Checks for u2mfn kernel module in metapackage #189

@conorsch conorsch commented Aug 26, 2020

Overview

The u2mfn kernel module is required for GUI operations in a VM. It should be built automatically via dkms, but that process can fail. We must report such errors up to the parent apt operation to notify users. The /etc/kernel/postinst.d/dkms hooks are run on installation of the linux-image-* packages, so we don't need an explicit call to dkms autoinstall (which fails silently) in the metapackage postinst.

Since we've observed VMs fail to build the u2mfn.ko dynamically in the past, let's try to recover in that situation, otherwise fail loudly.

Related issues:

Test plan

Reproduce distorted GUI

In order to verify that changes here reliably resolve the garbled terminal problem, you'll need a candidate VM that exhibits the problem. That's easy enough to create:

# Clone an up-to-date SDW TemplateVM, so tests happen in an isolated VM
qvm-clone securedrop-workstation-buster sdw-kernel-test

# Open a terminal for the subsequent commands. Note that the terminal
# works, i.e. is not garbled!
qvm-run sdw-kernel-test gnome-terminal

In the domU terminal:

uname -r # should show '4.14.186-grsec-workstation'
sudo rm -v /usr/lib/modules/$(uname -r)/updates/dkms/u2mfn.ko

Now reboot the VM, and re-run qvm-run sdw-kernel-test gnome-terminal. The graphical window should be garbled, as shown in freedomofpress/securedrop-workstation#590. If it's not, stop testing here!

Confirm resolution via new metapackage

Now we'll attempt to resolve the broken GUI via the new metapackage. Check out the new metapackage build logic locally from this branch, and run in your dev VM (e.g. sd-dev):

# Build the new package
PKG_VERSION=4.14.186+buster2 make securedrop-workstation-grsec
# Copy the new package to your test VM 'sdw-kernel-test'
# You may need to adjust tags or RPC policies in dom0 to allow this,
# e.g. 'qvm-tags sdw-kernel-test del sd-workstation' in dom0
qvm-copy /home/user/debbuild/packaging/securedrop-workstation-grsec_4.14.186+buster2_amd64.deb

Since the graphical terminal is unusable, we'll install the package via cli from dom0:

qvm-run -p sdw-kernel-test 'sudo dpkg -i ./QubesIncoming/sd-dev/securedrop-workstation-grsec_4.14.186+buster2_amd64.deb'
echo $? # should show '0'

You should see dkms output referencing the build. That's good! Reboot the VM again, and re-run gnome-terminal. The graphical display should work correctly. Finally, as a sanity check, run the following in sdw-kernel-test:

uname -r # should show '4.14.186-grsec-workstation', as before
aptitude show securedrop-workstation-grsec | grep Version # should show '4.14.186+buster2' is installed
sudo ls -1 /usr/lib/modules/$(uname -r)/updates/dkms/u2mfn.ko # should display the full path to the module

That's it. If all that works, we should be in a good position to proceed with building the metapackage and placing on apt-test.

@conorsch conorsch force-pushed the grsec-metapackage-no-dkms branch from e70713d to a096e8b Compare August 26, 2020 22:43
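
The check-then-recover behaviour described in the overview, as an added example (not the postinst from this PR): because `dkms autoinstall` can fail silently, the test is whether u2mfn.ko exists for the target kernel, not what dkms returned. The function names and the `MODULES_ROOT` and `DKMS_CMD` overrides are assumptions made so the logic can be exercised outside a package install.

```shell
#!/bin/sh
# Added example, not the securedrop-builder postinst.
# Hypothetical names: MODULES_ROOT, DKMS_CMD, u2mfn_path, u2mfn_present,
# ensure_u2mfn. The module path layout is the one used in the test plan.

MODULES_ROOT="${MODULES_ROOT:-/usr/lib/modules}"
DKMS_CMD="${DKMS_CMD:-dkms}"

# Print the expected location of u2mfn.ko for kernel version $1.
u2mfn_path() {
    printf '%s/%s/updates/dkms/u2mfn.ko\n' "$MODULES_ROOT" "$1"
}

# Succeed only if the module file exists and is non-empty.
u2mfn_present() {
    [ -s "$(u2mfn_path "$1")" ]
}

# Verify the module for kernel $1; try one rebuild, then fail loudly.
ensure_u2mfn() {
    kver="$1"
    if u2mfn_present "$kver"; then
        return 0
    fi
    echo "u2mfn.ko missing for $kver, attempting dkms rebuild" >&2
    # The exit status is ignored on purpose: autoinstall can fail
    # silently, so only the file check below decides the outcome.
    "$DKMS_CMD" autoinstall -k "$kver" >&2 || true
    if u2mfn_present "$kver"; then
        return 0
    fi
    echo "ERROR: u2mfn.ko still missing for $kver" >&2
    return 1
}

# In a postinst, a non-zero exit propagates to the parent apt operation:
#   ensure_u2mfn "4.14.186-grsec-workstation" || exit 1
```

Passing the kernel version explicitly rather than using `uname -r` matters in a postinst, since the kernel being installed is not necessarily the one currently running.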
@eloquence

Reproducing garbled display

Open a terminal for the subsequent commands. Note that the terminal
works, i.e. is not garbled!

Confirmed.

Now reboot the VM, and re-run qvm-run sdw-kernel-test gnome-terminal. The graphical window should be garbled, as shown in freedomofpress/securedrop-workstation#590

Confirmed:
[screenshot: badqubes]

@conorsch

@eloquence Excellent! Thanks for confirming. I've added the rest of the test plan, so I'm going to mark this and related PRs as "Ready for review."

@eloquence

Confirm resolution via new metapackage

You should see dkms output referencing the build.

Confirmed. Output: https://gist.github.com/eloquence/9132c4fb69e5c828c72d13bb10469526

The graphical display should work correctly

Confirmed.

should show '4.14.186-grsec-workstation', as before
should show '4.14.186+buster2' is installed
should display the fullpath to the module

Confirmed. :)

@conorsch

Thanks for sharing the full gist with the installation output. That looks how I'd expect. Will ping at standup tomorrow to see if more folks want to chime in on review, but I'm satisfied with moving forward with posting a package on apt-test.


@rmol rmol left a comment

Looks good to me. Ran through the test plan, everything was as described.

@rmol rmol merged commit 3f33993 into main Aug 27, 2020
@rmol rmol deleted the grsec-metapackage-no-dkms branch August 27, 2020 20:29
conorsch pushed a commit to freedomofpress/build-logs that referenced this pull request Aug 31, 2020
Full version string is 4.14.186+buster2, includes changes from
freedomofpress/securedrop-builder#189
conorsch pushed a commit to freedomofpress/securedrop-apt-test that referenced this pull request Aug 31, 2020
Successfully merging this pull request may close these issues.

Investigate DKMS autoinstall failure behavior
Latest kernel shows problems on some hardware