https://bugzilla.suse.com/show_bug.cgi?id=1173402#c8
--- Comment #8 from Fabian Vogt <fvogt(a)suse.com> ---
(In reply to Thomas Blume from comment #7)
> Thanks, the culprit is in the ifup.sh script.
> Because there is no ip= boot parameter, it goes to:
>
> -->
> # no ip option directed at our interface?
> if [ -z "$NO_AUTO_DHCP" ] && [ ! -e /tmp/net.${netif}.up ]; then
>     if [ -e /tmp/net.bootdev ]; then
>         BOOTDEV=$(cat /tmp/net.bootdev)
>         if [ "$netif" = "$BOOTDEV" ] || [ "$BOOTDEV" = "$(cat /sys/class/net/${netif}/address)" ]; then
>             load_ipv6
>             do_dhcp
>         fi
>     else
>         if getargs 'ip=dhcp6'; then
>             load_ipv6
>             do_dhcp -6
>         fi
>         if getargs 'ip=dhcp'; then
>             do_dhcp -4
>         fi
>     fi
> --<
That only does something in the bootdev/ip=dhcp case though AFAICT, but a bit
further up there is:
-->
# No ip lines default to dhcp
ip=$(getarg ip)
if [ -z "$NO_AUTO_DHCP" ] && [ -z "$ip" ]; then
    if [ "$netroot" = "dhcp6" ]; then
        do_dhcp -6
    else
        do_dhcp -4
    fi
    for s in $(getargs nameserver); do
        [ -n "$s" ] || continue
        echo nameserver $s >> /tmp/net.$netif.resolv.conf
    done
fi
--<
So this behaviour is a combination of:
- Interfaces without explicit ip= config fall back to DHCP
- It waits for (any) explicitly configured interface to be up
- ip=dhcp counts as "explicitly configuring all interfaces"
This might just need a '>/tmp/net.${netif}.did-setup' there?
As there is no ip parameter set, it can't possibly reach the code in
the 'for p in $(getargs ip=)' loop which creates the did-setup flag,
but net-genrules.sh generated the initqueue hook waiting for them
regardless of any ip parameters.
> ...
>
> It does setup the ip but not the netroot.
> So, without the ip= parameter, dracut doesn't seem to recognize that the
> system root is provided via network.
> According to the manpage, rd.neednet only commands dracut to set up the
> network, but not to provide netroot:
>
> -->
> rd.neednet=1
> boolean, bring up network even without netroot set
> --<
That's actually what it's used for here - have network in the initrd, but boot
from local disk.
It's because a dracut module (ignition) uses network for downloading files.
> I guess you would have to add a netroot parameter to make dracut aware that
> system root is provided via network.
> Maybe also root=dhcp works, though.
That might break booting... Even if that works as alternative to ip=dhcp
without the delay, it doesn't seem like a good idea to use it instead, just the
name alone would need a big disclaimer...
--
You are receiving this mail because:
You are the assignee for the bug.
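As an added illustration (not dracut's own code, and not posted by anyone in this thread), a small POSIX sh model of the interaction comment #8 describes: the initqueue hook generated by net-genrules.sh waits for /tmp/net.$netif.did-setup, the explicit ip= path creates that flag, and the no-ip= DHCP fallback does not. getarg, ifup and initqueue_ready are simplified stand-ins for dracut's functions, a temp dir stands in for /tmp, and the `fixed` switch applies the suggested touch of the flag in the fallback path.

```shell
#!/bin/sh
# Added model of the ifup.sh / initqueue interaction from comment #8 (not dracut's
# own code). net-genrules.sh makes the initqueue wait for /tmp/net.$netif.did-setup;
# the explicit ip= path creates that flag, the no-ip= DHCP fallback does not.
WORK=$(mktemp -d)              # stands in for /tmp inside the initrd
trap 'rm -rf "$WORK"' EXIT

# Simplified getarg: print the value of key=value from a cmdline string,
# exit 1 if the key is absent (a bare key prints an empty value).
getarg() { # $1=cmdline $2=key
    for w in $1; do
        case "$w" in
            "$2"=*) echo "${w#*=}"; return 0 ;;
            "$2")   echo; return 0 ;;
        esac
    done
    return 1
}

# Model of ifup.sh for one interface. $3=yes applies the fix suggested in the
# thread: touch the did-setup flag in the fallback DHCP path as well.
ifup() { # $1=cmdline $2=netif $3=fixed
    cmdline=$1 netif=$2 fixed=$3
    rm -f "$WORK/net.$netif.did-setup"
    ip=$(getarg "$cmdline" ip) || ip=""
    if getarg "$cmdline" rd.neednet >/dev/null || [ -n "$ip" ]; then
        if [ -z "$ip" ]; then
            echo "$netif: no ip= given, falling back to do_dhcp -4"
            if [ "$fixed" = yes ]; then : > "$WORK/net.$netif.did-setup"; fi
        else
            echo "$netif: ip=$ip, setup_net creates the did-setup flag"
            : > "$WORK/net.$netif.did-setup"
        fi
    fi
}

# Model of the initqueue finished hook net-genrules.sh generates: ready only
# once every interface it was told about has its did-setup flag.
initqueue_ready() { # $@=interfaces
    for netif in "$@"; do
        [ -e "$WORK/net.$netif.did-setup" ] || return 1
    done
    return 0
}
```

Running `ifup "rd.neednet=1" eth0 no; initqueue_ready eth0` reproduces the timeout condition (the hook never becomes ready), while `ip=dhcp` or `fixed=yes` makes it ready.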
https://bugzilla.suse.com/show_bug.cgi?id=1173402#c7
--- Comment #7 from Thomas Blume <thomas.blume(a)suse.com> ---
Thanks, the culprit is in the ifup.sh script.
Because there is no ip= boot parameter, it goes to:
-->
# no ip option directed at our interface?
if [ -z "$NO_AUTO_DHCP" ] && [ ! -e /tmp/net.${netif}.up ]; then
    if [ -e /tmp/net.bootdev ]; then
        BOOTDEV=$(cat /tmp/net.bootdev)
        if [ "$netif" = "$BOOTDEV" ] || [ "$BOOTDEV" = "$(cat /sys/class/net/${netif}/address)" ]; then
            load_ipv6
            do_dhcp
        fi
    else
        if getargs 'ip=dhcp6'; then
            load_ipv6
            do_dhcp -6
        fi
        if getargs 'ip=dhcp'; then
            do_dhcp -4
        fi
    fi
--<
Comparing that to the setup loop when the ip= parameter is present, the call to
the netroot script is missing:
-->
# Specific configuration, spin through the kernel command line
# looking for ip= lines
for p in $(getargs ip=); do
    [...]
    # and finally, finish interface set up if there isn't already a script
    # to do so (which is the case in the dhcp path)
    if [ ! -e $hookdir/initqueue/setup_net_$netif.sh ]; then
        setup_net $netif
        source_hook initqueue/online $netif
        if [ -z "$manualup" ]; then
            /sbin/netroot $netif
        fi
    fi
    if command -v wicked >/dev/null && [ -z "$manualup" ]; then
        /sbin/netroot $netif
    fi
--<
It does set up the ip but not the netroot.
So, without the ip= parameter, dracut doesn't seem to recognize that the
system root is provided via network.
According to the manpage, rd.neednet only commands dracut to set up the
network, but not to provide netroot:
-->
rd.neednet=1
boolean, bring up network even without netroot set
--<
I guess you would have to add a netroot parameter to make dracut aware that
system root is provided via network.
Maybe also root=dhcp works, though.
https://bugzilla.suse.com/show_bug.cgi?id=1173402#c6
Fabian Vogt <fvogt(a)suse.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags|needinfo?(fvogt(a)suse.com) |
--- Comment #6 from Fabian Vogt <fvogt(a)suse.com> ---
Created attachment 839298
--> https://bugzilla.suse.com/attachment.cgi?id=839298&action=edit
Log with rd.neednet=1 rd.debug ip=dhcp
Done. It can be seen that in both cases, DHCP is done successfully, but only
with ip=dhcp, the did-setup flag file got created.
https://bugzilla.suse.com/show_bug.cgi?id=1173402#c4
Thomas Blume <thomas.blume(a)suse.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fvogt(a)suse.com
Flags| |needinfo?(fvogt(a)suse.com)
--- Comment #4 from Thomas Blume <thomas.blume(a)suse.com> ---
(In reply to Fabian Vogt from comment #3)
> Dammit. I did some more tests meanwhile and it doesn't work in some cases,
> presumably in those where there were no ifcfg-* files copied into the initrd.
> It still acquires an IP over DHCP, but the dracut initqueue times out anyway.
>
> Any idea what could be used as a workaround?
dhcp is the fallback, if there is no ip= config given.
Maybe it doesn't try all interfaces then.
But better I check the boot log.
Could you provide a log from a failing boot with the rd.debug boot parameter?
https://bugzilla.suse.com/show_bug.cgi?id=1173402#c3
--- Comment #3 from Fabian Vogt <fvogt(a)suse.com> ---
(In reply to Thomas Blume from comment #2)
> (In reply to Fabian Vogt from comment #0)
> > @dracut maintainers: It seems like "rd.neednet=1" is enough to get dracut to
> > acquire an address over DHCP, so a workaround is to just drop "ip=dhcp". I'd
> > like to have confirmation that this is intended behaviour and won't break
> > without notice in the future. This doesn't help for cases without DHCP
> > though.
>
> Need to double check but AFAIK, rd.neednet isn't sufficient, at least if the
> machine has multiple network interfaces. In this case you need to tell
> dracut which interface to use.
> ip=dhcp works in this case, because it is a wildcard to try all network
> interfaces.
Dammit. I did some more tests meanwhile and it doesn't work in some cases,
presumably in those where there were no ifcfg-* files copied into the initrd.
It still acquires an IP over DHCP, but the dracut initqueue times out anyway.
Any idea what could be used as a workaround?
https://bugzilla.suse.com/show_bug.cgi?id=1173402#c2
Thomas Blume <thomas.blume(a)suse.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags|needinfo?(thomas.blume@suse.com), needinfo?(daniel.molkentin@suse.com) |
--- Comment #2 from Thomas Blume <thomas.blume(a)suse.com> ---
(In reply to Fabian Vogt from comment #0)
> @dracut maintainers: It seems like "rd.neednet=1" is enough to get dracut to
> acquire an address over DHCP, so a workaround is to just drop "ip=dhcp". I'd
> like to have confirmation that this is intended behaviour and won't break
> without notice in the future. This doesn't help for cases without DHCP
> though.
>
> If it's not possible to avoid the "ip=foo" induced kernel delay, it might be
> a good idea to provide "rd.ip=foo" or similar as alias, which is ignored by
> the kernel.
Need to double check but AFAIK, rd.neednet isn't sufficient, at least if the
machine has multiple network interfaces. In this case you need to tell dracut
which interface to use.
ip=dhcp works in this case, because it is a wildcard to try all network
interfaces.
https://bugzilla.suse.com/show_bug.cgi?id=1173567
Marcus Meissner <meissner(a)suse.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|kernel-bugs(a)opensuse.org |kernel-bugs(a)suse.de
http://bugzilla.opensuse.org/show_bug.cgi?id=1173567
Bug ID: 1173567
Summary: [ARM] lockdown bypass for loading unsigned modules
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.2
Hardware: aarch64
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-bugs(a)opensuse.org
Reporter: guillaume.gardet(a)arm.com
QA Contact: qa-bugs(a)suse.de
CC: afaerber(a)suse.com, dmueller(a)suse.com
Found By: ---
Blocker: ---
There is an exploit on ARM SecureBoot. The lockdown can be bypassed for loading
unsigned modules.
See: https://www.openwall.com/lists/oss-security/2020/06/14/1
There is a WIP patch to harden the AML/memory interaction, preventing AML code
from poking around in memory:
http://lists.infradead.org/pipermail/linux-arm-kernel/2020-June/580418
This final patch will need to go to supported SLE/Leap.