July 2020 - openSUSE Kernel Bugs - openSUSE Mailing Lists

[kernel-bugs] [Bug 1173402] Kernel delays boot by 12s if ip= option given
by bugzilla_noreply＠suse.com 02 Jul '20

02 Jul '20

https://bugzilla.suse.com/show_bug.cgi?id=1173402 https://bugzilla.suse.com/show_bug.cgi?id=1173402#c8 --- Comment #8 from Fabian Vogt <fvogt(a)suse.com> --- (In reply to Thomas Blume from comment #7) > Thanks, the culprit is in the ifup.sh script. > Because there is no ip= boot parameter, it goes to: > > --> > # no ip option directed at our interface? > if [ -z "$NO_AUTO_DHCP" ] && [ ! -e /tmp/net.${netif}.up ]; then > if [ -e /tmp/net.bootdev ]; then > BOOTDEV=$(cat /tmp/net.bootdev) > if [ "$netif" = "$BOOTDEV" ] || [ "$BOOTDEV" = "$(cat > /sys/class/net/${netif}/address)" ]; then > load_ipv6 > do_dhcp > fi > else > if getargs 'ip=dhcp6'; then > load_ipv6 > do_dhcp -6 > fi > if getargs 'ip=dhcp'; then > do_dhcp -4 > fi > fi > --< That only does something in the bootdev/ip=dhcp case though AFAICT, but a bit further up there is: --> # No ip lines default to dhcp ip=$(getarg ip) if [ -z "$NO_AUTO_DHCP" ] && [ -z "$ip" ]; then if [ "$netroot" = "dhcp6" ]; then do_dhcp -6 else do_dhcp -4 fi for s in $(getargs nameserver); do [ -n "$s" ] || continue echo nameserver $s >> /tmp/net.$netif.resolv.conf done fi --< So this behaviour is a combination of: - Interfaces without explicit ip= config fall back to DHCP - It waits for (any) explicitly configured interface to be up - ip=dhcp counts as "explicitly configuring all interfaces" This might just need a '>/tmp/net.${netif}.did-setup' there? As there is no ip parameter set, it can't possibly reach the code in the 'for p in $(getargs ip=)' loop which creates the did-setup flag, but net-genrules.sh generated the initqueue hook waiting for them irregardless of any ip parameters. > ... > > It does setup the ip but not the netroot. > So, without the ip= parameter, dracut doesn't seems to recognize that the > system root is provided via network. > According to the manpage, rd.neednet only commands dracut to set up the > network, but not to provide netroot: > > --> > rd.neednet=1 > boolean, bring up network even without netroot set > --< That's actually what it's used for here - have network in the initrd, but boot from local disk. It's because a dracut module (ignition) uses network for downloading files. > I guess you would have to add a netroot parameter to make dracut aware that > system root is provided via network. > Maybe also root=dhcp works, though. That might break booting... Even if that works as alternative to ip=dhcp without the delay, it doesn't seem like a good idea to use it instead, just the name alone would need a big disclaimer... -- You are receiving this mail because: You are the assignee for the bug.

1 0

[kernel-bugs] [Bug 1173402] Kernel delays boot by 12s if ip= option given
by bugzilla_noreply＠suse.com 02 Jul '20

02 Jul '20

https://bugzilla.suse.com/show_bug.cgi?id=1173402 https://bugzilla.suse.com/show_bug.cgi?id=1173402#c7 --- Comment #7 from Thomas Blume <thomas.blume(a)suse.com> --- Thanks, the culprit is in the ifup.sh script. Because there is no ip= boot parameter, it goes to: --> # no ip option directed at our interface? if [ -z "$NO_AUTO_DHCP" ] && [ ! -e /tmp/net.${netif}.up ]; then if [ -e /tmp/net.bootdev ]; then BOOTDEV=$(cat /tmp/net.bootdev) if [ "$netif" = "$BOOTDEV" ] || [ "$BOOTDEV" = "$(cat /sys/class/net/${netif}/address)" ]; then load_ipv6 do_dhcp fi else if getargs 'ip=dhcp6'; then load_ipv6 do_dhcp -6 fi if getargs 'ip=dhcp'; then do_dhcp -4 fi fi --< Comparing that to the setup loop when the ip= parameter is present, the call to the netroot script is missing: --> # Specific configuration, spin through the kernel command line # looking for ip= lines for p in $(getargs ip=); do [...] # and finally, finish interface set up if there isn't already a script # to do so (which is the case in the dhcp path) if [ ! -e $hookdir/initqueue/setup_net_$netif.sh ]; then setup_net $netif source_hook initqueue/online $netif if [ -z "$manualup" ]; then /sbin/netroot $netif fi fi if command -v wicked >/dev/null && [ -z "$manualup" ]; then /sbin/netroot $netif fi --< It does setup the ip but not the netroot. So, without the ip= parameter, dracut doesn't seems to recognize that the system root is provided via network. According to the manpage, rd.neednet only commands dracut to set up the network, but not to provide netroot: --> rd.neednet=1 boolean, bring up network even without netroot set --< I guess you would have to add a netroot parameter to make dracut aware that system root is provided via network. Maybe also root=dhcp works, though. -- You are receiving this mail because: You are the assignee for the bug.

1 0

[kernel-bugs] [Bug 1173402] Kernel delays boot by 12s if ip= option given
by bugzilla_noreply＠suse.com 02 Jul '20

02 Jul '20

https://bugzilla.suse.com/show_bug.cgi?id=1173402 https://bugzilla.suse.com/show_bug.cgi?id=1173402#c6 Fabian Vogt <fvogt(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(fvogt(a)suse.com) | --- Comment #6 from Fabian Vogt <fvogt(a)suse.com> --- Created attachment 839298 --> https://bugzilla.suse.com/attachment.cgi?id=839298&action=edit Log with rd.neednet=1 rd.debug ip=dhcp Done. It can be seen that in both cases, DHCP is done successfully, but only with ip=dhcp, the did-setup flag file got created. -- You are receiving this mail because: You are the assignee for the bug.

1 0

[kernel-bugs] [Bug 1173402] Kernel delays boot by 12s if ip= option given
by bugzilla_noreply＠suse.com 02 Jul '20

02 Jul '20

https://bugzilla.suse.com/show_bug.cgi?id=1173402 https://bugzilla.suse.com/show_bug.cgi?id=1173402#c5 --- Comment #5 from Fabian Vogt <fvogt(a)suse.com> --- Created attachment 839297 --> https://bugzilla.suse.com/attachment.cgi?id=839297&action=edit Log with rd.neednet=1 rd.debug -- You are receiving this mail because: You are the assignee for the bug.

1 0

[kernel-bugs] [Bug 1173402] Kernel delays boot by 12s if ip= option given
by bugzilla_noreply＠suse.com 02 Jul '20

02 Jul '20

https://bugzilla.suse.com/show_bug.cgi?id=1173402 https://bugzilla.suse.com/show_bug.cgi?id=1173402#c4 Thomas Blume <thomas.blume(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fvogt(a)suse.com Flags| |needinfo?(fvogt(a)suse.com) --- Comment #4 from Thomas Blume <thomas.blume(a)suse.com> --- (In reply to Fabian Vogt from comment #3) > Dammit. I did some more tests meanwhile and it doesn't work in some cases, > presumably in those where there were no ifcfg-* files copied into the initrd. > It still acquires an IP over DHCP, but the dracut initqueue times out anyway. > > Any idea what could be used as a workaround? dhcp is the fallback, if there is no ip= config given. Maybe it doesn't try all interfaces then. But better I check the boot log. Could you provide a log from a failing boot with the rd.debug boot parameter? -- You are receiving this mail because: You are the assignee for the bug.

1 0

[kernel-bugs] [Bug 1173402] Kernel delays boot by 12s if ip= option given
by bugzilla_noreply＠suse.com 02 Jul '20

02 Jul '20

https://bugzilla.suse.com/show_bug.cgi?id=1173402 https://bugzilla.suse.com/show_bug.cgi?id=1173402#c3 --- Comment #3 from Fabian Vogt <fvogt(a)suse.com> --- (In reply to Thomas Blume from comment #2) > (In reply to Fabian Vogt from comment #0) > > @dracut maintainers: It seems like "rd.neednet=1" is enough to get dracut to > > acquire an address over DHCP, so a workaround is to just drop "ip=dhcp". I'd > > like to have confirmation that this is intended behaviour and won't break > > without notice in the future. This doesn't help for cases without DHCP > > though. > > Need to double check but AFAIK, rd.neednet isn't sufficient, at least if the > machine has multiple network interfaces. In this case you need to tell > dracut which interface to use. > ip=dhcp works in this case, because it is a wildcard to try all network > interfaces. Dammit. I did some more tests meanwhile and it doesn't work in some cases, presumably in those where there were no ifcfg-* files copied into the initrd. It still acquires an IP over DHCP, but the dracut initqueue times out anyway. Any idea what could be used as a workaround? -- You are receiving this mail because: You are the assignee for the bug.

1 0

[kernel-bugs] [Bug 1173402] Kernel delays boot by 12s if ip= option given
by bugzilla_noreply＠suse.com 01 Jul '20

01 Jul '20

https://bugzilla.suse.com/show_bug.cgi?id=1173402 https://bugzilla.suse.com/show_bug.cgi?id=1173402#c2 Thomas Blume <thomas.blume(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(thomas.blume@suse | |.com), | |needinfo?(daniel.molkentin@ | |suse.com) | --- Comment #2 from Thomas Blume <thomas.blume(a)suse.com> --- (In reply to Fabian Vogt from comment #0) > @dracut maintainers: It seems like "rd.neednet=1" is enough to get dracut to > acquire an address over DHCP, so a workaround is to just drop "ip=dhcp". I'd > like to have confirmation that this is intended behaviour and won't break > without notice in the future. This doesn't help for cases without DHCP > though. > > If it's not possible to avoid the "ip=foo" induced kernel delay, it might be > a good idea to provide "rd.ip=foo" or similar as alias, which is ignored by > the kernel. Need to double check but AFAIK, rd.neednet isn't sufficient, at least if the machine has multiple network interfaces. In this case you need to tell dracut which interface to use. ip=dhcp works in this case, because it is a wildcard to try all network interfaces. -- You are receiving this mail because: You are the assignee for the bug.

1 0

[kernel-bugs] [Bug 1173567] VUL-0: kernel-source: [ARM] lockdown bypass for loading unsigned modules
by bugzilla_noreply＠suse.com 01 Jul '20

01 Jul '20

https://bugzilla.suse.com/show_bug.cgi?id=1173567 Marcus Meissner <meissner(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|kernel-bugs(a)opensuse.org |kernel-bugs(a)suse.de -- You are receiving this mail because: You are the assignee for the bug.

1 0

[kernel-bugs] [Bug 1173567] New: [ARM] lockdown bypass for loading unsigned modules
by bugzilla_noreply＠suse.com 01 Jul '20

01 Jul '20

http://bugzilla.opensuse.org/show_bug.cgi?id=1173567 Bug ID: 1173567 Summary: [ARM] lockdown bypass for loading unsigned modules Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.2 Hardware: aarch64 OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-bugs(a)opensuse.org Reporter: guillaume.gardet(a)arm.com QA Contact: qa-bugs(a)suse.de CC: afaerber(a)suse.com, dmueller(a)suse.com Found By: --- Blocker: --- There is an exploit on ARM SecureBoot. The lockdown can be bypassed for loading unsigned modules. See: https://www.openwall.com/lists/oss-security/2020/06/14/1 There is a WIP patch to harden the AML/memory interaction, preventing AML code to poke around in memory: http://lists.infradead.org/pipermail/linux-arm-kernel/2020-June/580418 This final patch will need to go to supported SLE/Leap. -- You are receiving this mail because: You are the assignee for the bug.

1 3