FS#63698 - [systemd] systemd-boot messages

Attached to Project: Arch Linux
Opened by Ronan Pigott (Brocellous) - Monday, 09 September 2019, 05:20 GMT
Last edited by freswa (frederik) - Saturday, 22 February 2020, 16:17 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 18
Private No

Details

Description: systemd-boot now has two new messages for me when I boot any OS.

"SHA256 validated" and
"Failed to acquire RNG protocol: Not Found"

They appear one per line in the top left-hand corner of my display after selecting a kernel and remain until they are overwritten.
The boot seems to work fine after that.

Both messages are from the same source file.

"SHA256 validated" appears to be some kind of self-test:
https://github.com/systemd/systemd-stable/blob/64d0f7042dfbaa306e16996d2fbb331ee7d59dc8/src/boot/efi/random-seed.c#L170
There's a macro to disable it but I suppose it's not set for Arch's build. Perhaps it should be?

"Failed to acquire RNG protocol: Not Found" is something else related to the new systemd-boot random-seed stuff I suppose.
Not sure what causes the error or how to fix it, though it doesn't seem to negatively impact the boot, not noticeably anyway.
I tried running the new `bootctl random-seed` command, which succeeds, but the message remains on subsequent boots.

Additional info:
* package version(s): systemd 243.0-1
* link to upstream bug report: Someone seems to have reported the same behavior upstream recently: https://github.com/systemd/systemd/issues/13503

Example loader.conf entry that exhibits the messages:
```
title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options root=LABEL=Arch rw
options quiet mitigations=off acpi_rev_override=1
```
though the messages are present regardless of the entry selected for me.

Hardware info that may turn out to be relevant:
/sys/class/dmi/id/sys_vendor: Dell Inc.
/sys/class/dmi/id/product_name: XPS 15 9560
/sys/class/dmi/id/bios_version: 1.16.0

Closed by  freswa (frederik)
Saturday, 22 February 2020, 16:17 GMT
Reason for closing:  Fixed
Additional comments about closing:  https://github.com/systemd/systemd/pull/13510#event-2758825938
Comment by Michel Koss (MichelKoss1) - Monday, 09 September 2019, 10:24 GMT
"There's a macro to disable it but I suppose its not set for arch's build. Perhaps it should be?"

No it shouldn't. It just shows everything is ok.
Comment by loqs (loqs) - Monday, 09 September 2019, 10:34 GMT
Comment by Armand (Kewl) - Monday, 09 September 2019, 15:47 GMT
You can add the line `random-seed-mode off` to `loader.conf` to avoid the issue.
Comment by loqs (loqs) - Monday, 09 September 2019, 16:24 GMT
@Kewl disabling the random seed, which ensures that the kernel RNG is fully seeded, because of an informational message seems an overreaction to me.
Comment by Jonas Witschel (diabonas) - Tuesday, 10 September 2019, 08:46 GMT
To clarify, you can suppress "Failed to acquire RNG protocol" with random-seed-mode, but not "SHA256 validated", see https://github.com/systemd/systemd/issues/13503#issuecomment-529836979. There is https://github.com/systemd/systemd/pull/13510 which if accepted will remove the latter message.
Comment by Ronan Pigott (Brocellous) - Tuesday, 10 September 2019, 23:23 GMT
@diabonas I don't think users should set random-seed-mode off, as it seems sd-boot still manages to do some useful work initializing the kernel RNG, even if it can't get anything from the EFI. I just want to boot silently, and have systemd-boot make its best effort attempt I guess. Though it would be nice if the EFI RNG stuff could be fixed.
Comment by Jay Gatsby (JayGatsbyBugs) - Wednesday, 11 September 2019, 02:09 GMT
Found something online to suggest that logic for accessing EFI RNG (random number generator) protocol was introduced in UEFI 2.4. Is it possible that this "Failed to acquire RNG protocol: Not Found" is only impacting folks with older firmware for UEFI?
Comment by Ronan Pigott (Brocellous) - Wednesday, 11 September 2019, 02:31 GMT
bootctl indicates for me that my UEFI is 2.40, so not in my case I don't think.

```
System:
Firmware: UEFI 2.40 (American Megatrends 5.11)
Secure Boot: disabled
Setup Mode: user
```
Comment by Doug T (neobim) - Wednesday, 11 September 2019, 03:02 GMT
Judging from the code, this should be stripped out in optimized builds: "#ifndef __OPTIMIZE__"... Is the Arch build not optimized? Perhaps it's missing a certain compile flag?
Comment by Ronan Pigott (Brocellous) - Wednesday, 11 September 2019, 03:40 GMT
@neobim

No, I was mistaken. systemd-boot is always built -O0. https://github.com/systemd/systemd-stable/blob/64d0f7042dfbaa306e16996d2fbb331ee7d59dc8/src/boot/efi/meson.build#L116

As @diabonas points out, there is now a PR upstream to remove the SHA256 verified message.
Comment by christian (damachine) - Thursday, 12 September 2019, 15:09 GMT
I have noticed this bug too.
Comment by Tolga Cakir (tolga9009) - Tuesday, 24 September 2019, 22:15 GMT
I have UEFI 2.31 and am also getting both messages during silent boot, "SHA256 validated" and the RNG one.

I have temporarily set random-seed-mode to off until this is fixed upstream, but have found no temporary solution for the SHA256 message. The upstream developers seem to agree with us (https://github.com/systemd/systemd/issues/13503#issuecomment-531548064):

"neither message should be visible during boot. The RNG one should just go. And the other one should go in optimized builds."

In the meantime PR #13510 (https://github.com/systemd/systemd/pull/13510) received a few more commits, which remove the "SHA256 validated" message as well.
Comment by Jeremy (loserMcloser) - Sunday, 29 September 2019, 14:59 GMT
The RNG protocol message disappeared for me after updating my bios.
Comment by Juan Simón (j1simon) - Thursday, 03 October 2019, 20:28 GMT
I have the same "problem". My BIOS info:

```
System:
Firmware: UEFI 2.50 (American Megatrends 5.12)
Secure Boot: disabled
Setup Mode: setup

Current Boot Loader:
Product: systemd-boot 243.51-1-arch
Features: ✓ Boot counting
          ✓ Menu timeout control
          ✓ One-shot menu timeout control
          ✓ Default entry control
          ✓ One-shot entry control
          ✓ Support for XBOOTLDR partition
          ✓ Support for passing random seed to OS
ESP: /dev/disk/by-partuuid/ee9927e1-d312-5543-a450-fa9ebff5dbd4
File: └─/EFI/BOOT/BOOTX64.EFI

Random Seed:
Passed to OS: yes
System Token: set
Exists: yes
```

According to bootctl it has "Support for passing random seed to OS", so I don't understand the warning message.
--------------------------------------------------------------------------

This document (https://systemd.io/RANDOM_SEEDS#linux-kernel-entropy-pool) explains this subject in depth and in the section about "hardware random number generators (hwrng)" explains:

All recent Intel and AMD CPUs provide the CPU opcode RDRAND to acquire random bytes. Linux includes random bytes generated this way in its entropy pool, but didn’t use to credit entropy for it (i.e. data from this source wasn’t considered good enough to consider the entropy pool properly filled even though it was used). This has changed recently however, and most big distributions have turned on the CONFIG_RANDOM_TRUST_CPU=y kernel compile time option. This means systems with CPUs supporting this opcode will be able to very quickly reach the “pool filled” state.

But Arch Linux kernel has "CONFIG_RANDOM_TRUST_CPU is not set". Wouldn't it be a good idea to activate this option?


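As an added example, not taken from the reporters or from the systemd project, the POSIX shell snippet below parses the kind of `bootctl status` output quoted in this thread to answer the two questions raised above: whether the firmware reports a UEFI revision of at least 2.4 (the revision the thread names as the one that introduced the EFI RNG protocol), and whether the loader reports the random seed as passed to the OS. The `bootctl` text embedded in `SAMPLE_STATUS` is constructed sample data; pipe the real `bootctl status` output into `report` to check your own machine.

```shell
#!/bin/sh
# Added example for this thread: inspect bootctl status text for the UEFI
# revision and the random-seed hand-off. SAMPLE_STATUS is constructed sample
# text, not any reporter's real output; replace it with `bootctl status`.
SAMPLE_STATUS='System:
     Firmware: UEFI 2.40 (American Megatrends 5.11)
  Secure Boot: disabled

Current Boot Loader:
      Product: systemd-boot 243.51-1-arch
     Features: ✓ Boot counting
               ✓ Support for passing random seed to OS

Random Seed:
 Passed to OS: yes
       Exists: yes'

# Print the UEFI revision (e.g. "2.40") from bootctl status text on stdin.
uefi_version() {
    sed -n 's/^[[:space:]]*Firmware: UEFI \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed if revision $1 is at least 2.4, the release the thread cites as the
# one that introduced the RNG protocol sd-boot opens; "2.4" equals "2.40".
uefi_at_least_2_4() {
    major=${1%%.*}
    minor=${1#*.}
    [ "$minor" = "$1" ] && minor=0              # no dot in the string
    minor=$(printf '%s0' "$minor" | cut -c1-2)  # "4" -> "40", "31" -> "31"
    [ "$((major * 100 + ${minor#0}))" -ge 240 ]
}

# Succeed if the loader reports the random seed as passed to the OS.
seed_passed_to_os() {
    grep -q '^[[:space:]]*Passed to OS: yes'
}

# One-line summary of both checks for the bootctl text read on stdin.
report() {
    text=$(cat)
    ver=$(printf '%s\n' "$text" | uefi_version)
    uefi_at_least_2_4 "$ver" && rng="may offer RNG protocol" || rng="predates RNG protocol (2.4)"
    printf '%s\n' "$text" | seed_passed_to_os && seed=yes || seed=no
    echo "firmware UEFI $ver: $rng; seed passed to OS: $seed"
}

printf '%s\n' "$SAMPLE_STATUS" | report
```

A firmware at or above 2.4 can still omit the RNG protocol, as the reporter's 2.40 machine shows, so the version check only tells you whether the message is expected rather than surprising.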
Comment by Michel Koss (MichelKoss1) - Friday, 04 October 2019, 19:27 GMT
@j1simon Arch rejected enabling that option and it has nothing to do with this ticket. "Failed to acquire RNG protocol: Not Found" is related to BIOS/UEFI capabilities.
Comment by Jeremy Audet (ichimonji10) - Thursday, 17 October 2019, 16:42 GMT
As per https://github.com/systemd/systemd/issues/13503#issuecomment-531548064, it looks like both messages will be suppressed in future versions of systemd. But FWIW, I get both messages on a system with a reasonably up-to-date UEFI firmware (I updated it about a week ago):

```
System:
Firmware: UEFI 2.40 (American Megatrends 5.11)
Secure Boot: disabled
Setup Mode: user

Current Boot Loader:
Product: systemd-boot 243.51-1-arch
Features: ✓ Boot counting
✓ Menu timeout control
✓ One-shot menu timeout control
✓ Default entry control
✓ One-shot entry control
✓ Support for XBOOTLDR partition
✓ Support for passing random seed to OS
ESP: /dev/disk/by-partuuid/91856fb6-a909-4181-bf8d-a2a999b74b86
File: └─/EFI/systemd/systemd-bootx64.efi

Random Seed:
Passed to OS: yes
System Token: set
Exists: yes

[snip!]
```
Comment by Michel Koss (MichelKoss1) - Thursday, 31 October 2019, 17:31 GMT
This is now fixed in upstream master branch: https://github.com/systemd/systemd/pull/13510#event-2758825938
