** Description changed: + [Impact] + + This impacts the opal-prd userspace command from the skiboot package + + On systems using recent versions of systemd /dev (devtmpfs) is mounted + with noexec option. Such mount prevents mapping HBRT image code region + as RWX from /dev. This commit, as suggested in github PR linked below, + attempts to work around the situation by copying HBRT image to anon + mmaped memory region and sets mprotect rwx on it, allowing opal-prd to + successfully execute the code region. + + The direct Impact is that the opal-prd command will not start on groovy + and focal + + [Test Case] + + Unfortunately due to the specific hardware requirement I wasn't able to + reproduce this problem and provide a test case for it. However I was + able to build this package into a ppa and got the IBM team to confirm + this problem was resolved for groovy focal, bionic, xenial see comment + #4 + + I would anticipate this test should work based on the description + $> opal-prd + contemplate crash + $> sudo apt update skiboot + $> opal-prd + no crash with the updated package + + [What could go wrong] + + Hopefully not much. The initial fix was prepared back in October and I + would think regression could have been discovered by now. The change is + also limited to single user space command that IBM is closely using and + maintaining. I anticipate regression to be reported to us promptly. 
+ + [Original Description] + == Comment: #0 - VASANT HEGDE <[email protected]> - 2020-11-23 23:23:22 == ---Problem Description--- opal-prd fails to start on 20.04 - + Contact Information = Vasant hegde <[email protected]> - + ---uname output--- Ubuntu 20.04 - - Machine Type = All Power System - + + Machine Type = All Power System + ---Steps to Reproduce--- - opal-prd fails to start on 20.04 - - Userspace tool common name: opal-prd - - The userspace tool has the following bit modes: 64bit + opal-prd fails to start on 20.04 + + Userspace tool common name: opal-prd + + The userspace tool has the following bit modes: 64bit Userspace rpm: opal-prd This is fixed in upstream by below commit. Please backport this patch to 20.04 LTS release. Also applicable for 20.10. commit 47005e8d4c9aeda5826c17c4a013cfbda1a3f2de Author: Georgy Yakovlev <[email protected]> Date: Mon Oct 12 14:29:17 2020 -0700 - opal-prd: handle devtmpfs mounted with noexec - - On systems using recent versions of systemd /dev (devtmpfs) is mounted with - noexec option. Such mount prevents mapping HBRT image code region as RWX - from /dev. This commit, as suggested in github PR linked below, attempts to - work around the situation by copying HBRT image to anon mmaped memory - region and sets mprotect rwx on it, allowing opal-prd to sucessfully - execute the code region. - - Having memory region set as RWX is not ideal for security, but fixing that - is a separate and hard to solve problem. Original code also mmaped region - as RWX, so this PR does not make things worse at least. - - Closes: https://github.com/open-power/skiboot/issues/258 - Signed-off-by: Georgy Yakovlev <[email protected]> - Reviewed-by: Vasant Hegde <[email protected]> - [oliver: whitespace fix, add a comment, reflow commit message] - Signed-off-by: Oliver O'Halloran <[email protected]> + opal-prd: handle devtmpfs mounted with noexec + + On systems using recent versions of systemd /dev (devtmpfs) is mounted with + noexec option. 
Such mount prevents mapping HBRT image code region as RWX + from /dev. This commit, as suggested in github PR linked below, attempts to + work around the situation by copying HBRT image to anon mmaped memory + region and sets mprotect rwx on it, allowing opal-prd to sucessfully + execute the code region. + + Having memory region set as RWX is not ideal for security, but fixing that + is a separate and hard to solve problem. Original code also mmaped region + as RWX, so this PR does not make things worse at least. + + Closes: https://github.com/open-power/skiboot/issues/258 + Signed-off-by: Georgy Yakovlev <[email protected]> + Reviewed-by: Vasant Hegde <[email protected]> + [oliver: whitespace fix, add a comment, reflow commit message] + Signed-off-by: Oliver O'Halloran <[email protected]> -Vasant
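Review bot: In the added [Test Case] steps, `sudo apt update skiboot` will not install the fixed package, because `apt update` only refreshes the package index. The step should refresh the index and then install or upgrade the binary package that ships opal-prd before rerunning it. The steps would also be easier to verify if they first confirmed that /dev is mounted with noexec, since that is the stated trigger, and if [Impact] and [Test Case] agreed on the affected series (the former names groovy and focal, the latter adds bionic and xenial). In [What could go wrong], it is worth carrying over the commit message's point that the copied HBRT region is still mapped RWX, so the change leaves that exposure as it was rather than removing it.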
-- 
https://bugs.launchpad.net/bugs/1905393

Title:
  Ubuntu 20.04: opal-prd fails to start on 20.04
