** Description changed:
In the Ubuntu 22.04 generic kernel (e.g. 5.15.0-23), the efivars file
system is mounted and visible in the output of the mount command; however,
in the Ubuntu 22.04 real-time kernel (e.g. 5.15.0-1005-realtime or
5.15.0-1007-realtime), the efivars file system is missing. The Intel SGX
feature relies on the efivars file system to function; could you please
investigate this issue? Thanks.
+
+ ---
+
+ In Ubuntu, multiple things rely on reliable read-only access to efivars
+ and on the ability to manipulate them too (read-write). Thus imho we
+ should revert the v5.15 patch that turns efivars off by default; and in
+ later series update the annotation to keep it on, even under realtime.
+
+ Things sort of work on boot, as the shim fallback app (fb*.efi) parses,
+ loads and sets the initial boot variables. However, subsequent updates to
+ our bootloaders (shim, grub, nullboot, snapd) do not know if they are set,
+ if they are correct, or if they can be used. Functionality that is
+ missing on such systems is thus the inability to install fw updates
+ with fwupd, the inability to boot into firmware setup (systemctl reboot
+ --firmware-setup), and the inability to predict measurements in order to
+ predict sealing policies for new updates in the case of TPM-based sealed
+ secrets (e.g. UC-based FDE, systemd-based secrets, SGX, etc.).
+
+ I will use this bug report to address this by default. Users that are
+ concerned about userspace/OS accessing and using efivars during
+ maintenance operations (package upgrades) or otherwise during runtime
+ (arbitrary calls to bootctl, for example) should consider getting
+ hardware that has a realtime-aware EFI implementation, or modify their
+ classic or core systems to disable EFI runtime services by opting out of
+ efivars.
** Also affects: linux (Ubuntu)
Importance: Undecided
Status: New
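The following is an added example and is not part of the bug report or of any Ubuntu package. It spells out the checks that bootloader and firmware-update tooling implicitly depend on before touching EFI variables: that the machine booted via EFI, that efivarfs is mounted at /sys/firmware/efi/efivars (the mount that is absent on the realtime kernel described above), and how to read one variable file, whose layout on efivarfs is a 4-byte little-endian attribute word followed by the payload. The efivarfs path, the variable file layout and the attribute bit values (NON_VOLATILE=1, BOOTSERVICE_ACCESS=2, RUNTIME_ACCESS=4) come from the kernel ABI and the UEFI specification; the mount listing and the SecureBoot variable bytes used for testing are constructed input, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): probe whether this kernel exposes
# EFI runtime variables the way fwupd, bootctl and the shim/grub postinst
# scripts expect, and decode one efivarfs variable file.
# Assumptions: efivarfs lives at /sys/firmware/efi/efivars, each variable file
# is a 4-byte little-endian attribute word followed by the data, and the host
# is little-endian (od -tu4 is interpreted in host byte order).

EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"

# efivarfs_mounted MOUNTS_FILE
#   Exit 0 if a /proc/self/mounts-style listing shows an efivarfs mount at
#   $EFIVARS_DIR. Pass /proc/self/mounts for the live system.
efivarfs_mounted() {
    awk -v dir="$EFIVARS_DIR" \
        '$2 == dir && $3 == "efivarfs" { found = 1 } END { exit !found }' "$1"
}

# efivar_attrs FILE
#   Print the 32-bit attribute word at the start of an efivarfs file, decimal.
efivar_attrs() {
    od -An -tu4 -N4 "$1" | tr -d ' '
}

# efivar_data_hex FILE
#   Print the variable payload (everything after the 4-byte header) as hex.
efivar_data_hex() {
    od -An -tx1 -j4 -v "$1" | tr -d ' \n'
}

# efivar_describe_attrs N
#   Name the UEFI attribute bits set in N (only the three that efivarfs
#   exposes for ordinary variables are decoded here).
efivar_describe_attrs() {
    n=$1; out=""
    [ $((n & 1)) -ne 0 ] && out="$out NON_VOLATILE"
    [ $((n & 2)) -ne 0 ] && out="$out BOOTSERVICE_ACCESS"
    [ $((n & 4)) -ne 0 ] && out="$out RUNTIME_ACCESS"
    printf '%s\n' "${out# }"
}

# probe_live
#   What a bootloader package upgrade would want to know before it tries to
#   inspect or rewrite Boot#### entries. Exit codes:
#     0  efivars usable (prints SecureBoot/BootCurrent if present)
#     1  not an EFI boot at all (or EFI support compiled out)
#     2  EFI boot, but no efivarfs mount: runtime services disabled or the
#        filesystem simply not mounted (the symptom reported in this bug)
probe_live() {
    if [ ! -d /sys/firmware/efi ]; then
        echo "not booted via EFI (or kernel EFI support unavailable)"
        return 1
    fi
    if ! efivarfs_mounted /proc/self/mounts; then
        echo "efivarfs not mounted at $EFIVARS_DIR; EFI variables are not reachable"
        return 2
    fi
    # 8be4df61-93ca-11d2-aa0d-00e098032b8c is the EFI_GLOBAL_VARIABLE GUID.
    for f in "$EFIVARS_DIR"/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c \
             "$EFIVARS_DIR"/BootCurrent-8be4df61-93ca-11d2-aa0d-00e098032b8c; do
        [ -e "$f" ] || continue
        attrs=$(efivar_attrs "$f")
        printf '%s attrs=%s (%s) data=%s\n' "$(basename "$f")" "$attrs" \
            "$(efivar_describe_attrs "$attrs")" "$(efivar_data_hex "$f")"
    done
    return 0
}
```

Source the file and run `probe_live` on the affected machine; exit status 2 is the realtime-kernel case from this report. Distinguish its two causes before filing anything: if `mount -t efivarfs efivarfs /sys/firmware/efi/efivars` succeeds, the filesystem was merely not mounted, whereas when the kernel has EFI runtime services disabled (the efi=noruntime command-line switch, or a kernel built to disable them by default) there is nothing for efivarfs to back and the mount will not succeed. A SecureBoot variable normally carries attributes 6 (BOOTSERVICE_ACCESS|RUNTIME_ACCESS) and a one-byte payload, 01 meaning enabled; anything writable by the OS at runtime must have RUNTIME_ACCESS set, which is exactly the capability the realtime kernel withholds.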
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1970077
Title:
efivars file system missing in Ubuntu 22.04 real-time kernel
Status in ubuntu-realtime:
Triaged
Status in linux package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-realtime/+bug/1970077/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp