Ubuntu
ipxe package

Merge ~paelzer/ubuntu/+source/ipxe:lp-1882671-fix-tpl-on-efi-entry-FOCAL into ubuntu/+source/ipxe:ubuntu/focal-devel

  1. Git
  2. lp:~paelzer/ubuntu/+source/ipxe
  3. lp-1882671-fix-tpl-on-efi-entry-FOCAL
  4. Merge into ubuntu/focal-devel
Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 4fe18a4b9257c32c080e89e876280d41fc599a40
Merged at revision: 4fe18a4b9257c32c080e89e876280d41fc599a40
Proposed branch: ~paelzer/ubuntu/+source/ipxe:lp-1882671-fix-tpl-on-efi-entry-FOCAL
Merge into: ubuntu/+source/ipxe:ubuntu/focal-devel
Diff against target: 198 lines (+104/-26)
6 files modified
debian/changelog (+11/-1)
debian/patches/enable-https.patch (+19/-0)
debian/patches/lp-1882671-efi-Raise-TPL-during-driver-entry-point.patch (+65/-0)
debian/patches/series (+2/-0)
debian/rules (+3/-17)
debian/util/check-rom-sizes (+4/-8)
Reviewer Review Type Date Requested Status
Rafael David Tinoco (community) Approve
Canonical Server packageset reviewers Pending
Canonical Server Pending
Review via email: mp+387531@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4156/+packages

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Tested the new PPA for Focal, working fine fixing the issue.

I have fully unblocked the Groovy ipxe upload, that should migrate soon.

If ok (or only minor changes needed), I'd appreciate if this could be sponsored into focal-unapproved by the reviewer to not loose the week I'm off.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Groovy upload reached -release now.

Revision history for this message
Rafael David Tinoco (rafaeldtinoco) wrote :

+1. All good. Change is the same as the one we've discussed in groovy. Much better for SRU'ing indeed.

review: Approve
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks tagged and uploaded

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index e021aec..20fb879 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,7 +1,17 @@
6+ipxe (1.0.0+git-20190109.133f4c4-0ubuntu3.2) focal; urgency=medium
7+
8+ * Revert the changes of the non released version
9+ 1.0.0+git-20190109.133f4c4-0ubuntu3.1 as there is a less impactful
10+ fix more suited for an SRU.
11+ * d/p/lp-1882671-efi-Raise-TPL-during-driver-entry-point.patch: fix the
12+ formerly avoided efi TPL issues (LP: #1882671)
13+
14+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 16 Jul 2020 16:51:30 +0200
15+
16 ipxe (1.0.0+git-20190109.133f4c4-0ubuntu3.1) focal; urgency=medium
17
18 * only enable https on non EFI roms. This lets EFI/OVMF handle https
19- itself and avoids breakage in TPL manipulations (LP: #1882671)
20+ itself and avoids breakage in TPL manipulations (LP: 1882671)
21 - d/p/enable-https.patch: drop old global way to Enable HTTPS support
22 - d/rules: enable https on non EFI roms.
23 - d/util/check-rom-sizes: fix if size does exactly match
24diff --git a/debian/patches/enable-https.patch b/debian/patches/enable-https.patch
25new file mode 100644
26index 0000000..5309417
27--- /dev/null
28+++ b/debian/patches/enable-https.patch
29@@ -0,0 +1,19 @@
30+Description: enable https
31+Forwarded: no (downstream config option)
32+Author: James Page <james.page@ubuntu.com>
33+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1025239
34+Last-Update: 2012-11-14
35+
36+Index: ipxe-1.0.0+git-20150424.a25a16d/src/config/general.h
37+===================================================================
38+--- ipxe-1.0.0+git-20150424.a25a16d.orig/src/config/general.h
39++++ ipxe-1.0.0+git-20150424.a25a16d/src/config/general.h
40+@@ -52,7 +52,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
41+
42+ #define DOWNLOAD_PROTO_TFTP /* Trivial File Transfer Protocol */
43+ #define DOWNLOAD_PROTO_HTTP /* Hypertext Transfer Protocol */
44+-#undef DOWNLOAD_PROTO_HTTPS /* Secure Hypertext Transfer Protocol */
45++#define DOWNLOAD_PROTO_HTTPS /* Secure Hypertext Transfer Protocol */
46+ #undef DOWNLOAD_PROTO_FTP /* File Transfer Protocol */
47+ #undef DOWNLOAD_PROTO_SLAM /* Scalable Local Area Multicast */
48+ #undef DOWNLOAD_PROTO_NFS /* Network File System Protocol */
49diff --git a/debian/patches/lp-1882671-efi-Raise-TPL-during-driver-entry-point.patch b/debian/patches/lp-1882671-efi-Raise-TPL-during-driver-entry-point.patch
50new file mode 100644
51index 0000000..de507a9
52--- /dev/null
53+++ b/debian/patches/lp-1882671-efi-Raise-TPL-during-driver-entry-point.patch
54@@ -0,0 +1,65 @@
55+From 2ae5d4338661b65c63eb5cb1a96e5b803fe7d620 Mon Sep 17 00:00:00 2001
56+From: Michael Brown <mcb30@ipxe.org>
57+Date: Tue, 30 Jun 2020 16:32:59 +0100
58+Subject: [PATCH] [efi] Raise TPL during driver entry point
59+
60+As per commit c89a446 ("[efi] Run at TPL_CALLBACK to protect against
61+UEFI timers") we expect to run at TPL_CALLBACK almost all of the time.
62+Various code paths rely on this assumption. Code paths that need to
63+temporarily lower the TPL (e.g. for entropy gathering) will restore it
64+to TPL_CALLBACK.
65+
66+The entropy gathering code will be run during DRBG initialisation,
67+which happens during the call to startup(). In the case of iPXE
68+compiled as an EFI application this code will run within the scope of
69+efi_snp_claim() and so will execute at TPL_CALLBACK as expected.
70+
71+In the case of iPXE compiled as an EFI driver the code will
72+incorrectly run at TPL_APPLICATION since there is nothing within the
73+EFI driver entry point that raises (and restores) the TPL. The net
74+effect is that a build that includes the entropy-gathering code
75+(e.g. a build with HTTPS enabled) will return from the driver entry
76+point at TPL_CALLBACK, which causes a system lockup.
77+
78+Fix by raising and restoring the TPL within the EFI driver entry
79+point.
80+
81+Debugged-by: Ignat Korchagin <ignat@cloudflare.com>
82+Signed-off-by: Michael Brown <mcb30@ipxe.org>
83+
84+Origin: backport, https://github.com/ipxe/ipxe/commit/2ae5d4338661b65c63eb5cb1a96e5b803fe7d620
85+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1882671
86+Last-Update: 2020-07-16
87+
88+---
89+ src/interface/efi/efidrvprefix.c | 9 +++++++++
90+ 1 file changed, 9 insertions(+)
91+
92+--- a/src/interface/efi/efidrvprefix.c
93++++ b/src/interface/efi/efidrvprefix.c
94+@@ -34,16 +34,25 @@ FILE_LICENCE ( GPL2_OR_LATER );
95+ */
96+ EFI_STATUS EFIAPI _efidrv_start ( EFI_HANDLE image_handle,
97+ EFI_SYSTEM_TABLE *systab ) {
98++ EFI_BOOT_SERVICES *bs;
99++ EFI_TPL saved_tpl;
100+ EFI_STATUS efirc;
101+
102+ /* Initialise EFI environment */
103+ if ( ( efirc = efi_init ( image_handle, systab ) ) != 0 )
104+ return efirc;
105+
106++ /* Raise TPL */
107++ bs = efi_systab->BootServices;
108++ saved_tpl = bs->RaiseTPL ( TPL_CALLBACK );
109++
110+ /* Initialise iPXE environment */
111+ initialise();
112+ startup();
113+
114++ /* Restore TPL */
115++ bs->RestoreTPL ( saved_tpl );
116++
117+ return 0;
118+ }
119+
120diff --git a/debian/patches/series b/debian/patches/series
121index fd451e8..5b4384d 100644
122--- a/debian/patches/series
123+++ b/debian/patches/series
124@@ -1,4 +1,6 @@
125 0001-rom-change-banner-timeout.diff.patch
126 util-elf2efi-GNU_SOURCE.patch
127+enable-https.patch
128 handle-dhcp-nack.patch
129 0005-strip-802.1Q-VLAN-0-priority-tags.patch
130+lp-1882671-efi-Raise-TPL-during-driver-entry-point.patch
131diff --git a/debian/rules b/debian/rules
132index 9de0eee..22f9a36 100755
133--- a/debian/rules
134+++ b/debian/rules
135@@ -17,29 +17,15 @@ override_dh_auto_configure:
136 # This is _a bit_ hacky, it assumes any rom we build are for qemu. Which
137 # is true at the moment, but maybe it changes at some point.
138 src/bin/%.rom src/bin-x86_64-efi/%.efirom: export CONFIG=qemu
139-# qemu EFI roms are built without HTTPS, EFI does that on its own (and better)
140-src/bin-x86_64-efi/%.efirom: export NOHTTPS=true
141
142 src/bin/% src/bin-x86_64-efi/%:
143- # clean and reconfigure if either NOHTTPS or CONFIG=qemu switches
144- if [ "config:$(CONFIG)nohttps:$(NOHTTPS)" != "$(shell cat debian/last-used-config 2>/dev/null)" ]; then \
145- if [ "$(NOHTTPS)" = "true" ]; then \
146- cp -v debian/config/* src/config/local; \
147- else \
148- echo "#define DOWNLOAD_PROTO_HTTPS" >> src/config/local/general.h; \
149- fi; \
150- $(MAKE) -C src clean; \
151- echo -n "config:$(CONFIG)" > debian/last-used-config; \
152- echo -n "nohttps:$(NOHTTPS)" >> debian/last-used-config; \
153- fi;
154+ [ "$(CONFIG)" = "$(shell cat debian/current-config 2>/dev/null)" ] || $(MAKE) -C src clean
155+ @echo $(CONFIG) > debian/current-config
156 dh_auto_build --sourcedirectory=src -- V=1 NO_WERROR=1 VERSION="$(VERSION)" $(subst src/,,$@)
157
158 src/bin-efi/%.efirom: src/bin/%.rom src/bin-x86_64-efi/%.efirom
159 @[ -d $(dir $@) ] || mkdir $(dir $@)
160 src/util/catrom.pl $^ > $@
161- # efi roms are >256k since Bionic due to https + natural growth
162- # stay at 256k-512k after disabling https in efi via padding
163- src/util/padimg.pl --blksize=524288 --byte=0xff --verbose $@
164
165 src/bin-efi/%.iso: src/bin/%.lkrn src/bin-x86_64-efi/%.efi
166 @[ -d $(dir $@) ] || mkdir $(dir $@)
167@@ -53,7 +39,7 @@ override_dh_install:
168
169 override_dh_auto_clean:
170 $(MAKE) -C src veryclean
171- rm -f debian/last-used-config
172+ rm -f debian/current-config
173 rm -fr src/bin*
174 rm -fr src/config/local/*
175
176diff --git a/debian/util/check-rom-sizes b/debian/util/check-rom-sizes
177index d1333fd..31664d1 100755
178--- a/debian/util/check-rom-sizes
179+++ b/debian/util/check-rom-sizes
180@@ -52,15 +52,11 @@ for rom in "${!roms[@]}"; do
181 done
182 bucket=$((bucket<<1))
183 # being smaller could be ok, but check -eq to warn/break on unexpected size loss as well
184- if [ "${size}" -eq "${roms[$rom]}" ]; then
185- echo "OK: ${rom} is exactly ${size} bytes as expected"
186+ if [ "${bucket}" -eq "${roms[$rom]}" ]; then
187+ echo "OK: ${rom} is ${size} bytes and thereby in bucket ${bucket} which matches ${roms[$rom]}"
188 else
189- if [ "${bucket}" -eq "${roms[$rom]}" ]; then
190- echo "OK: ${rom} is ${size} bytes and thereby in bucket ${bucket} which matches ${roms[$rom]}"
191- else
192- echo "ERROR: ${rom} is ${size} bytes and thereby in bucket ${bucket} which does not match ${roms[$rom]}"
193- rc=1
194- fi
195+ echo "ERROR: ${rom} is ${size} bytes and thereby in bucket ${bucket} which does not match ${roms[$rom]}"
196+ rc=1
197 fi
198 done
199

Subscribers

People subscribed via source and target branches