I reviewed opensbi 0.9-1ubuntu3 as checked into hirsute.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability. 

opensbi is firmware for RISC-V-based systems. It executes outside of
operating systems in order to provide services necessary for bootloaders,
hypervisors, etc.

- CVE History:
  - no CVEs in our database
- Build-Depends?
  - gcc-riscv64-linux-gnu, debhelper-compat
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - I didn't see anything useful
- cron jobs?
  - none
- Build logs:
  - clean

- Processes spawned?
  - none
- Memory management?
  - Looked careful
- File IO?
  - none
- Logging?
  - very little, looked fine
- Environment variable usage?
  - none
- Use of privileged functions?
  - not posix privileged functions, but rather privileged CPU instructions
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - only false positives
- Any significant Coverity results?
  - unavailable
- Any significant shellcheck results?
  - nothing important
- Any significant bandit results?
  - none

This is highly complex software, but it's fairly straightforward C, 
programmed carefully. I opened two issues for things I found, but wouldn't
be surprised if they both get closed as not-a-bug.

Security team ACK for promoting opensbi to main with the caveat that we
have no hardware, no way to test our updates without help, and will be in
the position of publishing updates -- or *not* publishing updates -- based
entirely on upstream's recommendations and support.

We will need help from foundations in the event of updates.

https://github.com/riscv/opensbi/issues/201
https://github.com/riscv/opensbi/issues/202

Thanks

** Changed in: opensbi (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Bug watch added: github.com/riscv/opensbi/issues #201
   https://github.com/riscv/opensbi/issues/201

** Bug watch added: github.com/riscv/opensbi/issues #202
   https://github.com/riscv/opensbi/issues/202

** Changed in: opensbi (Ubuntu)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1906668

Title:
  [MIR] opensbi

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opensbi/+bug/1906668/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs