[Kernel-packages] [Bug 2038777] Re: UBSAN: array-index-out-of-bounds (drivers/net/hyperv/netvsc.c)
Github Actions enabled KVM for all open source repositories for free in January:

https://github.blog/2024-01-17-github-hosted-runners-double-the-power-for-open-source/

We started using it in systemd, and we hit this bug:

https://paste.centos.org/view/411107c8

This will start quickly affecting everybody who tries to use KVM in their CI jobs on Github. Could you please arrange for this fix to be backported to the azure kernel for jammy?

** Also affects: linux (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: linux-meta-azure-6.5 (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Changed in: linux-meta-azure-6.5 (Ubuntu Jammy)
       Status: New => Confirmed

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-meta-azure-6.5 in Ubuntu.
https://bugs.launchpad.net/bugs/2038777

Title:
  UBSAN: array-index-out-of-bounds (drivers/net/hyperv/netvsc.c)

Status in linux package in Ubuntu:
  Expired
Status in linux-meta-azure-6.5 package in Ubuntu:
  Confirmed
Status in linux source package in Jammy:
  New
Status in linux-meta-azure-6.5 source package in Jammy:
  Confirmed

Bug description:
  Hyper-V VM network problems

  [ 19.259297]
  [ 19.259536] UBSAN: array-index-out-of-bounds in /build/linux-7dWMY3/linux-6.5.0/drivers/net/hyperv/netvsc.c:1445:41
  [ 19.259715] index 1 is out of range for type 'vmtransfer_page_range [1]'
  [ 19.259896] CPU: 1 PID: 1306 Comm: (udev-worker) Not tainted 6.5.0-7-generic #7-Ubuntu
  [ 19.259898] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 04/06/2022
  [ 19.259899] Call Trace:
  [ 19.259901]
  [ 19.259902] dump_stack_lvl+0x48/0x70
  [ 19.259908] dump_stack+0x10/0x20
  [ 19.259909] __ubsan_handle_out_of_bounds+0xc6/0x110
  [ 19.259912] netvsc_receive+0x437/0x490 [hv_netvsc]
  [ 19.259917] netvsc_poll+0x176/0x4b0 [hv_netvsc]
  [ 19.259921] __napi_poll+0x30/0x1f0
  [ 19.259924] net_rx_action+0x181/0x2e0
  [ 19.259925] __do_softirq+0xd6/0x346
  [ 19.259927] ? _raw_spin_unlock+0xe/0x40
  [ 19.259929] __irq_exit_rcu+0x75/0xa0
  [ 19.259932] irq_exit_rcu+0xe/0x20
  [ 19.259933] sysvec_hyperv_callback+0x92/0xd0
  [ 19.259935]
  [ 19.259935]
[Kernel-packages] [Bug 2050083] [NEW] generate and ship vmlinux.h to allow packages to build BPF CO-RE
Public bug reported:

A vmlinux.h header generated from a kernel build with bpftool is needed to build and ship BPF CO-RE programs. We are looking to ship these in the next version of systemd.

vmlinux.h being generated depends on the kernel version, architecture and kconfig. There are some vague promises of backward compatibility, but it is hard to gauge. We definitely do not want this file to be generated from the kernel running the build machine when building a package though, as very often these are very old and stable kernels building packages for the bleeding edge.

In Fedora and now Debian we generate vmlinux.h at kernel package build time, and ship it with the other kernel headers (_not_ UAPI, the internal headers):

https://salsa.debian.org/kernel-team/linux/-/commit/ac6f7eda4c3e8b0d0db20ad4bb8236371cf8d38e

Please consider doing the same in Ubuntu's linux-headers.

** Affects: linux (Ubuntu)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2050083

Title:
  generate and ship vmlinux.h to allow packages to build BPF CO-RE

Status in linux package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2050083/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2045561] Re: linux: please move dmi-sysfs.ko (CONFIG_DMI_SYSFS for SMBIOS support) from linux-modules-extra to linux-modules
Gentle ping. Would love to see this fix in time for Noble's release. Thanks! ** Description changed: SRU Justification [Impact] The dmi-sysfs.ko module (CONFIG_DMI_SYSFS) is currently shipped in linux-modules-extra. This makes it hard to pull in via the linux-virtual package, it can only come from the linux-generic one that also pulls in the firmware and everything else needed for baremetal, and that serves no purpose in a qemu VM. This stops VMs using these kernels from being configurable using qemu or cloud-hypervisor's SMBIOS type 11 strings. This feature is supported and used widely by systemd: https://www.freedesktop.org/software/systemd/man/latest/smbios-type-11.html https://systemd.io/CREDENTIALS/ A user launching a VM using the linux-kvm kernel image is not able to specify SMBIOS strings to automatically configured userspace services and programs due to the lack of this kconfig. We make extensive use of these in systemd's upstream CI, which is running on Github Actions, which uses Jammy, so it would be great to have this backported. For example: qemu-system-x86_64 \ -machine type=q35,accel=kvm,smm=on \ -smp 2 \ -m 1G \ -cpu host \ -nographic \ -nodefaults \ -serial mon:stdio \ -drive if=none,id=hd,file=ubuntu_jammy.raw,format=raw \ -device virtio-scsi-pci,id=scsi \ -device scsi-hd,drive=hd,bootindex=1 \ -smbios type=11,value=io.systemd.credential:mycred=supersecret [Fix] Please consider moving this module to linux-modules. These are already enabled in the 'main' kernel config, and in other distros. In Debian/Archlinux/Fedora it is a built-in, and on SUSE it is a module installed by default. 
To verify this works, it is sufficient to check that the /sys/firmware/dmi/entries/ directory in sysfs is present: $ ls /sys/firmware/dmi/entries/ 0-0126-1 126-4 126-8 130-0 133-0 136-0 140-2 15-0 18-0 21-1 221-1 24-0 7-1 8-2 8-6 1-0126-10 126-5 126-9 131-0 134-0 14-0 140-3 16-0 19-0 219-0 221-2 3-0 7-2 8-3 9-0 12-0 126-2 126-6 127-0 131-1 135-0 140-0 140-4 17-0 2-0 22-0 221-3 4-0 8-0 8-4 9-1 126-0 126-3 126-7 13-0 132-0 135-1 140-1 14-1 17-1 21-0 221-0 222-0 7-0 8-1 8-5 Without this module installed and loaded, the directory won't be there. Once enabled, it will be there. [Regression Potential] Moving a module from a less-common to a more-common package should not - have any negative side effects. + have any negative side effects. The main effect will be a little more + disk space used by the more common package, whether the module is in use + or not. There will also be more functionality available in the default + installation, which means a slightly increased surface and possibility + of new bugs in case it gets used. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2045561 Title: linux: please move dmi-sysfs.ko (CONFIG_DMI_SYSFS for SMBIOS support) from linux-modules-extra to linux-modules Status in linux package in Ubuntu: New Status in linux source package in Jammy: New Status in linux source package in Lunar: New Status in linux source package in Mantic: New Status in linux source package in Noble: New Bug description: SRU Justification [Impact] The dmi-sysfs.ko module (CONFIG_DMI_SYSFS) is currently shipped in linux-modules-extra. This makes it hard to pull in via the linux- virtual package, it can only come from the linux-generic one that also pulls in the firmware and everything else needed for baremetal, and that serves no purpose in a qemu VM. 
This stops VMs using these kernels from being configurable using qemu or cloud-hypervisor's SMBIOS type 11 strings. This feature is supported and used widely by systemd: https://www.freedesktop.org/software/systemd/man/latest/smbios-type-11.html https://systemd.io/CREDENTIALS/ A user launching a VM using the linux-kvm kernel image is not able to specify SMBIOS strings to automatically configured userspace services and programs due to the lack of this kconfig. We make extensive use of these in systemd's upstream CI, which is running on Github Actions, which uses Jammy, so it would be great to have this backported. For example: qemu-system-x86_64 \ -machine type=q35,accel=kvm,smm=on \ -smp 2 \ -m 1G \ -cpu host \ -nographic \ -nodefaults \ -serial mon:stdio \ -drive if=none,id=hd,file=ubuntu_jammy.raw,format=raw \ -device virtio-scsi-pci,id=scsi \ -device scsi-hd,drive=hd,bootindex=1 \ -smbios type=11,value=io.systemd.credential:mycred=supersecret [Fix] Please consider moving this
[Kernel-packages] [Bug 2045561] Re: linux: please move dmi-sysfs.ko (CONFIG_DMI_SYSFS for SMBIOS support) from linux-modules-extra to linux-modules
** Description changed: SRU Justification [Impact] - The kvm flavours currently do not enable CONFIG_DMI_SYSFS. This stops - VMs using these kernels from being configurable using qemu or cloud- - hypervisor's SMBIOS type 11 strings. This feature is supported and used - widely by systemd: + The dmi-sysfs.ko module (CONFIG_DMI_SYSFS) is currently shipped in + linux-modules-extra. This makes it hard to pull in via the linux-virtual + package, it can only come from the linux-generic one that also pulls in + the firmware and everything else needed for baremetal, and that serves + no purpose in a qemu VM. This stops VMs using these kernels from being + configurable using qemu or cloud-hypervisor's SMBIOS type 11 strings. + This feature is supported and used widely by systemd: https://www.freedesktop.org/software/systemd/man/latest/smbios-type-11.html https://systemd.io/CREDENTIALS/ A user launching a VM using the linux-kvm kernel image is not able to specify SMBIOS strings to automatically configured userspace services and programs due to the lack of this kconfig. We make extensive use of these in systemd's upstream CI, which is running on Github Actions, - which uses Jammy, so it would be great to have this kconfig enabled and - backported. + which uses Jammy, so it would be great to have this backported. 
For example: qemu-system-x86_64 \ - -machine type=q35,accel=kvm,smm=on \ - -smp 2 \ - -m 1G \ - -cpu host \ - -nographic \ - -nodefaults \ - -serial mon:stdio \ - -drive if=none,id=hd,file=ubuntu_jammy.raw,format=raw \ - -device virtio-scsi-pci,id=scsi \ - -device scsi-hd,drive=hd,bootindex=1 \ - -smbios type=11,value=io.systemd.credential:mycred=supersecret + -machine type=q35,accel=kvm,smm=on \ + -smp 2 \ + -m 1G \ + -cpu host \ + -nographic \ + -nodefaults \ + -serial mon:stdio \ + -drive if=none,id=hd,file=ubuntu_jammy.raw,format=raw \ + -device virtio-scsi-pci,id=scsi \ + -device scsi-hd,drive=hd,bootindex=1 \ + -smbios type=11,value=io.systemd.credential:mycred=supersecret [Fix] - Please consider enabling the following kconfigs: - - CONFIG_DMI_SYSFS + Please consider moving this module to linux-modules. These are already enabled in the 'main' kernel config, and in other - distros. + distros. In Debian/Archlinux/Fedora it is a built-in, and on SUSE it is + a module installed by default. To verify this works, it is sufficient to check that the /sys/firmware/dmi/entries/ directory in sysfs is present: $ ls /sys/firmware/dmi/entries/ 0-0126-1 126-4 126-8 130-0 133-0 136-0 140-2 15-0 18-0 21-1 221-1 24-0 7-1 8-2 8-6 1-0126-10 126-5 126-9 131-0 134-0 14-0 140-3 16-0 19-0 219-0 221-2 3-0 7-2 8-3 9-0 12-0 126-2 126-6 127-0 131-1 135-0 140-0 140-4 17-0 2-0 22-0 221-3 4-0 8-0 8-4 9-1 126-0 126-3 126-7 13-0 132-0 135-1 140-1 14-1 17-1 21-0 221-0 222-0 7-0 8-1 8-5 - Without this kconfig, the directory won't be there. Once enabled, it - will be there. + Without this module installed and loaded, the directory won't be there. + Once enabled, it will be there. [Regression Potential] - Enabling a new DMI option could affect the DMI subsystem in unforeseen - ways. + Moving a module from a less-common to a more-common package should not + have any negative side effects. 
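Review bot: the replacement [Regression Potential] text at the end of this description change asserts that the move "should not have any negative side effects" without naming a single effect. Since dmi-sysfs.ko would then ship in linux-modules on every installation, the section should list the concrete consequences: more disk space used by the common package, and one more driver available by default that exposes /sys/firmware/dmi/entries/ once loaded. Separately, the qemu-system-x86_64 example lines are removed and re-added with identical text, so that part of the edit looks like whitespace-only churn and could be dropped.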
[Kernel-packages] [Bug 2045561] Re: linux: please move dmi-sysfs.ko (CONFIG_DMI_SYSFS for SMBIOS support) from linux-modules-extra to linux-modules
Given this module doesn't really depend on firmware or anything, it would be a good candidate to be in linux-modules instead of linux-modules-extra. That way it will be pulled in without having to use the virtual package that depends on the firmware too.

On Debian, Fedora and Archlinux it is a built-in. On OpenSUSE, it is a module installed by default.

** Summary changed: - linux-kvm: please enable CONFIG_DMI_SYSFS for SMBIOS support + linux: please move dmi-sysfs.ko (CONFIG_DMI_SYSFS for SMBIOS support) from linux-modules-extra to linux-modules

** Also affects: linux (Ubuntu)
   Importance: Undecided
       Status: New

** No longer affects: linux-kvm (Ubuntu)

** No longer affects: linux-kvm (Ubuntu Jammy)

** Also affects: linux (Ubuntu Mantic)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Lunar)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Noble)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2045561

Title:
  linux: please move dmi-sysfs.ko (CONFIG_DMI_SYSFS for SMBIOS support) from linux-modules-extra to linux-modules

Status in linux package in Ubuntu:
  New
Status in linux source package in Jammy:
  New
Status in linux source package in Lunar:
  New
Status in linux source package in Mantic:
  New
Status in linux source package in Noble:
  New

Bug description:
  SRU Justification

  [Impact]

  The dmi-sysfs.ko module (CONFIG_DMI_SYSFS) is currently shipped in linux-modules-extra. This makes it hard to pull in via the linux-virtual package, it can only come from the linux-generic one that also pulls in the firmware and everything else needed for baremetal, and that serves no purpose in a qemu VM. This stops VMs using these kernels from being configurable using qemu or cloud-hypervisor's SMBIOS type 11 strings. This feature is supported and used widely by systemd:

  https://www.freedesktop.org/software/systemd/man/latest/smbios-type-11.html
  https://systemd.io/CREDENTIALS/

  A user launching a VM using the linux-kvm kernel image is not able to specify SMBIOS strings to automatically configured userspace services and programs due to the lack of this kconfig. We make extensive use of these in systemd's upstream CI, which is running on Github Actions, which uses Jammy, so it would be great to have this backported.

  For example:

  qemu-system-x86_64 \
    -machine type=q35,accel=kvm,smm=on \
    -smp 2 \
    -m 1G \
    -cpu host \
    -nographic \
    -nodefaults \
    -serial mon:stdio \
    -drive if=none,id=hd,file=ubuntu_jammy.raw,format=raw \
    -device virtio-scsi-pci,id=scsi \
    -device scsi-hd,drive=hd,bootindex=1 \
    -smbios type=11,value=io.systemd.credential:mycred=supersecret

  [Fix]

  Please consider moving this module to linux-modules.

  These are already enabled in the 'main' kernel config, and in other distros. In Debian/Archlinux/Fedora it is a built-in, and on SUSE it is a module installed by default.

  To verify this works, it is sufficient to check that the /sys/firmware/dmi/entries/ directory in sysfs is present:

  $ ls /sys/firmware/dmi/entries/
  0-0    126-1   126-4  126-8  130-0  133-0  136-0  140-2  15-0  18-0  21-1   221-1  24-0  7-1  8-2  8-6
  1-0    126-10  126-5  126-9  131-0  134-0  14-0   140-3  16-0  19-0  219-0  221-2  3-0   7-2  8-3  9-0
  12-0   126-2   126-6  127-0  131-1  135-0  140-0  140-4  17-0  2-0   22-0   221-3  4-0   8-0  8-4  9-1
  126-0  126-3   126-7  13-0   132-0  135-1  140-1  14-1   17-1  21-0  221-0  222-0  7-0   8-1  8-5

  Without this module installed and loaded, the directory won't be there. Once enabled, it will be there.

  [Regression Potential]

  Moving a module from a less-common to a more-common package should not have any negative side effects.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2045561/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
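Added example (not part of the bug report and not systemd's own code): the verification step in the description above only checks that /sys/firmware/dmi/entries/ exists, so this sketch goes one step further and parses the raw file of each type 11 entry to confirm that an io.systemd.credential string actually reached the guest. The function names and the sample bytes are constructed for illustration; the structure layout (type, length, handle, count, then NUL-terminated strings) follows the SMBIOS OEM Strings definition.

```python
# Added example: parse SMBIOS type 11 (OEM Strings) entries exposed by dmi-sysfs.
# Function names and SAMPLE_RAW are constructed for illustration.
import base64
import glob
import os

DMI_ENTRIES = "/sys/firmware/dmi/entries"
CRED_PREFIX = "io.systemd.credential:"
CRED_BIN_PREFIX = "io.systemd.credential.binary:"

# Constructed sample: header (type 11, length 5, handle 0x0B00, count 2),
# two strings, and the extra NUL that closes the string-set.
SAMPLE_RAW = (
    bytes([11, 5, 0x00, 0x0B, 2])
    + b"io.systemd.credential:mycred=supersecret\x00"
    + b"io.systemd.credential.binary:blob=AAE=\x00"
    + b"\x00"
)


def parse_type11(raw):
    """Return the strings of one SMBIOS type 11 structure (header + string-set)."""
    if len(raw) < 5:
        raise ValueError("entry shorter than a type 11 header")
    stype, length, count = raw[0], raw[1], raw[4]
    if stype != 11:
        raise ValueError(f"not a type 11 entry (type {stype})")
    if length < 5 or length > len(raw):
        raise ValueError("header length field is out of range")
    strings, pos = [], length
    while len(strings) < count:
        end = raw.find(b"\x00", pos)
        if end == -1:
            raise ValueError("unterminated string in string-set")
        if end == pos:
            raise ValueError("string-set ended before the declared count")
        strings.append(raw[pos:end].decode("utf-8", errors="replace"))
        pos = end + 1
    return strings


def extract_credentials(strings):
    """Map credential name -> bytes for io.systemd.credential[.binary] strings."""
    creds = {}
    for s in strings:
        if s.startswith(CRED_BIN_PREFIX):
            name, sep, value = s[len(CRED_BIN_PREFIX):].partition("=")
            data = base64.b64decode(value, validate=True) if sep else None
        elif s.startswith(CRED_PREFIX):
            name, sep, value = s[len(CRED_PREFIX):].partition("=")
            data = value.encode() if sep else None
        else:
            continue  # some other OEM string, not a credential
        if not sep or not name:
            raise ValueError(f"malformed credential string: {s!r}")
        creds[name] = data
    return creds


def read_guest_credentials(entries_dir=DMI_ENTRIES):
    """Collect credentials from every 11-*/raw file under entries_dir."""
    if not os.path.isdir(entries_dir):
        # This is the failure the bug describes: dmi-sysfs.ko is not available.
        raise FileNotFoundError(
            f"{entries_dir} is missing: dmi-sysfs is not installed or not loaded"
        )
    creds = {}
    for path in sorted(glob.glob(os.path.join(entries_dir, "11-*", "raw"))):
        with open(path, "rb") as fh:  # usually readable by root only
            creds.update(extract_credentials(parse_type11(fh.read())))
    return creds


if __name__ == "__main__":
    # Print credential names only, never the values.
    print(sorted(read_guest_credentials()))
```

Run inside the guest, an empty result with the directory present means the module is loaded but no type 11 credential string was passed by the hypervisor.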
[Kernel-packages] [Bug 2045561] Re: linux-kvm: please enable CONFIG_DMI_SYSFS for SMBIOS support
So it's a module:

CONFIG_DMI_SYSFS=m

and it's part of the modules-extra package. That means there's no way, without knowing the exact kernel version in advance, to pull that package in using linux-virtual. You'd have to use linux-generic, but that also pulls in all the firmware stuff.

Can a solution be implemented to make this easier? Other distros have it as built-in. It could also be moved to the core package. Or linux-virtual could depend on the appropriate modules-extra package.

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/2045561

Title:
  linux-kvm: please enable CONFIG_DMI_SYSFS for SMBIOS support

Status in linux-kvm package in Ubuntu:
  Fix Released
Status in linux-kvm source package in Jammy:
  Won't Fix

Bug description:
  SRU Justification

  [Impact]

  The kvm flavours currently do not enable CONFIG_DMI_SYSFS. This stops VMs using these kernels from being configurable using qemu or cloud-hypervisor's SMBIOS type 11 strings. This feature is supported and used widely by systemd:

  https://www.freedesktop.org/software/systemd/man/latest/smbios-type-11.html
  https://systemd.io/CREDENTIALS/

  A user launching a VM using the linux-kvm kernel image is not able to specify SMBIOS strings to automatically configured userspace services and programs due to the lack of this kconfig. We make extensive use of these in systemd's upstream CI, which is running on Github Actions, which uses Jammy, so it would be great to have this kconfig enabled and backported.

  For example:

  qemu-system-x86_64 \
    -machine type=q35,accel=kvm,smm=on \
    -smp 2 \
    -m 1G \
    -cpu host \
    -nographic \
    -nodefaults \
    -serial mon:stdio \
    -drive if=none,id=hd,file=ubuntu_jammy.raw,format=raw \
    -device virtio-scsi-pci,id=scsi \
    -device scsi-hd,drive=hd,bootindex=1 \
    -smbios type=11,value=io.systemd.credential:mycred=supersecret

  [Fix]

  Please consider enabling the following kconfigs:

  CONFIG_DMI_SYSFS

  These are already enabled in the 'main' kernel config, and in other distros.

  To verify this works, it is sufficient to check that the /sys/firmware/dmi/entries/ directory in sysfs is present:

  $ ls /sys/firmware/dmi/entries/
  0-0    126-1   126-4  126-8  130-0  133-0  136-0  140-2  15-0  18-0  21-1   221-1  24-0  7-1  8-2  8-6
  1-0    126-10  126-5  126-9  131-0  134-0  14-0   140-3  16-0  19-0  219-0  221-2  3-0   7-2  8-3  9-0
  12-0   126-2   126-6  127-0  131-1  135-0  140-0  140-4  17-0  2-0   22-0   221-3  4-0   8-0  8-4  9-1
  126-0  126-3   126-7  13-0   132-0  135-1  140-1  14-1   17-1  21-0  221-0  222-0  7-0   8-1  8-5

  Without this kconfig, the directory won't be there. Once enabled, it will be there.

  [Regression Potential]

  Enabling a new DMI option could affect the DMI subsystem in unforeseen ways.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-kvm/+bug/2045561/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 2045561] Re: linux-kvm: please enable CONFIG_DMI_SYSFS for SMBIOS support
Got it, thank you

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/2045561

Title:
  linux-kvm: please enable CONFIG_DMI_SYSFS for SMBIOS support

Status in linux-kvm package in Ubuntu:
  Fix Released
Status in linux-kvm source package in Jammy:
  Won't Fix
[Kernel-packages] [Bug 2045561] Re: linux-kvm: please enable CONFIG_DMI_SYSFS for SMBIOS support
Thanks - what about Jammy?

** Changed in: linux-kvm (Ubuntu Mantic)
       Status: New => Won't Fix

** Changed in: linux-kvm (Ubuntu Noble)
       Status: New => Won't Fix

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/2045561

Title:
  linux-kvm: please enable CONFIG_DMI_SYSFS for SMBIOS support

Status in linux-kvm package in Ubuntu:
  New
Status in linux-kvm source package in Jammy:
  New
Status in linux-kvm source package in Mantic:
  Won't Fix
Status in linux-kvm source package in Noble:
  Won't Fix
[Kernel-packages] [Bug 2045561] Re: linux-kvm: please enable CONFIG_DMI_SYSFS for SMBIOS support
** Description changed: SRU Justification [Impact] The kvm flavours currently do not enable CONFIG_DMI_SYSFS. This stops VMs using these kernels from being configurable using qemu or cloud- hypervisor's SMBIOS type 11 strings. This feature is supported and used widely by systemd: https://www.freedesktop.org/software/systemd/man/latest/smbios-type-11.html https://systemd.io/CREDENTIALS/ A user launching a VM using the linux-kvm kernel image is not able to specify SMBIOS strings to automatically configured userspace services and programs due to the lack of this kconfig. We make extensive use of these in systemd's upstream CI, which is running on Github Actions, which uses Jammy, so it would be great to have this kconfig enabled and backported. + + For example: + + qemu-system-x86_64 \ + -machine type=q35,accel=kvm,smm=on \ + -smp 2 \ + -m 1G \ + -cpu host \ + -nographic \ + -nodefaults \ + -serial mon:stdio \ + -drive if=none,id=hd,file=ubuntu_jammy.raw,format=raw \ + -device virtio-scsi-pci,id=scsi \ + -device scsi-hd,drive=hd,bootindex=1 \ + -smbios type=11,value=io.systemd.credential:mycred=supersecret [Fix] Please consider enabling the following kconfigs: CONFIG_DMI_SYSFS These are already enabled in the 'main' kernel config, and in other distros. To verify this works, it is sufficient to check that the /sys/firmware/dmi/entries/ directory in sysfs is present: $ ls /sys/firmware/dmi/entries/ 0-0126-1 126-4 126-8 130-0 133-0 136-0 140-2 15-0 18-0 21-1 221-1 24-0 7-1 8-2 8-6 1-0126-10 126-5 126-9 131-0 134-0 14-0 140-3 16-0 19-0 219-0 221-2 3-0 7-2 8-3 9-0 12-0 126-2 126-6 127-0 131-1 135-0 140-0 140-4 17-0 2-0 22-0 221-3 4-0 8-0 8-4 9-1 126-0 126-3 126-7 13-0 132-0 135-1 140-1 14-1 17-1 21-0 221-0 222-0 7-0 8-1 8-5 Without this kconfig, the directory won't be there. Once enabled, it will be there. [Regression Potential] Enabling a new DMI option could affect the DMI subsystem in unforeseen ways. 
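Review bot: the added qemu example passes its string with -smbios type=11, but the sample listing in the unchanged [Fix] context contains no 11-* entry, so "the directory is present" does not show that the string from this command reached the guest. Consider replacing the listing with one taken from a VM started with this exact command, or adding a check for an 11-0 entry, so that the example and the verification step agree.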
--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/2045561

Title: linux-kvm: please enable CONFIG_DMI_SYSFS for SMBIOS support

Status in linux-kvm package in Ubuntu: New
Status in linux-kvm source package in Jammy: New
Status in linux-kvm source package in Mantic: New
Status in linux-kvm source package in Noble: New

Bug description:

SRU Justification

[Impact]
The kvm flavours currently do not enable CONFIG_DMI_SYSFS. This stops VMs using these kernels from being configurable using qemu or cloud-hypervisor's SMBIOS type 11 strings. This feature is supported and used widely by systemd:

https://www.freedesktop.org/software/systemd/man/latest/smbios-type-11.html
https://systemd.io/CREDENTIALS/

A user launching a VM using the linux-kvm kernel image is not able to specify SMBIOS strings to automatically configure userspace services and programs due to the lack of this kconfig. We make extensive use of these in systemd's upstream CI, which is running on Github Actions, which uses Jammy, so it would be great to have this kconfig enabled and backported.

For example:

qemu-system-x86_64 \
  -machine type=q35,accel=kvm,smm=on \
  -smp 2 \
  -m 1G \
  -cpu host \
  -nographic \
  -nodefaults \
  -serial mon:stdio \
  -drive if=none,id=hd,file=ubuntu_jammy.raw,format=raw \
  -device virtio-scsi-pci,id=scsi \
  -device scsi-hd,drive=hd,bootindex=1 \
  -smbios type=11,value=io.systemd.credential:mycred=supersecret

[Fix]
Please consider enabling the following kconfigs:

CONFIG_DMI_SYSFS

These are already enabled in the 'main' kernel config, and in other distros.

To verify this works, it is sufficient to check that the /sys/firmware/dmi/entries/ directory in sysfs is present:

$ ls /sys/firmware/dmi/entries/
0-0 126-1 126-4 126-8 130-0 133-0 136-0 140-2 15-0 18-0 21-1 221-1 24-0 7-1 8-2 8-6
1-0 126-10 126-5 126-9 131-0 134-0 14-0 140-3 16-0 19-0 219-0 221-2 3-0 7-2 8-3 9-0
12-0 126-2 126-6 127-0 131-1 135-0 140-0 140-4 17-0 2-0 22-0 221-3 4-0 8-0 8-4 9-1
126-0 126-3 126-7 13-0 132-0 135-1 140-1 14-1 17-1 21-0 221-0 222-0 7-0 8-1 8-5

Without this kconfig, the directory won't be there. Once enabled, it will be there.

[Regression Potential]
Enabling a new DMI option could affect the DMI subsystem in unforeseen ways.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-kvm/+bug/2045561/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
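What a guest can do with the entries that CONFIG_DMI_SYSFS exposes, shown as an added example that is not part of the bug report or of systemd's code: it parses an SMBIOS type 11 (OEM Strings) structure and pulls out `io.systemd.credential:` strings like the one in the qemu command above. The function names, the sample bytes and the `io.systemd.credential.binary:` case are assumptions of this example; it also assumes each `11-*/raw` file holds the 5-byte structure header followed by the NUL-terminated string set.

```python
from __future__ import annotations

import base64
import binascii
import struct
from pathlib import Path

DMI_ENTRIES = Path("/sys/firmware/dmi/entries")  # only exists with CONFIG_DMI_SYSFS
TEXT_PREFIX = "io.systemd.credential:"           # value used as-is
BINARY_PREFIX = "io.systemd.credential.binary:"  # value is Base64


def parse_type11(raw: bytes) -> list[str]:
    """Return the strings of one SMBIOS type 11 (OEM Strings) structure."""
    if len(raw) < 5:
        raise ValueError("structure shorter than the 5-byte type 11 header")
    # Header: type (u8), length (u8), handle (u16 LE), string count (u8).
    stype, length, _handle, count = struct.unpack_from("<BBHB", raw)
    if stype != 11:
        raise ValueError(f"not an OEM Strings structure (type {stype})")
    if length < 5 or length > len(raw):
        raise ValueError("header length field is inconsistent with the data")
    strings, pos = [], length
    for _ in range(count):
        end = raw.find(b"\x00", pos)
        if end <= pos:  # no terminator, or the set ended early
            raise ValueError("string set ends before the declared count")
        strings.append(raw[pos:end].decode("utf-8", errors="replace"))
        pos = end + 1
    return strings


def extract_credentials(strings: list[str]) -> dict[str, bytes]:
    """Map credential name -> value for the strings that carry credentials."""
    creds: dict[str, bytes] = {}
    for s in strings:
        if s.startswith(BINARY_PREFIX):
            name, sep, value = s[len(BINARY_PREFIX):].partition("=")
            try:
                data = base64.b64decode(value, validate=True)
            except binascii.Error:
                continue  # malformed Base64: skip rather than guess
        elif s.startswith(TEXT_PREFIX):
            name, sep, value = s[len(TEXT_PREFIX):].partition("=")
            data = value.encode()
        else:
            continue  # some other OEM string
        if sep and name:
            # First definition wins; a choice made for this example.
            creds.setdefault(name, data)
    return creds


def read_guest_credentials(entries: Path = DMI_ENTRIES) -> dict[str, bytes]:
    """Collect credentials from every type 11 entry under the sysfs directory."""
    if not entries.is_dir():
        raise FileNotFoundError(
            f"{entries} is missing: kernel built without CONFIG_DMI_SYSFS?"
        )
    creds: dict[str, bytes] = {}
    for raw_file in sorted(entries.glob("11-*/raw")):
        found = extract_credentials(parse_type11(raw_file.read_bytes()))
        for name, data in found.items():
            creds.setdefault(name, data)
    return creds


# Constructed sample: what a type 11 structure with two strings looks like.
SAMPLE_RAW = (
    bytes([11, 5]) + struct.pack("<H", 0x0E00) + bytes([2])
    + b"io.systemd.credential:mycred=supersecret\x00"
    + b"io.systemd.credential.binary:blob=aGVsbG8=\x00"
    + b"\x00"  # extra NUL closing the string set
)

if __name__ == "__main__":
    print(extract_credentials(parse_type11(SAMPLE_RAW)))
    try:
        print(sorted(read_guest_credentials()))
    except (FileNotFoundError, PermissionError) as exc:
        print(exc)
```

On a kernel without CONFIG_DMI_SYSFS, `read_guest_credentials()` fails at the directory check, which is the symptom this bug describes.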
[Kernel-packages] [Bug 2045561] [NEW] linux-kvm: please enable CONFIG_DMI_SYSFS for SMBIOS support
Public bug reported:

SRU Justification

[Impact]
The kvm flavours currently do not enable CONFIG_DMI_SYSFS. This stops VMs using these kernels from being configurable using qemu or cloud-hypervisor's SMBIOS type 11 strings. This feature is supported and used widely by systemd:

https://www.freedesktop.org/software/systemd/man/latest/smbios-type-11.html
https://systemd.io/CREDENTIALS/

A user launching a VM using the linux-kvm kernel image is not able to specify SMBIOS strings to automatically configure userspace services and programs due to the lack of this kconfig. We make extensive use of these in systemd's upstream CI, which is running on Github Actions, which uses Jammy, so it would be great to have this kconfig enabled and backported.

[Fix]
Please consider enabling the following kconfigs:

CONFIG_DMI_SYSFS

These are already enabled in the 'main' kernel config, and in other distros.

To verify this works, it is sufficient to check that the /sys/firmware/dmi/entries/ directory in sysfs is present:

$ ls /sys/firmware/dmi/entries/
0-0 126-1 126-4 126-8 130-0 133-0 136-0 140-2 15-0 18-0 21-1 221-1 24-0 7-1 8-2 8-6
1-0 126-10 126-5 126-9 131-0 134-0 14-0 140-3 16-0 19-0 219-0 221-2 3-0 7-2 8-3 9-0
12-0 126-2 126-6 127-0 131-1 135-0 140-0 140-4 17-0 2-0 22-0 221-3 4-0 8-0 8-4 9-1
126-0 126-3 126-7 13-0 132-0 135-1 140-1 14-1 17-1 21-0 221-0 222-0 7-0 8-1 8-5

Without this kconfig, the directory won't be there. Once enabled, it will be there.

[Regression Potential]
Enabling a new DMI option could affect the DMI subsystem in unforeseen ways.
** Affects: linux-kvm (Ubuntu) Importance: Undecided Status: New ** Affects: linux-kvm (Ubuntu Jammy) Importance: Undecided Status: New ** Affects: linux-kvm (Ubuntu Mantic) Importance: Undecided Status: New ** Affects: linux-kvm (Ubuntu Noble) Importance: Undecided Status: New ** Also affects: linux-kvm (Ubuntu Noble) Importance: Undecided Status: New ** Also affects: linux-kvm (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: linux-kvm (Ubuntu Mantic) Importance: Undecided Status: New -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-kvm in Ubuntu. https://bugs.launchpad.net/bugs/2045561 Title: linux-kvm: please enable CONFIG_DMI_SYSFS for SMBIOS support Status in linux-kvm package in Ubuntu: New Status in linux-kvm source package in Jammy: New Status in linux-kvm source package in Mantic: New Status in linux-kvm source package in Noble: New
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
** Tags removed: verification-needed-focal-linux-aws-5.15 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-kvm in Ubuntu. https://bugs.launchpad.net/bugs/2019040 Title: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images Status in linux package in Ubuntu: In Progress Status in linux-kvm package in Ubuntu: In Progress Status in linux-meta-azure package in Ubuntu: Invalid Status in linux-meta-kvm package in Ubuntu: Invalid Status in linux source package in Jammy: Fix Released Status in linux-kvm source package in Jammy: Fix Released Status in linux-meta-azure source package in Jammy: Invalid Status in linux-meta-kvm source package in Jammy: New Status in linux source package in Kinetic: Fix Committed Status in linux-kvm source package in Kinetic: In Progress Status in linux-meta-azure source package in Kinetic: Invalid Status in linux-meta-kvm source package in Kinetic: New Status in linux source package in Lunar: Fix Released Status in linux-kvm source package in Lunar: Fix Released Status in linux-meta-azure source package in Lunar: New Status in linux-meta-kvm source package in Lunar: New Status in linux source package in Mantic: In Progress Status in linux-kvm source package in Mantic: In Progress Status in linux-meta-azure source package in Mantic: Invalid Status in linux-meta-kvm source package in Mantic: Invalid Bug description: SRU Justification [Impact] The kvm flavours currently do not enable dm-verity. This stops us from using integrity protected and verified images in VMs using this kernel flavour. 
[Fix]
Please consider enabling the following kconfigs:

CONFIG_DM_VERITY
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
CONFIG_INTEGRITY_MACHINE_KEYRING
CONFIG_IMA_ARCH_POLICY (this might not be necessary if the machine keyring implementation is patched to skip the check enabled by this kconfig)

(The latter two are needed to ensure that MoK keys can be used to verify dm-verity images too, via the machine keyring linked to the secondary keyring)

These are already enabled in the 'main' kernel config, and in other distros.

As a specific and explicit use case, in the systemd project we want to test functionality provided by systemd that needs these kconfigs on Ubuntu machines running the kvm flavour kernel.

To verify whether this works, add a certificate to MOK, boot and check the content of the secondary keyring. The machine keyring should show up under it, and it should show the certificates loaded in MOK. E.g.:

$ sudo keyctl show %:.secondary_trusted_keys
Keyring
 159454604 ---lswrv      0     0  keyring: .secondary_trusted_keys
  88754641 ---lswrv      0     0   \_ keyring: .builtin_trusted_keys
 889010778 ---lswrv      0     0   |   \_ asymmetric: Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
 799434660 ---lswrv      0     0   |   \_ asymmetric: Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f
 541326986 ---lswrv      0     0   \_ keyring: .machine
 188508854 ---lswrv      0     0       \_ asymmetric: Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
 475039424 ---lswrv      0     0       \_ asymmetric: sb-bluca: Secure Boot Signing: 9a61c52d07d78a76935e67bdbe3f5e6968d62479

[Regression Potential]
MOK keys may not be correctly read.
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
** Tags removed: verification-needed-kinetic ** Tags added: verification-done-kinetic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-kvm in Ubuntu. https://bugs.launchpad.net/bugs/2019040 Title: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images Status in linux package in Ubuntu: In Progress Status in linux-kvm package in Ubuntu: In Progress Status in linux-meta-azure package in Ubuntu: Invalid Status in linux-meta-kvm package in Ubuntu: Invalid Status in linux source package in Jammy: Fix Committed Status in linux-kvm source package in Jammy: In Progress Status in linux-meta-azure source package in Jammy: Invalid Status in linux-meta-kvm source package in Jammy: New Status in linux source package in Kinetic: Fix Committed Status in linux-kvm source package in Kinetic: In Progress Status in linux-meta-azure source package in Kinetic: Invalid Status in linux-meta-kvm source package in Kinetic: New Status in linux source package in Lunar: Fix Committed Status in linux-kvm source package in Lunar: In Progress Status in linux-meta-azure source package in Lunar: New Status in linux-meta-kvm source package in Lunar: New Status in linux source package in Mantic: In Progress Status in linux-kvm source package in Mantic: In Progress Status in linux-meta-azure source package in Mantic: Invalid Status in linux-meta-kvm source package in Mantic: Invalid Bug description: SRU Justification [Impact] The kvm flavours currently do not enable dm-verity. This stops us from using integrity protected and verified images in VMs using this kernel flavour. 
[Fix] Please consider enabling the following kconfigs: CONFIG_DM_VERITY CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING CONFIG_IMA_ARCH_POLICY (The latter is needed to ensure that MoK keys can be used to verify dm-verity images too, via the machine keyring linked to the secondary keyring) These are already enabled in the 'main' kernel config, and in other distros. As a specific and explicit use case, in the systemd project we want to test functionality provided by systemd that needs these kconfigs on Ubuntu machines running the kvm flavour kernel. [Regression Potential] MOK keys may not be correctly read.
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
linux-generic looks good, thanks. Will the changes to linux-kvm and linux-azure be merged separately later? ** Tags removed: verification-needed-jammy verification-needed-lunar ** Tags added: verification-done-jammy verification-done-lunar -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-kvm in Ubuntu. https://bugs.launchpad.net/bugs/2019040 Title: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images Status in linux package in Ubuntu: In Progress Status in linux-kvm package in Ubuntu: In Progress Status in linux-meta-azure package in Ubuntu: Invalid Status in linux-meta-kvm package in Ubuntu: Invalid Status in linux source package in Jammy: Fix Committed Status in linux-kvm source package in Jammy: In Progress Status in linux-meta-azure source package in Jammy: Invalid Status in linux-meta-kvm source package in Jammy: New Status in linux source package in Kinetic: Fix Committed Status in linux-kvm source package in Kinetic: In Progress Status in linux-meta-azure source package in Kinetic: Invalid Status in linux-meta-kvm source package in Kinetic: New Status in linux source package in Lunar: Fix Committed Status in linux-kvm source package in Lunar: In Progress Status in linux-meta-azure source package in Lunar: New Status in linux-meta-kvm source package in Lunar: New Status in linux source package in Mantic: In Progress Status in linux-kvm source package in Mantic: In Progress Status in linux-meta-azure source package in Mantic: Invalid Status in linux-meta-kvm source package in Mantic: Invalid
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
Hi, any update on these configs changes? Have they been queued? -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2019040 Title: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images Status in linux package in Ubuntu: In Progress Status in linux-kvm package in Ubuntu: In Progress Status in linux-meta-azure package in Ubuntu: Invalid Status in linux-meta-kvm package in Ubuntu: Invalid Status in linux source package in Jammy: In Progress Status in linux-kvm source package in Jammy: In Progress Status in linux-meta-azure source package in Jammy: Invalid Status in linux-meta-kvm source package in Jammy: New Status in linux source package in Kinetic: In Progress Status in linux-kvm source package in Kinetic: In Progress Status in linux-meta-azure source package in Kinetic: Invalid Status in linux-meta-kvm source package in Kinetic: New Status in linux source package in Lunar: In Progress Status in linux-kvm source package in Lunar: In Progress Status in linux-meta-azure source package in Lunar: New Status in linux-meta-kvm source package in Lunar: New Status in linux source package in Mantic: In Progress Status in linux-kvm source package in Mantic: In Progress Status in linux-meta-azure source package in Mantic: Invalid Status in linux-meta-kvm source package in Mantic: Invalid
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
Thank you! Do you have details about the performance impact of IMA_ARCH? -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2019040 Title: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images Status in linux package in Ubuntu: In Progress Status in linux-kvm package in Ubuntu: In Progress Status in linux-meta-azure package in Ubuntu: Invalid Status in linux-meta-kvm package in Ubuntu: Invalid Status in linux source package in Jammy: In Progress Status in linux-kvm source package in Jammy: In Progress Status in linux-meta-azure source package in Jammy: Invalid Status in linux-meta-kvm source package in Jammy: New Status in linux source package in Kinetic: In Progress Status in linux-kvm source package in Kinetic: In Progress Status in linux-meta-azure source package in Kinetic: Invalid Status in linux-meta-kvm source package in Kinetic: New Status in linux source package in Lunar: In Progress Status in linux-kvm source package in Lunar: In Progress Status in linux-meta-azure source package in Lunar: New Status in linux-meta-kvm source package in Lunar: New Status in linux source package in Mantic: In Progress Status in linux-kvm source package in Mantic: In Progress Status in linux-meta-azure source package in Mantic: Invalid Status in linux-meta-kvm source package in Mantic: Invalid
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
There's no specific log to share, I've downloaded the kconfig for the kvm flavour from the linux-buildinfo-6.2.0-1003-kvm_6.2.0-1003.3_amd64.deb package, extracted usr/lib/linux/6.2.0-1003-kvm/config and checked for these kconfigs, and they are not present:

$ grep DM_VERITY config
# CONFIG_DM_VERITY is not set
$ grep IMA_ARCH config
$

** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2019040

Title: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images

Status in linux package in Ubuntu: In Progress
Status in linux-meta-azure package in Ubuntu: Invalid
Status in linux-meta-kvm package in Ubuntu: Invalid
Status in linux source package in Jammy: In Progress
Status in linux-meta-azure source package in Jammy: New
Status in linux-meta-kvm source package in Jammy: New
Status in linux source package in Kinetic: New
Status in linux-meta-azure source package in Kinetic: New
Status in linux-meta-kvm source package in Kinetic: New
Status in linux source package in Lunar: New
Status in linux-meta-azure source package in Lunar: New
Status in linux-meta-kvm source package in Lunar: New
Status in linux source package in Mantic: In Progress
Status in linux-meta-azure source package in Mantic: Invalid
Status in linux-meta-kvm source package in Mantic: Invalid

Bug description:
The kvm flavours currently do not enable dm-verity. This stops us from using integrity protected and verified images in VMs using this kernel flavour.
Please consider enabling the following kconfigs: CONFIG_DM_VERITY CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING CONFIG_IMA_ARCH_POLICY (The latter is needed to ensure that MoK keys can be used to verify dm-verity images too, via the machine keyring linked to the secondary keyring) These are already enabled in the 'main' kernel config, and in other distros. As a specific and explicit use case, in the systemd project we want to test functionality provided by systemd that needs these kconfigs on Ubuntu machines running the kvm flavour kernel.
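The check described in the comment above (grep the flavour's config file for the requested kconfigs), written as an added example that is not part of the bug report: it matches option names exactly and tells "is not set" apart from a symbol that is not in the file at all, which is what the empty `grep IMA_ARCH` result means. The function names and the three sample configs are constructed for this example and are not taken from any Ubuntu package.

```python
from __future__ import annotations

import re

# The kconfigs requested in this bug.
REQUIRED = (
    "CONFIG_DM_VERITY",
    "CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG",
    "CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING",
    "CONFIG_IMA_ARCH_POLICY",
)

_ENABLED = re.compile(r"^(CONFIG_\w+)=(.+)$")
_DISABLED = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text: str) -> dict[str, str]:
    """Map every symbol mentioned in a kernel config file to its state."""
    state: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _ENABLED.match(line):
            state[m[1]] = m[2]          # "y", "m", or a literal value
        elif m := _DISABLED.match(line):
            state[m[1]] = "not set"     # visible symbol, switched off
    return state


def audit(text: str, required: tuple[str, ...] = REQUIRED) -> dict[str, str]:
    """State of each required option: 'y', 'm', 'not set' or 'absent'.

    'absent' means the file never mentions the symbol. Kconfig only writes
    symbols whose dependencies are met, so a disabled parent option hides
    its children instead of listing them as 'is not set'.
    """
    state = parse_kconfig(text)
    return {opt: state.get(opt, "absent") for opt in required}


def missing(text: str, required: tuple[str, ...] = REQUIRED) -> list[str]:
    """Required options that are neither built in nor modular."""
    return [opt for opt, val in audit(text, required).items() if val not in ("y", "m")]


# Constructed sample shaped like the grep results quoted in the comment:
# DM_VERITY is explicitly off, nothing matches IMA_ARCH.
KVM_SAMPLE = """\
CONFIG_BLK_DEV_DM=y
# CONFIG_DM_VERITY is not set
"""

# Constructed sample where only the secondary-keyring option is off. A
# substring grep for DM_VERITY prints three similar lines here, so the one
# that is off is easy to overlook.
PARTIAL_SAMPLE = """\
CONFIG_BLK_DEV_DM=y
CONFIG_DM_VERITY=m
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is not set
CONFIG_IMA_ARCH_POLICY=y
"""

# Constructed sample with everything requested turned on.
FULL_SAMPLE = """\
CONFIG_DM_VERITY=m
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
CONFIG_IMA_ARCH_POLICY=y
"""

if __name__ == "__main__":
    for label, sample in (("kvm", KVM_SAMPLE), ("partial", PARTIAL_SAMPLE), ("full", FULL_SAMPLE)):
        print(label, audit(sample), "missing:", missing(sample))
```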
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
** Summary changed: - linux-kvm: please enable dm-verity kconfigs + linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images ** Also affects: linux-meta-azure (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-meta-kvm in Ubuntu. https://bugs.launchpad.net/bugs/2019040 Title: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images Status in linux-meta-azure package in Ubuntu: New Status in linux-meta-kvm package in Ubuntu: New
[Kernel-packages] [Bug 2019040] Re: linux-kvm: please enable dm-verity kconfigs
Also, please enable CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING on the cloud kernels - especially I am interested in the Azure one. Same reason as above - the other options are already enabled there. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-meta-kvm in Ubuntu. https://bugs.launchpad.net/bugs/2019040 Title: linux-kvm: please enable dm-verity kconfigs Status in linux-meta-kvm package in Ubuntu: New
[Kernel-packages] [Bug 2019040] [NEW] linux-kvm: please enable dm-verity kconfigs
Public bug reported: The kvm flavours currently do not enable dm-verity. This stops us from using integrity protected and verified images in VMs using this kernel flavour. Please consider enabling the following kconfigs: CONFIG_DM_VERITY CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING CONFIG_IMA_ARCH_POLICY (The latter is needed to ensure that MoK keys can be used to verify dm-verity images too, via the machine keyring linked to the secondary keyring) These are already enabled in the 'main' kernel config, and in other distros. As a specific and explicit use case, in the systemd project we want to test functionality provided by systemd that needs these kconfigs on Ubuntu machines running the kvm flavour kernel. ** Affects: linux-meta-kvm (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-meta-kvm in Ubuntu. https://bugs.launchpad.net/bugs/2019040 Title: linux-kvm: please enable dm-verity kconfigs Status in linux-meta-kvm package in Ubuntu: New
[Kernel-packages] [Bug 1961771] Re: Enable CONFIG_WATCHDOG_HRTIMER_PRETIMEOUT in Jammy
** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1961771

Title: Enable CONFIG_WATCHDOG_HRTIMER_PRETIMEOUT in Jammy

Status in linux package in Ubuntu: Confirmed

Bug description:

[Impact]
The CONFIG_WATCHDOG_HRTIMER_PRETIMEOUT option allows to support pretimeout actions on device drivers without the hardware capability to support it. It was introduced in Linux 5.14:
https://github.com/torvalds/linux/commit/7b7d2fdc8c3e3f9fdb3558d674e1eeddc16c7d9e

It is now enabled in Debian:
https://salsa.debian.org/kernel-team/linux/-/commit/d09d223632f0505c3a82dc77d6f70e120002a221

More information about watchdog pretimeouts:
https://elinux.org/Tests:Watchdog-Pretimeout

We are adding support for this feature in systemd:
https://github.com/systemd/systemd/pull/19970

More specifically, if it was enabled in Jammy, we could add an upstream autopkgtest case using qemu to cover this functionality, which is not tested at all currently, when we rebase our autopkgtest image from Focal to Jammy.

[Test Plan]
To verify that this is working, simply boot Qemu with '-device i6300esb,id=watchdog0 -watchdog-action reset' then check the available governors:

modprobe pretimeout_noop
cat /sys/class/watchdog/watchdog0/pretimeout_available_governors

[Where problems could occur]
The feature is disabled by default, as the modules have to be manually loaded, so chance of side effects for general users is very low.
[Kernel-packages] [Bug 1961771] [NEW] Enable CONFIG_WATCHDOG_HRTIMER_PRETIMEOUT in Jammy
Public bug reported:

[Impact]
The CONFIG_WATCHDOG_HRTIMER_PRETIMEOUT option allows to support pretimeout actions on device drivers without the hardware capability to support it. It was introduced in Linux 5.14:
https://github.com/torvalds/linux/commit/7b7d2fdc8c3e3f9fdb3558d674e1eeddc16c7d9e

It is now enabled in Debian:
https://salsa.debian.org/kernel-team/linux/-/commit/d09d223632f0505c3a82dc77d6f70e120002a221

More information about watchdog pretimeouts:
https://elinux.org/Tests:Watchdog-Pretimeout

We are adding support for this feature in systemd:
https://github.com/systemd/systemd/pull/19970

More specifically, if it was enabled in Jammy, we could add an upstream autopkgtest case using qemu to cover this functionality, which is not tested at all currently, when we rebase our autopkgtest image from Focal to Jammy.

[Test Plan]
To verify that this is working, simply boot Qemu with '-device i6300esb,id=watchdog0 -watchdog-action reset' then check the available governors:

modprobe pretimeout_noop
cat /sys/class/watchdog/watchdog0/pretimeout_available_governors

[Where problems could occur]
The feature is disabled by default, as the modules have to be manually loaded, so chance of side effects for general users is very low.

** Affects: linux (Ubuntu) Importance: Undecided Status: New

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1961771

Title: Enable CONFIG_WATCHDOG_HRTIMER_PRETIMEOUT in Jammy

Status in linux package in Ubuntu: New
[Kernel-packages] [Bug 1905975] Re: kernel: Enable CONFIG_BPF_LSM on Ubuntu
FYI, Debian 11 will ship with BPF_LSM built in, but disabled by default
(by explicitly setting CONFIG_LSM to the desired list)

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1905975

Title:
  kernel: Enable CONFIG_BPF_LSM on Ubuntu

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Groovy:
  Confirmed
Status in linux source package in Hirsute:
  Confirmed

Bug description:
  == Impact ==

  Enabling CONFIG_BPF_LSM in the KConfig of Ubuntu Kernels, allowing
  users to use BPF LSM programs.

  == Background ==

  The BPF LSM was merged into the Linux kernel 5.7

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=641cd7b06c911c5935c34f24850ea18690649917
  https://outflux.net/blog/archives/2020/09/21/security-things-in-linux-v5-7

  It allows users to implement MAC and Audit Policies using BPF
  programs. As a follow-up from the interest generated by the LSM on
  BPF/Linux conferences and on request from users, we’d like to request
  the enabling of CONFIG_BPF_LSM on Ubuntu starting with H.

  The LSM won't be added to the list of active LSMs by default (in
  CONFIG_LSM or lsm= on the boot parameters) yet, as it adds an
  indirect function call overhead by registering an empty LSM hook for
  all hooks. However, enabling it in the kernel config will support
  users who wish to use BPF LSM programs without needing to replace
  their kernel image.

  The LSM can be made "active" by default when our work on getting rid
  of this overhead is merged in the kernel:

  https://lore.kernel.org/bpf/20200820164753.3256899-1-jackm...@chromium.org

  == Regression Potential ==

  None. The LSM is not active by default, so it does not have any
  performance or functional regression.
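Added example, not part of the bug report or of any Ubuntu or Debian tooling: a shell check for the distinction the report draws between the BPF LSM being built in (CONFIG_BPF_LSM=y) and being active (listed in CONFIG_LSM or in lsm= on the boot parameters). The function names and the sample config and command line are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether the BPF LSM is built and whether it would be active.

# config_value CONFIG_TEXT KEY: print KEY's value with quotes stripped.
config_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# cmdline_lsm CMDLINE: print the lsm= boot parameter value (last one if repeated).
cmdline_lsm() {
    for word in $1; do
        case "$word" in
            lsm=*) printf '%s\n' "${word#lsm=}" ;;
        esac
    done | tail -n 1
}

# has_item LIST ITEM: succeed only on an exact match in a comma-separated list.
has_item() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# bpf_lsm_state CONFIG_TEXT CMDLINE: print not-built, built-inactive or active.
bpf_lsm_state() {
    if [ "$(config_value "$1" CONFIG_BPF_LSM)" != "y" ]; then
        echo not-built
        return 0
    fi
    order=$(cmdline_lsm "$2")
    # lsm= on the kernel command line overrides the CONFIG_LSM default list.
    [ -n "$order" ] || order=$(config_value "$1" CONFIG_LSM)
    if has_item "$order" bpf; then echo active; else echo built-inactive; fi
}

# Constructed sample inputs (not copied from a real kernel package).
SAMPLE_CONFIG='CONFIG_BPF_LSM=y
CONFIG_LSM="lockdown,yama,integrity,apparmor"'
SAMPLE_CMDLINE='ro quiet lsm=lockdown,yama,integrity,apparmor,bpf'

bpf_lsm_state "$SAMPLE_CONFIG" "ro quiet"          # built, not in CONFIG_LSM
bpf_lsm_state "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE"   # enabled via lsm=
```

On a live system, pass the contents of the kernel config (commonly /boot/config-$(uname -r) on Debian-style installs, an assumption here) and of /proc/cmdline; /sys/kernel/security/lsm shows the list the running kernel actually initialised.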