 5.4.0-92.103 fails to boot when Secure
  Encrypted Virtualization(SEV) is enabled

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Xenial:
  Invalid
Status in linux source package in Bionic:
  Confirmed
Status in linux source package in Focal:
  Fix Committed
Status in linux source package in Hirsute:
  Invalid

Bug description:
  [Impact]

  The latest Focal kernel (linux-image-5.4.0-92-generic) fails to boot
  when SEV is enabled.

  The kernel panics with the following backtrace:

  [    1.531125] ledtrig-cpu: registered to indicate activity on CPUs
  [    1.531760] EFI Variables Facility v0.08 2004-May-17
  [    1.532575] general protection fault: 0000 [#1] SMP NOPTI
  [    1.533116] CPU: 11 PID: 1 Comm: swapper/0 Not tainted 5.4.157-debug6 #15
  [    1.533788] Hardware name: Scaleway SCW-ENT1-L, BIOS 0.0.0 02/06/2015
  [    1.534429] RIP: 0010:efi_mokvar_sysfs_init+0x9d/0x184
  [    1.534949] Code: 00 48 85 c0 0f 85 b3 00 00 00 48 c7 c7 b0 db e2 a1 41 bd f4 ff ff ff e8 98 90 16 ff e9 e6 00 00 00 48 85 d2 0f 85 a5 00 00 00 <80> 3b 00 0f 84 b5 00 00 00 48 85 db 0f 84 ac 00 00 00 48 8b 3d 85
  [    1.535120] RSP: 0018:ffffb96e4001bdf8 EFLAGS: 00010202
  [    1.535120] RAX: b6262a23e510e179 RBX: b625e392251db281 RCX: 0000000000000000
  [    1.535120] RDX: ffffb96e400cd000 RSI: ffff978437e5dc38 RDI: ffffffffa2121860
  [    1.535120] RBP: ffffb96e4001be10 R08: 0000000000000000 R09: 0000000000000228
  [    1.538947] R10: 0000000000000001 R11: 0000000000000000 R12: ffff978437e555a0
  [    1.538947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
  [    1.538947] FS:  0000000000000000(0000) GS:ffff97843f6c0000(0000) knlGS:0000000000000000
  [    1.538947] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [    1.538947] CR2: 00000000ffffffff CR3: 00080011a060a001 CR4: 0000000000360ee0
  [    1.538947] Call Trace:
  [    1.538947]  ? efi_rci2_sysfs_init+0x29a/0x29a
  [    1.538947]  do_one_initcall+0x4a/0x200
  [    1.538947]  kernel_init_freeable+0x1c0/0x263
  [    1.538947]  ? rest_init+0xb0/0xb0
  [    1.538947]  kernel_init+0xe/0x110
  [    1.538947]  ret_from_fork+0x22/0x40
  [    1.538947] Modules linked in:
  [    1.545871] ---[ end trace 815dc8177e65da02 ]---
  [    1.546328] RIP: 0010:efi_mokvar_sysfs_init+0x9d/0x184
  [    1.546872] Code: 00 48 85 c0 0f 85 b3 00 00 00 48 c7 c7 b0 db e2 a1 41 bd f4 ff ff ff e8 98 90 16 ff e9 e6 00 00 00 48 85 d2 0f 85 a5 00 00 00 <80> 3b 00 0f 84 b5 00 00 00 48 85 db 0f 84 ac 00 00 00 48 8b 3d 85
  [    1.548703] RSP: 0018:ffffb96e4001bdf8 EFLAGS: 00010202
  [    1.549218] RAX: b6262a23e510e179 RBX: b625e392251db281 RCX: 0000000000000000
  [    1.549916] RDX: ffffb96e400cd000 RSI: ffff978437e5dc38 RDI: ffffffffa2121860
  [    1.550617] RBP: ffffb96e4001be10 R08: 0000000000000000 R09: 0000000000000228
  [    1.551337] R10: 0000000000000001 R11: 0000000000000000 R12: ffff978437e555a0
  [    1.552036] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
  [    1.552737] FS:  0000000000000000(0000) GS:ffff97843f6c0000(0000) knlGS:0000000000000000
  [    1.553529] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [    1.554093] CR2: 00000000ffffffff CR3: 00080011a060a001 CR4: 0000000000360ee0
  [    1.554818] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
  [    1.555335] Kernel Offset: 0x1fa00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
  [    1.555335] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---

  The previous kernel (linux-image-5.4.0-91-generic) boots correctly
  with SEV.

  Bisection of the kernels b/w 5.4.0-91 and 5.4.0-92 identified the
  following commit as the source of regression:

  # git bisect good
  7ca05228f713c24eb55574b36e32d9b54c5a1b76 is the first bad commit
  commit 7ca05228f713c24eb55574b36e32d9b54c5a1b76
  Author: Lenny Szubowicz <lszub...@redhat.com>
  Date:   Fri Sep 4 21:31:05 2020 -0400

      efi: Support for MOK variable config table

      BugLink: https://bugs.launchpad.net/bugs/1928679

  ...

  Since the panic happens in the very early stages of boot, no trace of the
  panic is present in the log files, and apparently it is not possible to
  collect a kernel crash dump; the crashkernel has not been enabled yet.

  [Test case]

  The kernel needs to boot properly with SEV enabled.

  [Potential regression]

  The fix is very specific and restricted and should cause regressions,
  however it touches ioremap that is widely used.
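
Added triage example, not part of the original bug report: it takes the Code and register lines from the oops above, decodes the faulting instruction at the `<80>` marker and flags registers whose values are not canonical x86-64 addresses (dereferencing one raises a general protection fault rather than a page fault). It assumes 48-bit virtual addresses (4-level paging); the decoder handles only the `80 /op ib` form with a plain register base, and all function names are illustrative.

```python
import re

# Register and Code lines copied from the oops in this report (wraps rejoined).
OOPS = """\
[    1.534949] Code: 00 48 85 c0 0f 85 b3 00 00 00 48 c7 c7 b0 db e2 a1 41 bd f4 ff ff ff e8 98 90 16 ff e9 e6 00 00 00 48 85 d2 0f 85 a5 00 00 00 <80> 3b 00 0f 84 b5 00 00 00 48 85 db 0f 84 ac 00 00 00 48 8b 3d 85
[    1.535120] RSP: 0018:ffffb96e4001bdf8 EFLAGS: 00010202
[    1.535120] RAX: b6262a23e510e179 RBX: b625e392251db281 RCX: 0000000000000000
[    1.535120] RDX: ffffb96e400cd000 RSI: ffff978437e5dc38 RDI: ffffffffa2121860
[    1.535120] RBP: ffffb96e4001be10 R08: 0000000000000000 R09: 0000000000000228
[    1.538947] R10: 0000000000000001 R11: 0000000000000000 R12: ffff978437e555a0
"""

REG_RE = re.compile(r"\b(R[A-Z0-9]{2}):\s+(?:[0-9a-f]{4}:)?([0-9a-f]{16})\b")
GRP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]
BASE = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"]

def is_canonical(value, va_bits=48):
    """True if bits 63..va_bits-1 are all equal (assumes 4-level paging)."""
    top = value >> (va_bits - 1)
    return top in (0, (1 << (65 - va_bits)) - 1)

def faulting_bytes(oops):
    """Bytes from the <xx> marker (the byte at RIP) to the end of the Code line."""
    line = next(l for l in oops.splitlines() if "Code:" in l)
    tokens = line.split("Code:", 1)[1].split()
    start = next(i for i, t in enumerate(tokens) if t.startswith("<"))
    return bytes(int(t.strip("<>"), 16) for t in tokens[start:])

def decode_grp1_mem8(insn):
    """Decode only `80 /op ib` with a plain [reg] operand; None otherwise."""
    if len(insn) < 3 or insn[0] != 0x80:
        return None
    mod, op, rm = insn[1] >> 6, (insn[1] >> 3) & 7, insn[1] & 7
    if mod != 0 or rm in (4, 5):  # SIB and RIP-relative forms not handled
        return None
    return GRP1[op], BASE[rm], insn[2]

def triage(oops):
    """Tie the faulting instruction's base register to the register dump."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(oops)}
    insn = decode_grp1_mem8(faulting_bytes(oops))
    bad = sorted(n for n, v in regs.items() if not is_canonical(v))
    return {"insn": insn, "non_canonical": bad,
            "fault_on_bad_pointer": bool(insn) and insn[1] in bad}

if __name__ == "__main__":
    print(triage(OOPS))
```

On this trace the faulting instruction is a byte compare against zero through RBX, and RBX holds a non-canonical value.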
