Bringing 12-year LTS to 32-bit Arm processors as CRA comes into force

With the release of Ubuntu 24.04 LTS (Noble Numbat) and Ubuntu Core 24, Canonical introduced a 12-year Long Term Support commitment for 32-bit Arm® processors, addressing the critical time_t overflow issue, commonly known as the “Year 2038 problem.” These processors, essential for critical IoT devices requiring a smaller DRAM footprint and optimised cache usage, can now benefit from long-term security maintenance – a critical requirement for the European Union’s Cyber Resilience Act (CRA). In this blog, we explore how Canonical introduced 12-year Long Term Support for 32-bit Arm® processors with Ubuntu 24.04 LTS, addressing the Year 2038 Problem and ensuring compliance with the Cyber Resilience Act through Ubuntu Pro.

The Year 2038 problem: a race against time

The Year 2038 problem, caused by the overflow of the time_t value used in many computing systems, poses a significant threat to the reliability of IoT devices. The time_t value represents the date as the number of seconds since the “UNIX epoch”, dating back to January 1, 1970. On 32-bit ARM^® processors, this is stored as a signed 32-bit integer. On January 19, 2038, at 03:14:07 UTC, this number will exceed 2,147,483,647, causing the integer to overflow and wrap around to a negative number. This will result in time values being misinterpreted. Systems that depend on accurate time for encryption keys, one-time passwords (OTP), or time-based access controls could fail, leaving them exposed.

While 2038 may seem distant, it’s crucial to recognize other immediate implications for current devices, especially around cryptography. All cryptographic keys and certificates have expiry dates, and root certificates often have validity periods extending more than a decade into the future. These certificates must be checked to determine whether they have expired. On traditional 32-bit systems, dates beyond 2038 would “wrap around” to the distant past, causing certificates to appear expired. This could potentially break SSL connections, leading to failures in simple HTTPS connections and other critical security functions. An attacker could exploit the overflow to make expired certificates or tokens appear valid, bypassing authentication checks.

CRA implications for 32-bit Arm

With many 32-bit Arm® processors widely used and still in operation, addressing the Year 2038 problem is critical. In light of the European Union’s Cyber Resilience Act (CRA), which aims to enhance the cybersecurity and reliability of digital products, resolving this issue is not just a technical necessity but also a regulatory imperative. Failure to address known issues like the Year 2038 problem could result in non-compliance penalties.

The CRA mandates stronger cybersecurity requirements for device manufacturers, including secure software development practices, mandatory security updates, and robust vulnerability management. One of the key principles is that manufacturers must ensure their products do not contain any known vulnerabilities at the time of market release. Hardware and software made available for sale must meet new EU compliance standards and are required to report critical vulnerabilities in their products.

Developers and manufacturers must proactively update their systems to handle the impending overflow, ensuring compliance with the CRA and maintaining the integrity and security of their products. By addressing the Year 2038 problem today, device manufacturers can prevent future disruptions and align with regulatory requirements, securing the future of existing devices and enabling new developments without legacy concerns.Learn more about the implications of the CRA for device manufacturers with this webinar or read this whitepaper.

How we solved the Year 2038 problem for Ubuntu

Imagine you are an automotive manufacturer using imperial-sized nuts and bolts. Your supplier switches to metric sizes, causing your entire production line to break down until you adjust all fixings and dimensions. This is akin to the time_t transition: adding a new build flag leads to extensive and widespread consequences requiring substantial updates and modifications to ensure the entire system continues functioning correctly and remains stable.This metaphor gives you an idea of the scale this problem was to solve. Canonical expanded the size of the time_t field on 32-bit ARM^® to 64-bits, permitting the largest offset to be 9,223,372,036,854,775,808, and thus the maximum date representable to be so distant as to be meaningless to calculate (as it is on 64-bit architectures). However, while the actual change itself was adding “-D_TIME_BITS=64” to the glibc build flags, the consequences were enormous and required adjusting and updating thousands of libraries and applications simultaneously to maintain consistency and stability. It was not an easy job, but one needed as it reflects commitment towards open source software security.

Bringing a 12-year LTS to 32-bit Arm

Support for the “Year 2038” fix is now available for Ubuntu 24.04 LTS and Ubuntu Core 24. During the free standard support period of these operating systems—five years for Desktop/Server editions and ten years for Core —users will receive security updates. If you require additional support beyond this period, Extended Security Maintenance (ESM) is available as part of Ubuntu Pro, Canonical’s comprehensive subscription for open-source software security, extending support up to a total of 12 years.

If you are using any other Ubuntu version that is not 24.04 LTS, Core 24, or upcoming LTS, please migrate, as the fix for the “Year 2038” issue cannot be backported to previous Ubuntu versions. Our support for 32-bit ARM® will continue with new Ubuntu LTS releases only.As with any other architecture, if you are using 32-bit ARM certified devices, you will benefit from an out-of-the-box experience and updates that are tested in Canonical’s certification lab.

Canonical’s commitment to security

Since 2006, Canonical has been dedicated to providing long-term support for Ubuntu, ensuring stability and security for enterprises worldwide. By extending this commitment to a 12-year LTS for 32-bit Arm® processors in Ubuntu 24.04 LTS and Ubuntu Core 24, we continue to support legacy systems while proactively addressing future challenges like the Year 2038 problem. This enduring dedication allows our customers to focus on innovation and confidence in the reliability and longevity of their infrastructure.

Further reading

• Get open source security from Canonical
• IoT security with Ubuntu Pro for Devices
• Learn about Ubuntu Core