[Bug 2088069] Autopkgtest regression report (systemd/255.4-1ubuntu8.6)
Ubuntu SRU Bot
2088069 at bugs.launchpad.net
Fri Feb 28 07:21:36 UTC 2025
All autopkgtests for the newly accepted systemd (255.4-1ubuntu8.6) for noble have finished running.
The following regressions have been reported in tests triggered by the package:
ayatana-indicator-session/24.2.0-1build2 (arm64, ppc64el, s390x)
ceph/19.2.0-0ubuntu0.24.04.2 (ppc64el)
certspotter/unknown (armhf)
clamav/unknown (armhf)
clevis/unknown (armhf)
collectd/5.12.0-17.1build2 (s390x)
cron/3.0pl1-184ubuntu2 (ppc64el)
csync2/unknown (armhf)
cups/unknown (armhf)
dbus/unknown (armhf)
dbus-broker/35-2 (s390x)
debci/unknown (armhf)
dovecot/1:2.3.21+dfsg1-2ubuntu6 (s390x)
dpdk/23.11.2-0ubuntu0.24.04.1 (amd64, ppc64el)
exim4/4.97-4ubuntu4.2 (ppc64el)
freedom-maker/unknown (armhf)
gpsd/unknown (armhf)
haproxy/unknown (armhf)
hddemux/unknown (armhf)
hwloc/unknown (armhf)
kodi/2:20.5+dfsg-1ubuntu1 (ppc64el)
liblinux-systemd-perl/unknown (armhf)
libqb/unknown (armhf)
libvirt/unknown (armhf)
libvirt-dbus/unknown (armhf)
lighttpd/unknown (armhf)
linux-azure-6.11/6.11.0-1008.8~24.04.1 (amd64, arm64)
linux-gcp-6.11/6.11.0-1006.6~24.04.2 (arm64)
linux-gke/6.8.0-1019.23 (amd64)
linux-hwe-6.11/6.11.0-21.21~24.04.1 (amd64, arm64)
linux-hwe-6.11/unknown (armhf)
linux-lowlatency/6.8.0-56.58.1 (amd64)
linux-lowlatency-hwe-6.11/6.11.0-1010.11~24.04.1 (arm64)
linux-nvidia/6.8.0-1024.27 (arm64)
linux-nvidia-lowlatency/6.8.0-1024.27.1 (arm64)
linux-oem-6.8/6.8.0-1022.22 (amd64)
logiops/unknown (armhf)
logrotate/unknown (armhf)
mandos/unknown (armhf)
mariadb/1:10.11.8-0ubuntu0.24.04.1 (armhf)
mediawiki/1:1.39.7-1 (ppc64el)
mosquitto/2.0.18-1build3 (amd64, arm64, armhf, ppc64el, s390x)
mpd/unknown (armhf)
munin/unknown (armhf)
mutter/unknown (armhf)
netplan.io/1.1.1-1~ubuntu24.04.1 (arm64)
open-build-service/unknown (armhf)
openbsd-inetd/unknown (armhf)
openssh/1:9.6p1-3ubuntu13.8 (ppc64el)
pipewire/unknown (armhf)
policykit-1/unknown (armhf)
polkit-qt-1/unknown (armhf)
postgresql-16/unknown (armhf)
procps/unknown (armhf)
prometheus-homeplug-exporter/unknown (armhf)
prometheus-ipmi-exporter/1.8.0-1ubuntu0.24.04.2 (ppc64el)
prometheus-postfix-exporter/unknown (armhf)
prometheus-postgres-exporter/unknown (armhf)
prometheus-squid-exporter/unknown (armhf)
pulseaudio/unknown (armhf)
pystemd/unknown (armhf)
rsyslog/8.2312.0-3ubuntu9 (s390x)
rust-whoami/unknown (armhf)
rust-zram-generator/unknown (armhf)
sbws/unknown (armhf)
seatd/unknown (armhf)
shibboleth-sp/unknown (armhf)
swupdate/unknown (armhf)
systemd-cron/unknown (armhf)
systemd-hwe/unknown (armhf)
tinyssh/unknown (armhf)
tmux/unknown (armhf)
usbauth/unknown (armhf)
yder/unknown (armhf)
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].
https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#systemd
[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions
Thank you!
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2088069
Title:
systemd-stub should provide a way to be forced to use handover
Status in systemd package in Ubuntu:
Won't Fix
Status in systemd source package in Noble:
Fix Committed
Status in systemd source package in Oracular:
Won't Fix
Bug description:
[Original description/Impact]
Since systemd 252, systemd-stub does LoadImage/StartImage to execute
the kernel in the .linux section.
See origin PR: https://github.com/systemd/systemd/pull/24777
Before, it was using the "EFI handover protocol". Unfortunately kernel
handover is now deprecated. Also it was only for x86, and missing some
features. So upstream decided to use LoadImage/StartImage.
In order to use LoadImage, it needs to be able to prevent signature
verification and measurement, because the .linux section is part of
the UKI that is already signed and measured. To do that, it
overrides the functions in security architectural protocols.
Security architectural protocols are part of the platform
initialization specifications. They are optional in these
specifications, and the platform initialization specifications are
optional by themselves. So some UEFI firmware will not support
systemd-stub.
For upstream this is not really an issue. UKIs are still something new
that has not been used by many distributions yet. And there are
probably not that many firmwares that do not support the needed
features.
However, Ubuntu Core has been shipping UKIs since Ubuntu Core 20. And
kernel handover has been in use by users that have firmware that does
not support the needed features.
The bugs that can be caused are:
* If EFI_SECURITY2_ARCH_PROTOCOL is not implemented, there will be a spurious measurement of the .linux section on PCR 4. We have observed this behavior in the wild.
* If EFI_SECURITY_ARCH_PROTOCOL is not implemented, this should generate a "security violation" error. This is hypothetical. We have not yet observed this.
Ubuntu Core 24 uses systemd-stub with LoadImage/StartImage. That means
some users cannot upgrade from Ubuntu Core 22 to Ubuntu Core 24.
systemd-stub still has a fallback to handover entry point if the
embedded kernel is too old to support the PE/COFF entry point. The
kernel from 24.04 does support both LoadImage/StartImage and handover.
That means systemd-stub will always use LoadImage, and never the
handover.
We need to be able to force systemd-stub to use handover for some of
our users.
Ubuntu Core supports kernel command line changes from the gadget
(since we use PCR12 as part of the PCR policies to unseal storage
keys, it is safe). So it is easy to pass the information to enable
handover that way. So I propose we look for the "signal" there and
force handover.
Here is my proposed patch:
https://gist.github.com/valentindavid/7ab6247c8fe0d3a91d089d201e160ba4
[Test plan]
Unfortunately, because of the way the pc-kernel snap is built, we
cannot trivially test changes once they land in -proposed. In order to
test this ahead of time, we applied this patch in a PPA[1], and then
rebuilt the kernel snap in a private PPA such that we could deploy
something testable to the affected customer.
To get a full end-to-end test, we need to release the fix to -updates
first so that a genuine pc-kernel snap can be built and tested by the
customer.
[1] https://launchpad.net/~enr0n/+archive/ubuntu/systemd-stub-force-handover
[Where problems could occur]
This patch adds logic to systemd-stub to obey a magic kernel command
line. It is limited to systemd-stub, which currently is only used in
Ubuntu Core, so this should not have any impact on classic systems
whatsoever.
By default, when the command line option is not set, no behavior
should change. However, if there are problems with the command line
parsing, that would potentially cause problems for Ubuntu Core users.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2088069/+subscriptions
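The "Where problems could occur" section above points at command line parsing as the risk of the proposed change. The following is an added illustration, not the linked gist nor systemd's own code, of how such a "signal" can be matched as a whole kernel parameter rather than a substring, so that an unrelated parameter containing the same text cannot flip the boot method. The token name `systemd-stub.force-handover` and the function names are placeholders chosen here; the real spelling is in the gist and is not quoted in the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical spelling of the "signal" the report proposes to look for
 * on the kernel command line (placeholder, not the gist's actual name). */
#define FORCE_HANDOVER_TOKEN "systemd-stub.force-handover"

/* Split the command line into top-level parameters roughly the way the
 * kernel does: whitespace separates parameters, double quotes protect
 * embedded whitespace. Sets *start to the next parameter and returns its
 * length, or 0 when the input is exhausted. */
static size_t next_param(const char *s, size_t *pos, const char **start) {
    size_t i = *pos;
    while (s[i] == ' ' || s[i] == '\t' || s[i] == '\n') i++;
    if (s[i] == '\0') return 0;
    *start = s + i;
    bool in_quote = false;
    while (s[i] != '\0' &&
           (in_quote || (s[i] != ' ' && s[i] != '\t' && s[i] != '\n'))) {
        if (s[i] == '"') in_quote = !in_quote;
        i++;
    }
    *pos = i;
    return (size_t)(s + i - *start);
}

/* True only when an entire parameter equals token; "token-extra" or a
 * quoted value that merely contains the text does not count. */
bool cmdline_has_flag(const char *cmdline, const char *token) {
    size_t pos = 0, len, tlen = strlen(token);
    const char *p;
    while ((len = next_param(cmdline, &pos, &p)) > 0)
        if (len == tlen && memcmp(p, token, len) == 0) return true;
    return false;
}

typedef enum { BOOT_LOAD_IMAGE, BOOT_HANDOVER } boot_method;

/* Decision as the report describes it: LoadImage/StartImage by default,
 * the handover entry point only when the embedded kernel lacks PE/COFF
 * entry point support or when the flag is explicitly present. Without the
 * flag, nothing changes. */
boot_method choose_boot_method(const char *cmdline, bool kernel_has_pe_entry) {
    if (!kernel_has_pe_entry) return BOOT_HANDOVER;
    if (cmdline_has_flag(cmdline, FORCE_HANDOVER_TOKEN)) return BOOT_HANDOVER;
    return BOOT_LOAD_IMAGE;
}
```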