[Bug 1459871] Re: arm64 images built w/ setjmp module fail w/ license error
dann frazier
dann.frazier at canonical.com
Wed Dec 2 23:17:13 UTC 2015
On Tue, Dec 1, 2015 at 7:30 PM, Steve Langasek
<steve.langasek at canonical.com> wrote:
> This change is self-evidently correct, but is there a bug task somewhere
> for MAAS to not generate kitchen-sink .efi images that are exercising
> non-default configurations?
Not specifically. We've submitted hacks to MAAS to exclude "bad"
modules temporarily in the past - it currently omits setjmp & progress
on arm64.
> This seems like something that we should
> abstract at a different layer. E.g., we already have to build grub
> netboot images in both d-i and grub2 (the grub2 ones in order to get
> EFI-signed netboot images). It seems preferable for MAAS to be able to
> use a "stock" netboot image config provided by grub2 instead.
Agreed. Ultimately I'd like to see MAAS boot resources provide these
images via signed simplestream metadata, like it does for other boot
files/images.
> Longer term, this may be by virtue of MAAS using EFI-signed images for
> arm64, the way it does already on x86_64. So maybe that's the solution
> here.
It solves part of the problem, but it'd actually make things more
insecure today (LP: #1457982).
-dann
--
https://bugs.launchpad.net/bugs/1459871
Title:
  arm64 images built w/ setjmp module fail w/ license error
Status in grub2 package in Ubuntu:
  Fix Released
Status in grub2 source package in Trusty:
  Fix Committed
Status in grub2 source package in Vivid:
  Fix Committed
Status in grub2 source package in Wily:
  Fix Committed
Status in grub2 source package in Xenial:
  Fix Released
Bug description:
[Impact]
Any ARM64 GRUB image that includes the setjmp module will fail, reporting an "incompatible license" error. Ubuntu doesn't normally include this module in most images. The one exception I know of is MAAS which, by default, includes all modules when generating EFI images. MAAS currently has a hack to blacklist setjmp on arm64 because a fix wasn't available at the time - but I fear other users will try to do the same thing and hit this issue which can be difficult to track down.
[Test Case]
PXE boot a grub image on arm64 that includes the setjmp module:
$ grub-mkimage -v -o grubaa64.efi -O arm64-efi -d /usr/lib/grub/arm64-efi setjmp
[Regression Risk]
The patch merely adds a license section to the module and it has been tested to work.