
Waydroid/binder module not working #112

Open
TaeHagen opened this issue Feb 4, 2024 · 17 comments
Labels
bug (Something isn't working), triage

Comments


TaeHagen commented Feb 4, 2024

Issue Description

I can't use Waydroid at all, setup fails complaining /dev/binderfs/binder-control doesn't exist.

Steps to Reproduce

As far as I can tell, it is caused by using Orchid with IBT enabled (11th gen Intel or newer).

On what version of Vanilla OS does this happen?

Unreleased

Additional Information

Attempting to mount /dev/binderfs crashes with a segfault; dmesg shows a missing endbr instruction. This is a security feature being triggered, caused by the binder module not being compiled with the right options. See https://lwn.net/Articles/889475/

At a glance, it would appear the module should be compiled with -fcf-protection=branch, but I'm not sure how that needs to happen, nor if it's Anbox's issue or an issue with DKMS.
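
The triage described in the post above (IBT-capable CPU, IBT not switched off on the kernel command line, a missing-endbr report in dmesg), as an added example that is not part of the original post or the project's code. It assumes the upstream kernel's `ibt` flag in /proc/cpuinfo, its `ibt=` boot parameter and its "Missing ENDBR:" log wording, none of which are quoted on this page; function names are hypothetical.

```shell
#!/bin/sh
# Added triage helper, not from the issue thread. Each function takes a file
# path so it works on /proc/cpuinfo, /proc/cmdline and a saved `dmesg` log.

# Succeeds if the first "flags" line lists the ibt CPU feature.
cpu_has_ibt() {
    grep -m1 '^flags' "$1" | tr ' \t' '\n\n' | grep -qx 'ibt'
}

# Prints the last ibt= value on the kernel command line, or "default" if unset.
ibt_cmdline_mode() {
    mode=$(tr ' ' '\n' < "$1" | sed -n 's/^ibt=//p' | tail -n 1)
    printf '%s\n' "${mode:-default}"
}

# Prints the location from each "Missing ENDBR" kernel report, deduplicated.
missing_endbr_sites() {
    sed -n 's/.*Missing ENDBR: *//p' "$1" | sort -u
}

# ibt_triage CPUINFO CMDLINE DMESG: prints a one-line verdict.
ibt_triage() {
    # Check the command line first: ibt=off clears the feature, so the
    # cpuinfo flag may be absent as well (assumption about kernel behaviour).
    if [ "$(ibt_cmdline_mode "$2")" = off ]; then
        echo "ibt-disabled-by-cmdline"; return 0
    fi
    if ! cpu_has_ibt "$1"; then
        echo "ibt-not-active"; return 0
    fi
    sites=$(missing_endbr_sites "$3" | tr '\n' ';')
    if [ -n "$sites" ]; then
        echo "ibt-violation: ${sites%;}"
    else
        echo "ibt-active-no-violation"
    fi
}
```

On a live system, call it as `ibt_triage /proc/cpuinfo /proc/cmdline dmesg.txt` after saving `dmesg` output to `dmesg.txt`; an `ibt-violation` verdict names the function and module that lack the landing pad.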

TaeHagen added the bug and triage labels Feb 4, 2024

ghost commented May 11, 2024

This might be a similar issue I'm facing, although I don't have logs: Vanilla-OS/desktop-image#111

Member

axtloss commented May 11, 2024

Make sure that you have secure boot disabled, the module cannot be loaded if it is enabled.

mirkobrombin transferred this issue from Vanilla-OS/desktop-image May 11, 2024
mirkobrombin added this to the 2-stable milestone May 11, 2024
@mirkobrombin
Member

I pushed a fix that checks if secure boot is enabled and then raises the proper error. Let me know if the problem persists once the fix is distributed. Feel free to re-open.

mirkobrombin reopened this May 11, 2024
@mirkobrombin
Member

Re-opening since I now have the same problem on another laptop (with secure boot disabled):
[image]

@TaeHagen
Author

I don't think it has anything to do with secure boot, it's a feature of Intel IBT on 11th gen and later processors. You need to compile the waydroid module with different flags iirc. You can disable IBT via the kernel command line, but that weakens security and isn't a solution.

Member

mks-h commented May 14, 2024

I've applied the fix proposed by @TaeHagen in desktop-image's vso-waydroid-fcf-protection branch.
@mirkobrombin could you try if that solves it for you?

Member

mks-h commented May 14, 2024

> You can disable IBT via the kernel command line, but that weakens security and isn't a solution.

@TaeHagen, I assume it works for you when disabling IBT, right?

@TaeHagen
Author

Honestly haven't tried, based on the error I assumed that would fix it.

Member

mks-h commented May 14, 2024

It would be helpful if you could verify, so that we can know for sure.

Member

mks-h commented May 15, 2024

The proposed fix is included in the new update.

@TaeHagen
Author

I updated to the latest beta version, still getting the same error. Is the fix included in the latest build? How do I know I have the fix?

@kbdharun
Member

> I updated to the latest beta version, still getting the same error. Is the fix included in the latest build? How do I know I have the fix?

Hi, are you in a VM in your installation using the VM image? (Seems like a build for it hasn't been triggered, will do it now.)

@TaeHagen
Author

No, I'm using raw standard hardware (non-NVIDIA).

@mirkobrombin
Member

> I updated to the latest beta version, still getting the same error. Is the fix included in the latest build? How do I know I have the fix?

What's the result of `abroot status`?

@TaeHagen
Author

ABRoot Partitions:
• Present: vos-b ✓
• Future: vos-a

Loaded Configuration: /etc/abroot/abroot.json

Device Specifications:
• CPU: 11th Gen Intel(R) Core(TM) i5-1155G7 @ 2.50GHz
• GPU: [Intel Corporation TigerLake-LP GT2 [Iris Xe Graphics] (rev 03)]
• Memory: 23827 MB

ABImage:
• Digest: sha256:7d3e5bd662a3d22dc27cc93c025d34c021c8d3f6b9f798b9cf068651e6c0cf51
• Timestamp: 2024-05-15 17:36:45
• Image: ghcr.io/vanilla-os/desktop:main

Kernel Arguments: %s quiet splash bgrt_disable $vt_handoff

Packages:
• Added: docker.io
• Removed:
• Unstaged: docker.io
There are 1 unstaged packages. Please run 'abroot pkg apply' to apply them.

Package agreement: true

mirkobrombin modified the milestones: 2-stable, 2-after-stable Jun 3, 2024
@kbdharun
Member

Hi, I am pretty sure this issue is no longer present. I tested the Waydroid implementation a few days ago with Secure Boot disabled on Intel hardware and it works fine. Can you try checking it again?

@TaeHagen
Author

Sorry, I think there's been a misunderstanding. This issue has nothing to do with secure boot. It affects 11th gen and higher Intel chips, regardless of whether secure boot is enabled or not. It is a problem with indirect branch tracking. It has nothing to do with secure boot. IBT can be disabled with a kernel command line argument, but that reduces security.

Thank you!
