initramfs unpacking failed: invalid magic at start of compressed image

[williamcroberts]

initramfs unpacking failed: invalid magic at start of compressed image, see below image:

[williamcroberts]

I followed the steps on the README (https://github.com/intel/ccc-linux-guest-hardening#readme) and did a make deploy and the rebooted.

[Wenzel]

Hello @williamcroberts ! I fell like this is an issue related to an unsupported compression algorithm used by the initramfs.

[williamcroberts]

Hello @williamcroberts ! I fell like this is an issue related to an unsupported compression algorithm used by the initramfs.

Why does make deploy pick a bad initramfs algorithm?

[williamcroberts]

Ok So it re-uses the existing initramfs, I thought it was generating a new one. So if the initramfs is ahead of the kernel, boom.

[il-steffen]

On debian/ubuntu the image is generated by initramfs-tools helpers. We don't do the full deploy with kernel install very often but it may be related to recent updates in Ubuntu or using a "too new" distro version.

You can change the default compression algo in /etc/initramfs-tools/

[williamcroberts]

So the workaround for others is to verify the compression algorithm in /etc/initramfs-tools/initramfs.conf (at least in ubuntu-22.04) and check the algorithm used for the COMPRESS variable. Mine was on zstd, changing it to lz4 and rebuilding the initramfs via sudo update-initramfs -c -k all and re-deploying.

[tz0]

I tried a fresh install using make deploy on a local machine and can boot into the SDV emulation kernel. My compression is xz.

[williamcroberts]

Ok I was able to boot the environment, I did the following:

1. Did a fresh install of Ubuntu 22.04
2. Updated my init-ramfs compression algorithm from zstd to lz4
3. did the make deploy
4. rebooted

As a side note, many of the apps don't work as it complains about cgroup operation not being supported. Probably a mismatch between userspace and kernel version.

[williamcroberts]

Following the instructions here:

• https://askubuntu.com/questions/1369947/after-ubuntu-21-10-upgrade-cannot-attach-cgroup-program-operation-not-permitt

and adding systemd.unified_cgroup_hierarchy=0 to my kernel cmd line by following the instructions here:

• https://wiki.ubuntu.com/Kernel/KernelBootParameters worked and now browsers like Firefox launch.

[ereshetova]

I think we need a doc update to highlight this problem. I have run into the same on my machine.

[ereshetova]

So the steps to fix this (minimal set):

1. Edit /etc/initramfs-tools/initramfs.conf to change the algorithm from zstd to lz4
2. Rebuild the initramfs as 'sudo update-initramfs -c -k all'
3. Reboot

Nothing else is needed, you should be able to boot to the kafl kernel sucessfully.

@tz0 could you please make a quick PR with the above instructions for workarounds to the docs? I have verified that the previous sequence works on my ubuntu 22 LTS

[williamcroberts]

The other thing is, where does this host kernel come from? Can we enable ztsd support in it?

[Wenzel]

@williamcroberts this host kernel comes from our kafl.linux releases

ZSTD compression is only supported starting with kernels 5.8 or newer. (our latest SDV enabled kAFL kernel for TDX is 5.6)

the mainline kAFL already supports kernel 5.10.73, and will soon release a 6.0.0 kernel as well.

Can we enable ztsd support in it?

It will be enabled by default, as long as you use a 5.8+ kernel

We can of course document this. And to fix this issue permanently, we have to upgrade our SDV enabled kernel to 5.10.73, or even 6.0.0 https://github.com/intel/ccc-linux-guest-hardening/blob/master/deploy/roles/bkc/meta/main.yml#L10

[il-steffen]

This is what Daniel + Pawan were working on, to lift the "SDV" host kernel to 6.x.

[tz0]

So the steps to fix this (minimal set):

1. Edit /etc/initramfs-tools/initramfs.conf to change the algorithm from zstd to lz4
2. Rebuild the initramfs as 'sudo update-initramfs -c -k all'
3. Reboot

Nothing else is needed, you should be able to boot to the kafl kernel sucessfully.

@tz0 could you please make a quick PR with the above instructions for workarounds to the docs? I have verified that the previous sequence works on my ubuntu 22 LTS

Yes. Updated the README.md for the above. PR#94

[ereshetova]

I merged the above PR. Now can close the issue.