[SRU] hwrng drivers missing in initrd.img

Bug #1983359 reported by Heinrich Schuchardt
This bug affects 1 person
Affects                    Status         Importance   Assigned to   Milestone
initramfs-tools (Ubuntu)   Fix Released   Undecided    Unassigned
Jammy                      Fix Released   Undecided    Unassigned
Kinetic                    Fix Released   Undecided    Unassigned

Bug Description

[Impact]

The initialization of the entropy buffer of the urandom device is critical for security.

When booting Jammy 22.04.1 on QEMU riscv64 I see the following warnings:

[ 14.654546] random: lvm: uninitialized urandom read (4 bytes read)
[ 15.247995] random: lvm: uninitialized urandom read (2 bytes read)
[ 22.484719] random: lvm: uninitialized urandom read (4 bytes read)
[ 43.161846] random: lvmconfig: uninitialized urandom read (4 bytes read)
[ 48.862281] random: lvm: uninitialized urandom read (4 bytes read)

Module virtio-rng.ko is missing in initrd.img.
Adding virtio_rng to /etc/initramfs-tools/modules avoids the warnings.

Hardware RNG drivers should generally be included in the initrd to provide early entropy.

[Test case]

To reproduce the issue:

Install the prerequisites:
sudo apt-get update
sudo apt-get install opensbi qemu-system-misc u-boot-qemu

Download https://old-releases.ubuntu.com/releases/22.04.1/ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img.xz.

Decompress it with
xz -d ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img.xz

Run it in QEMU with

qemu-system-riscv64 \
-machine virt -nographic -m 2048 -smp 4 \
-bios /usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.bin \
-kernel /usr/lib/u-boot/qemu-riscv64_smode/uboot.elf \
-device virtio-net-device,netdev=eth0 -netdev user,id=eth0 \
-device virtio-rng-pci \
-drive file=ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img,format=raw,if=virtio

You can log into the system with user ubuntu, password ubuntu after seeing the message "Cloud-init v. 22.2-0ubuntu1~22.04.3 finished"

Run
sudo dmesg | grep 'uninitialized urandom'

To test the fix:

Update the initramfs-tools package.

Run 'update-initramfs -k $(uname -r) -u' with MODULES=most (defined in /etc/initramfs-tools/initramfs.conf or in /etc/initramfs-tools/conf.d/*.conf)

Unpack the initrd with 'unmkinitramfs /boot/initrd.img-$(uname -r)'

Check that [main/]lib/modules/$(uname -r)/kernel/drivers/char/hw_random/ exists and contains kernel modules. When running on QEMU the relevant module is virtio-rng.ko.

Reboot and check the kernel log by running
sudo dmesg | grep 'uninitialized urandom'

[Where problems could occur]

Adding more drivers increases the size of the initrd. The larger initrd might not fit onto the boot partition. The total size of hw_random drivers on amd64 is less than 150 KiB so this seems improbable.

[Other Info]

n/a
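
The two checks from the test case above (hw_random modules present in the unpacked initrd, no "uninitialized urandom read" warnings in the kernel log) as one script. This is an added example, not part of the bug report or of initramfs-tools; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example; the function names are hypothetical, not initramfs-tools code.

# Count "uninitialized urandom read" kernel warnings in a saved dmesg file.
count_uninit_reads() {
    grep -c 'random: .*uninitialized urandom read' "$1" || true
}

# List hw_random modules in a tree written by unmkinitramfs; the tree may or
# may not have the main/ prefix, so both locations are searched.
list_hwrng_modules() {
    for root in "$1/main" "$1"; do
        d="$root/lib/modules/$2/kernel/drivers/char/hw_random"
        if [ -d "$d" ]; then find "$d" -type f -name '*.ko*' | sort; fi
    done
}

# Succeeds only if the initrd ships RNG drivers and the boot log is clean.
check_early_entropy() {
    mods=$(list_hwrng_modules "$1" "$2" | grep -c . || true)
    warns=$(count_uninit_reads "$3")
    echo "hw_random modules: $mods, uninitialized urandom reads: $warns"
    [ "$mods" -gt 0 ] && [ "$warns" -eq 0 ]
}

# Constructed sample data: one initrd tree without and one with the drivers.
# The warning lines are from the report's log; the clean log is constructed.
make_sample() {
    s=$(mktemp -d)
    k=5.15.0-1016-generic
    mkdir -p "$s/broken/main/lib/modules/$k/kernel/drivers/char"
    mkdir -p "$s/fixed/main/lib/modules/$k/kernel/drivers/char/hw_random"
    : > "$s/fixed/main/lib/modules/$k/kernel/drivers/char/hw_random/virtio-rng.ko"
    printf '%s\n' \
        '[ 14.654546] random: lvm: uninitialized urandom read (4 bytes read)' \
        '[ 43.161846] random: lvmconfig: uninitialized urandom read (4 bytes read)' \
        > "$s/broken.log"
    printf '%s\n' '[ 1.000000] random: crng init done' > "$s/fixed.log"
    echo "$s"
}

SAMPLE=$(make_sample)
KVER=5.15.0-1016-generic
check_early_entropy "$SAMPLE/broken" "$KVER" "$SAMPLE/broken.log" || echo "broken: FAIL"
check_early_entropy "$SAMPLE/fixed" "$KVER" "$SAMPLE/fixed.log" && echo "fixed: OK"
rm -rf "$SAMPLE"
# On a real system (as root): unmkinitramfs /boot/initrd.img-$(uname -r) /tmp/initrd
# dmesg > /tmp/dmesg.txt; check_early_entropy /tmp/initrd "$(uname -r)" /tmp/dmesg.txt
```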

tags: added: rls-kk-incoming
Heinrich Schuchardt (xypron) wrote :
Changed in initramfs-tools (Ubuntu):
status: New → Confirmed
tags: added: fr-2588
information type: Private Security → Public
Łukasz Zemczak (sil2100) wrote :

Sponsored for kinetic.

Changed in initramfs-tools (Ubuntu):
status: Confirmed → Fix Committed
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "initramfs-tools-0.140ubuntu14..0.140ubuntu15.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package initramfs-tools - 0.140ubuntu16

---------------
initramfs-tools (0.140ubuntu16) kinetic; urgency=medium

  * Add char/hw_random drivers (LP: #1983359)

 -- Heinrich Schuchardt <email address hidden> Tue, 02 Aug 2022 22:54:09 +0200

Changed in initramfs-tools (Ubuntu):
status: Fix Committed → Fix Released
Steve Langasek (vorlon)
tags: removed: rls-kk-incoming
Changed in initramfs-tools (Ubuntu Kinetic):
status: New → Fix Released
description: updated
Steve Langasek (vorlon) wrote :

This needs the bug description completed according to https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template ("Where problems could occur") before it can be sponsored.

Changed in initramfs-tools (Ubuntu Jammy):
status: New → Incomplete
description: updated
description: updated
summary: - hwrng drivers missing in initrd.img
+ [SRU] hwrng drivers missing in initrd.img
Heinrich Schuchardt (xypron) wrote :
Changed in initramfs-tools (Ubuntu Jammy):
assignee: nobody → Heinrich Schuchardt (xypron)
status: Incomplete → Confirmed
assignee: Heinrich Schuchardt (xypron) → nobody
Changed in initramfs-tools (Ubuntu Jammy):
assignee: nobody → Heinrich Schuchardt (xypron)
description: updated
description: updated
Changed in initramfs-tools (Ubuntu Jammy):
assignee: Heinrich Schuchardt (xypron) → nobody
Simon Chopin (schopin)
Changed in initramfs-tools (Ubuntu Jammy):
status: Confirmed → In Progress
Simon Chopin (schopin) wrote :

Hi,

Thanks for addressing Steve's comments, I uploaded the Jammy debdiff, it's now in the SRU queue. I also unsubscribed ubuntu-sponsors, so if by any chance there's a need to revisit this upload do remember to subscribe it again :)

Steve Langasek (vorlon) wrote : Please test proposed package

Hello Heinrich, or anyone else affected,

Accepted initramfs-tools into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/initramfs-tools/0.140ubuntu13.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in initramfs-tools (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Heinrich Schuchardt (xypron) wrote :

I tested the fix on Jammy successfully:

On top of ubuntu-22.04.1-preinstalled-server-riscv64+unmatched.img.xz I installed

initramfs-tools-bin_0.140ubuntu13.2_riscv64.deb
initramfs-tools-core_0.140ubuntu13.2_all.deb
initramfs-tools_0.140ubuntu13.2_all.deb

from jammy-proposed.

The initrd contained
lib/modules/5.15.0-1016-generic/kernel/drivers/char/hw_random/virtio-rng.ko
and other RNG drivers.

The system rebooted without problems.

sudo dmesg | grep 'uninitialized urandom'

returned no record.

tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Andreas Hasenack (ahasenack) wrote :

Thanks for the verification. This looks good to release, except due to a current breakage in jammy's DEP8 reporting[1], I can't easily verify if the autopkgtests are green. I can check the test from initramfs-tools[2] itself pretty easily, but not the DEP8 results of the other tests triggered by this initramfs-tools update.

1. https://irclogs.ubuntu.com/2023/06/29/%23ubuntu-release.html#t17:28
2. https://autopkgtest.ubuntu.com/packages/i/initramfs-tools

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package initramfs-tools - 0.140ubuntu13.2

---------------
initramfs-tools (0.140ubuntu13.2) jammy; urgency=medium

  * Add char/hw_random drivers (LP: #1983359)

 -- Heinrich Schuchardt <email address hidden> Wed, 14 Jun 2023 08:54:33 +0200

Changed in initramfs-tools (Ubuntu Jammy):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for initramfs-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
