[MIR] opensbi
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
opensbi (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
Availability:
in universe
Rationale:
opensbi is a bootloader/firmware component for riscv64. It is used by qemu-system-riscv64 to load uboot-qemu firmware which then can load kernel/initrd of a cloud-image to boot it.
It is also used as a build-dependency by u-boot, to create combined uboot-spl (secondary program loader) image. Such a combind image of opensbi+uboot+dtb can be used to create selfcontained bootable firmware on an sd-card, to allow booting SiFive HiFive Boards.
Quality assurance:
The package simply provides a static datafile. It's upto qemu & u-boot to consume it, which they do. The paths and features it provides are fairly well defined with SBI specifications with uboot and kernel adhere to.
Dependencies:
It is effectively freestanding ELF object without dependencies. Hence it is packaged as arch:all package.
Standards compliance:
Packages files in multiarch locations for the supported platforms.
Maintenance:
In sync with Debian, to be maintained by Foundations, foundations-bugs subscribed.
Background information:
Example usage with cloud-image is documented at https:/
How it is used by u-boot can be seen in this diff http://
Security checks
https:/
The code however runs in M-mode to interface with S-mode & HS-modes, thus this is highly privileged code used as firmware.
No executables or shared libraries or daemons shipped. Does not open ports.
Changed in opensbi (Ubuntu): | |
status: | Incomplete → Confirmed |
Changed in opensbi (Ubuntu): | |
status: | Confirmed → New |
Changed in opensbi (Ubuntu): | |
assignee: | nobody → Christian Ehrhardt (paelzer) |
[Summary]
MIR Team nack until the unbundling of libfdt was checked and either done
or reasonably explained why it is undoable + a security ack on the exception
to do so.
Furthermore I'd strongly recommend to add an autopkgtest for it before we
promote it.
Report back here once those are resolved, to get an MIR-Ack and passing it
along to the security team then. Setting the state abck to invalid to reflect
that the action is on the reporter.
Notes:
- if it can't work against libfdt1 from the archive we will need security
to consider if this is ok as a special case or a no-go.
Required TODOs:
- embedded libfdt is outdated and well, embedded. Please build and link
against the libfdt1 / libfdt-dev that is in main.
Recommended TODOs:
- Self-tests are essentially non-existent. I'd be slightly scared of breakage
even due to other components or by the toolchain used on build.
Could we add a autopkgtest that uses this to boot a minimal riscv system?
[Duplication]
OK:
There is no other package in main providing the same functionality.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
[Embedded sources and static linking]
OK:
- no static linking in the usual sense. As outlined when filing the result
are elf object without runtime dependencies to load on boot.
The one problem in this is libfdt (see below)
Problems: tree-compiler
- embedded source present - libfdt
This contains, builds and uses a contained libfdt
This package exists in the archive and in main
libfdt1 | 1.5.1-1 | focal
libfdt1 | 1.6.0-1 | groovy
libfdt1 | 1.6.0-1 | hirsute
The bundled code is outdated (on 1.5.1 atm).
Due to being a static link anyway - after a fix of src:device-
that provided libfdt a rebuild of src:opensbi would be needed anyway.
But we won't know if fixed are monitored the same way and/or applicable
to the bundled code.
The code itself is rather stable, no public API change since 1.2.
Please try if this can build and (static) link with the in-distro
libfdt. If we can't it is up to security to decide if that is ok or a problem
that should be blocked on.
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
Problems:
- as outlined by the reporter this runs in the highes possible privilege
mode. Combined with the issues around libfdt I'd recommend security having
a look.
[Common blockers]
OK:
- does not FTBFS currently
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- not a python/go package, no extra constraints to consider int hat regard
- no new python2 dependency
Problems:
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest
Since Risc is emulated anyway this should wor...