** Description changed:

  [Impact]
+ opal-prd (the daemon on a power system that listens for hw diagnostic system 
events at the /dev/opal-prd device) fails to start.
+ The reason is that opal-prd is not able to properly handle devtmpfs, mounted 
with noexec in /dev, which is the case on recent versions of systemd (like used 
in focal or newer)..
+ Currently such a mount prevents mapping HBRT image code region as 'rwx' from 
/dev.
  
- This impacts the opal-prd userspace command from the skiboot package
- 
- On systems using recent versions of systemd /dev (devtmpfs) is mounted
- with noexec option. Such mount prevents mapping HBRT image code region
- as RWX from /dev. This commit, as suggested in github PR linked below,
- attempts to work around the situation by copying HBRT image to anon
- mmaped memory region and sets mprotect rwx on it, allowing opal-prd to
- successfully execute the code region.
- 
- The direct Impact is that the opal-prd command will not start on groovy
- and focal
+ [Fix]
+ This patch/commit attempts to work around the situation by copying HBRT image 
to a non mmapped memory region and sets mprotect rwx on it, allowing opal-prd 
to successfully execute the code region (as suggested here: 
https://github.com/open-power/skiboot/issues/258):
+ 47005e8d4c9aeda5826c17c4a013cfbda1a3f2de 47005e8 "opal-prd: handle devtmpfs 
mounted with noexec"
  
  [Test Case]
- 
- Unfortunately due to the specific hardware requirement I wasn't able to
- reproduce this problem and provide a test case for it. However I was
- able to build this package into a ppa and got the IBM team to confirm
- this problem was resolved for groovy focal, bionic, xenial see comment
- #4
- 
- I would anticipate this test should work based on the description
- $> opal-prd
- contemplate crash
- $> sudo apt update skiboot
- $> opal-prd
- no crash with the updated package
+ Since the opal-prd daemon must be running in the background as a separate 
process, the test is to:
+ - install the updated package that includes the patched opal-prd daemon (e.g. 
from the PPA mentioned below)
+ - double check the installed package version (dpkg -l) and maybe the opal-pd 
version that's in place (opal-prd --version)
+ - start opal-prd as daemon: 'service opal-prd start' (if not started 
automatically)
+ - verify the opal-prd status and check if it's running or not, by for example 
'service opal-prd status'
  
  [What could go wrong]
- 
- Hopefully not much. The initial fix was prepared back in October and I
- would think regression could have been discovered by now. The change is
- also limited to single user space command that IBM is closely using and
- maintaining. I anticipate regression to be reported to us promptly.
+ Things can go wrong in case the HBRT image copy is done wrong; in case it's 
accidentally copied to a wrong memory area (e.g. to an already mapped range, or 
erroneously calculated address/size), a seg. fault will happen and the system 
would core dump.
+ The mprotect code is pretty straight forward, but the fact that mprotect rwx 
is set on it, allows opal-prd to successfully execute the code region. It's not 
generally a perfect approach to map memory as RWX, but HBRT requires the 
ability to write into the image at runtime - and it got upstream accepted that 
way with skiboot v6.7.
+ The fix was released back in October and was pre-tested by the IBM Power team.
+ On top a patched Ubuntu package was build and shared in a PPA (see comment 
#1) and again successfully validated on focal and groovy.
+ __________
  
  [Original Description]
  
  == Comment: #0 - VASANT HEGDE <hegdevas...@in.ibm.com> - 2020-11-23 23:23:22 
==
  ---Problem Description---
  opal-prd fails to start on 20.04
  
  Contact Information = Vasant hegde <hegdevas...@linux.vnet.ibm.com>
  
  ---uname output---
  Ubuntu 20.04
  
  Machine Type = All Power System
  
  ---Steps to Reproduce---
   opal-prd fails to start on 20.04
  
  Userspace tool common name: opal-prd
  
  The userspace tool has the following bit modes: 64bit
  
  Userspace rpm: opal-prd
  
  This is fixed in upstream by below commit. Please backport this patch to
  20.04 LTS release. Also applicable for 20.10.
  
  commit 47005e8d4c9aeda5826c17c4a013cfbda1a3f2de
  Author: Georgy Yakovlev <gyakov...@gentoo.org>
  Date:   Mon Oct 12 14:29:17 2020 -0700
  
      opal-prd: handle devtmpfs mounted with noexec
  
      On systems using recent versions of systemd /dev (devtmpfs) is mounted 
with
      noexec option. Such mount prevents mapping HBRT image code region as RWX
      from /dev. This commit, as suggested in github PR linked below, attempts 
to
      work around the situation by copying HBRT image to anon mmaped memory
      region and sets mprotect rwx on it, allowing opal-prd to sucessfully
      execute the code region.
  
      Having memory region set as RWX is not ideal for security, but fixing that
      is a separate and hard to solve problem. Original code also mmaped region
      as RWX, so this PR does not make things worse at least.
  
      Closes: https://github.com/open-power/skiboot/issues/258
      Signed-off-by: Georgy Yakovlev <gyakov...@gentoo.org>
      Reviewed-by: Vasant Hegde <hegdevas...@linux.vnet.ibm.com>
      [oliver: whitespace fix, add a comment, reflow commit message]
      Signed-off-by: Oliver O'Halloran <ooh...@gmail.com>
  
  -Vasant
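Review bot: In the new [Fix] paragraph, "copying HBRT image to a non mmapped memory region" says the opposite of what the removed [Impact] text and the upstream commit message in the original description state, which is "anon mmaped memory region", meaning an anonymous mmap. Suggest "copying the HBRT image to an anonymous mmapped memory region". The same paragraph gives the commit id twice in a row (full hash, then "47005e8"), so one of them can go. In the new [Test Case], "opal-pd version" should read "opal-prd version". The steps also never confirm the triggering condition named in [Impact], so a first step that checks /dev is actually mounted noexec on the test machine would show that the fix is what is being exercised.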

https://bugs.launchpad.net/bugs/1905393

Title:
  Ubuntu 20.04: opal-prd fails to start on 20.04
