Public bug reported:

[Availability]
The package is already in universe.


[Rationale]
The package is in use in the boot sequence on all supported Raspberry Pi 
images, both classic and core.


[Security]
While there are (recent) open CVEs against u-boot, none appear relevant to the 
RPi port specifically. Notably:

* CVE-2020-8432 deals with a double-free in cmd/gpt.c; GPT_CMD is not
enabled in our rpi related u-boot configuration (because the pi does not
support GUID partition tables).

* CVE-2020-10648 deals with bypassing verified boot restrictions on FIT
images; we don't use FIT u-boot images on our pi builds.

* CVE-2019-16258 deals with attackers gaining root access by
manipulating the u-boot console via UART; there's no expectation of boot
security against physical access to a pi so this is irrelevant.

* CVE-2019-14192..14204 deal with stack-based overflows against NFS and
RPC commands. While our u-boot-rpi build does include NFS commands, they
are not used in our boot scripts.

All further CVEs deal with versions prior to 2019.07 (the current
version in focal). Although it is clear vulnerabilities are reported
with some regularity against the package, it is also evident that
upstream responds rapidly to such reports and that many don't apply to
our usage of the package on the pi. Furthermore, the pi is a relatively
"open" platform with little expectation of security against direct
physical access (after all, the storage is removable and unencrypted)
which negates several of the reported vulnerabilities.


[Quality assurance]
As mentioned above, the package is already in active use in the Pi boot 
sequence. There are no outstanding bugs which significantly affect the 
usability (i.e. our images boot successfully on all supported pi models) and no 
important bugs open.

There is no meaningful test suite included in the package, but then for
a bootloader dealing with a novel platform the ultimate test is "does it
boot?", and each update of the package is extensively (manually) tested
against the supported models.

The current version of the package does build-depend against python2.
This is an issue noted in an upstream report (Debian: #943273),
corrected in the current version in sid
(https://salsa.debian.org/debian/u-boot/-/commit/f8a0fc63adbe13e0a3365af9b03e8315f1328913),
and hence will be corrected next time our package is synced with
upstream.


[UI standards]
The sole interactive element is the u-boot console which is only expected to be 
used in the circumstance that the system is un-bootable. This is (hopefully!) a 
sufficiently rare circumstance that the lack of localization does not pose an 
issue (further, it's hard to see how a bootloader could be localized given it 
is running prior to the OS starting and thus without knowledge of user 
configuration).


[Dependencies]
The sole runtime dependency is "awk", the installation candidates for which 
(gawk or mawk) are already present in main.


[Standards compliance]
The package installs its binaries under /usr/lib which may seem odd for 
something essential to booting the system but this is merely a "storage 
location". These binaries are then copied (via postinst currently, hopefully in 
future via flash-kernel) to the more appropriate /boot hierarchy.


[Maintenance]
The package is maintained by the Ubuntu Foundations team.


[Background information]
As mentioned above the package is already in active use on all our Raspberry Pi 
images (both classic and core). It's only recently that it was brought to my 
attention that the package isn't in main already. The package is essential to 
both the classic and core boot experiences: in the classic case for providing 
unpacking duties for compressed kernels, and in the core case for handling A/B 
boot states (neither of these facilities is currently supported by the pi's own 
firmware bootloader).

This package is currently pulled into the images via the "pi-gadget"
(https://github.com/snapcore/pi-gadget) snap which forms the basis of
both the classic and core pi images.

** Affects: u-boot (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1869792

Title:
  [MIR] u-boot-rpi

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/u-boot/+bug/1869792/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to