[Bug 2088069] Re: systemd-stub should provide a way to be forced to use handover

Nick Rosbrook 2088069 at bugs.launchpad.net
Tue Feb 18 14:47:30 UTC 2025 

** Tags added: systemd-sru-next

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2088069

Title:
  systemd-stub should provide a way to be forced to use handover

Status in systemd package in Ubuntu:
  New
Status in systemd source package in Noble:
  New
Status in systemd source package in Oracular:
  New

Bug description:
  Since systemd 252, systemd-stub does LoadImage/StartImage to executed
  the kernel in the .linux section.

  See origin PR: https://github.com/systemd/systemd/pull/24777

  Before, it was using the "EFI handover protocol". Unfortunately kernel
  handover is now deprecated. Also it was only for x86, and missing some
  features. So upstream decided to use LoadImage/StartImage.

  In order to use LoadImage, it needs to be able to prevent signature
  verification and measurement. Because the .linux section is part of
  the UKI that is already signed and measured. Do that that, it
  overrides the functions in security architectural protocols.

  Security architectural protocols are part of the platform
  initialization specifications. They are optional in these
  specifications, and the platform initialization specifications are
  optional by themselves. So some UEFI firmware will not support
  systemd-stub.

  For upstream this is not really an issue. UKIs are still something new
  that has not been used by many distributions yet. And there is
  probably not that many firmware that does not support the needed
  features.

  However, Ubuntu Core has been shipping UKIs since Ubuntu Core 20. And
  kernel handover has been in use by users that have firmware that do
  not support the needed features.

  The bugs that can be caused are:
   * If EFI_SECURITY2_ARCH_PROTOCOL is not implemented, there will be a spurious measurement of the .linux section on PCR 4. We have observed this behavior in the wild.
   * If EFI_SECURITY_ARCH_PROTOCOL is not implemented, this should generate a "security violation" error. This is hypothetical. We have not yet observed this.

  Ubuntu Core 24 uses systemd-stub with LoadImage/StartImage. That means
  some users cannot upgrade from Ubuntu Core 22 to Ubuntu Core 24.

  systemd-stub still has a fallback to handover entry point if the
  embedded kernel is too old to support the PE/COFF entry point. The
  kernel from 24.04 does support both LoadImage/StartImage and handover.
  That means systemd-stub will always use LoadImage, and never the
  handover.

  We need to be able to force systemd-stub to use handover for some of
  our users.

  Ubuntu Core supports kernel command line changes from the gadget
  (since we use PCR12 as part of the PCR policies to unseal storage
  keys, it is safe). So it is easy to pass the information to enable
  handover that way. So I propose we look for the "signal" there and
  force handover.

  Here is my proposed patch:
  https://gist.github.com/valentindavid/7ab6247c8fe0d3a91d089d201e160ba4

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2088069/+subscriptions

More information about the foundations-bugs mailing list