[Bug 1904906] Comment bridged from LTC Bugzilla

2021-02-16 Thread bugproxy
--- Comment From daniel.axte...@ibm.com 2021-02-16 20:13 EDT---
I retested this with my pseries secure boot setup. I built the key from the PPA 
into grub and signed grub with the testing key which I built into SLOF.

I was then able to boot 5.11.0-9-generic in secure boot mode and without
secure boot under P8 KVM.

The kernel correctly detected secure boot mode and entered lockdown.

Lockdown appears to work as expected; I can't open /dev/mem, for example.

In summary, I don't see anything from booting with secure boot on or off
that would prevent you promoting 5.11 for hirsute.

Kind regards,
Daniel

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1904906

Title:
  5.10 kernel fails to boot with secure boot disabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1904906/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1904906] Comment bridged from LTC Bugzilla

2020-12-17 Thread bugproxy
--- Comment From daniel.axte...@ibm.com 2020-12-17 23:45 EDT---
Squeezing in right before the end of the year! I tested this with my pseries 
secure boot setup. I built the key from the PPA into grub and signed grub with 
the testing key which I built into SLOF.

I was then able to boot 5.10.0-9-generic in secure boot mode under P8
KVM.

The kernel correctly detected secure boot mode and entered lockdown:

[0.00] Secure boot mode enabled
[0.00] Kernel is locked down from PowerNV Secure Boot mode; see man kernel_lockdown.7

(The text is a bit of a misnomer, but that's of no consequence.)

Lockdown appears to work as expected; I can't open /dev/mem, for example.

Given LP: #1903288 / BZ 189099, I didn't test kexec.

In summary, I don't see anything from booting with secure boot on or off
that would prevent you promoting 5.10 for hirsute.

Enjoy your end of year break!
Kind regards,
Daniel
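
The check described in the message above (secure boot detected in the kernel log, lockdown active), as an added example that is not part of the original thread or the kernel's own tooling. Function names are hypothetical and the sample inputs are constructed from the two log lines quoted above; the "integrity" mode in the sample is an assumption.

```shell
#!/bin/sh
# Added example: cross-check the secure boot line in the kernel log against
# the lockdown LSM state. Function names are hypothetical.

# Print enabled/disabled/unknown from kernel log text on stdin.
secure_boot_state() {
    awk '/Secure boot mode enabled/  { s = "enabled" }
         /Secure boot mode disabled/ { s = "disabled" }
         END { print (s == "" ? "unknown" : s) }'
}

# Print the active mode from the contents of /sys/kernel/security/lockdown.
# The kernel brackets the active entry: "none [integrity] confidentiality".
active_lockdown() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# $1 = kernel log text, $2 = contents of the lockdown file.
# Fails when secure boot is on but lockdown is off or cannot be read.
verify_boot() {
    sb=$(printf '%s\n' "$1" | secure_boot_state)
    mode=$(active_lockdown "$2")
    log_msg=no
    case $1 in *"Kernel is locked down from"*) log_msg=yes ;; esac
    if [ "$sb" = enabled ] && { [ -z "$mode" ] || [ "$mode" = none ]; }; then
        echo "FAIL secure_boot=$sb lockdown=${mode:-unreadable}"
        return 1
    fi
    echo "OK secure_boot=$sb lockdown=${mode:-unreadable} log_msg=$log_msg"
}

# Constructed sample input (not captured from a real system).
SAMPLE_LOG='[    0.000000] Secure boot mode enabled
[    0.000000] Kernel is locked down from PowerNV Secure Boot mode; see man kernel_lockdown.7'
SAMPLE_LOCKDOWN='none [integrity] confidentiality'
verify_boot "$SAMPLE_LOG" "$SAMPLE_LOCKDOWN"
```

On a live system, call it as `verify_boot "$(dmesg)" "$(cat /sys/kernel/security/lockdown)"`; reading the kernel log may need root.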


[Bug 1904906] Comment bridged from LTC Bugzilla

2020-12-14 Thread bugproxy
--- Comment From daniel.axte...@ibm.com 2020-12-14 19:40 EDT---
Hi,

Thanks for your patience.

I tested 5.10.0-8-generic. /boot/config-5.10.0-8-generic contains:
# CONFIG_RCU_SCALE_TEST is not set

It boots fine in a P9 kvm guest, both when loaded by kexec and when
loaded by grub. There is no secure-boot in these tests.

Please let me know if you need anything else.

Kind regards,
Daniel


[Bug 1904906] Comment bridged from LTC Bugzilla

2020-12-10 Thread bugproxy
--- Comment From daniel.axte...@ibm.com 2020-12-10 08:44 EDT---
Hi,

We've had some good progress with debugging upstream:
https://lore.kernel.org/lkml/20201209202732.5896-1-ure...@gmail.com/t/#u
fixes the issue properly.

Would you prefer to take that and leave the config unchanged? It'll
almost certainly end up in stable trees soon anyway...

Kind regards,
Daniel


[Bug 1904906] Comment bridged from LTC Bugzilla

2020-12-01 Thread bugproxy
--- Comment From daniel.axte...@ibm.com 2020-12-01 23:08 EDT---
No worries, let me know if you'd like me to test another spin.

We continue to look into the issue upstream:
https://lore.kernel.org/linuxppc-dev/87eekfh80a@dja-thinkpad.axtens.net/


[Bug 1904906] Comment bridged from LTC Bugzilla

2020-11-25 Thread bugproxy
--- Comment From daniel.axte...@ibm.com 2020-11-25 21:40 EDT---
Ok, so sadly I cannot find a tarball with the patches not already applied, 
which is very frustrating. However, it turns out I don't need that because, as 
it turns out...

Doing an upstream checkout of v5.10-rc4 and building with
config-5.10.0-4-generic also fails to boot under qemu. Previously I
hadn't tested upstream with a Canoni-config, so I thought it was an
ubuntu-specific bug, which clearly it is not. Apologies about that.

It also affects 5.10-rc5 and powerpc/fixes, so I'm trying to get some
eyes on it internally.

Kind regards,
Daniel


[Bug 1904906] Comment bridged from LTC Bugzilla

2020-11-25 Thread bugproxy
--- Comment From daniel.axte...@ibm.com 2020-11-25 06:47 EDT---
Hi,

Thanks, I'll look at the sources tarball, hopefully tomorrow. (I'm in AU, so
no Thanksgiving here!)

Have you tested this on any of your local systems? I can't get it to
work much on P9, even on stock hardware/qemu without any secure-boot
features. Indeed, it even fails on qemu TCG (so you don't actually need
a Power system at all!):

qemu-system-ppc64 -M pseries -m 1G -nographic -vga none -smp 4 -cpu power9 \
    -kernel dbg/usr/lib/debug/boot/vmlinux-5.10.0-4-generic

Actually, the failure matrix is really interesting:

Power8 host + KVM + grub          -> boots
Power9 host bare metal (kexec)    -> fails
Power9 host + KVM + grub          -> fails
Power9 host + KVM + qemu -kernel  -> boots
qemu TCG + power9 cpu             -> fails
qemu TCG + power8 cpu             -> fails

I'm assuming the tarball includes the debian/patches directory, in which
case it should be easy to apply and git bisect.

Kind regards,
Daniel

(IBMers: is there someone outside the security team that we should pull
in? It doesn't seem at all to be a security-related issue.)


[Bug 1904906] Comment bridged from LTC Bugzilla

2020-11-24 Thread bugproxy
--- Comment From daniel.axte...@ibm.com 2020-11-25 00:34 EDT---
Hi,

Looks like it fails to boot on a p9 qemu/kvm guest even out of grub:
hangs trying to bring up SMP. That's probably what we saw in bare-metal
too, the console probably just didn't catch up.

I will continue investigating, but I'm not sure what kernel tree you're
using:
git://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/hirsute
has something based on linux-5.8. What tree are you building from?

Kind regards,
Daniel

Loading Linux 5.10.0-4-generic ...
Loading initial ramdisk ...
OF stdout device is: /vdevice/vty@3000
Preparing to boot Linux version 5.10.0-4-generic (buildd@bos02-ppc64el-008) (gcc (Ubuntu 10.2.0-17ubuntu1) 10.2.0, GNU ld (GNU Binutils for Ubuntu) 2.35.1) #5-Ubuntu SMP Mon Nov 16 09:41:59 UTC 2020 (Ubuntu 5.10.0-4.5-generic 5.10.0-rc4)
Detected machine type: 0101
command line: BOOT_IMAGE=/boot/vmlinux-5.10.0-4-generic root=UUID=19b72275-8385-4e0e-8001-62baacf410e3 ro console=hvc0 earlyprintk xmon=rw
Max number of cores passed to firmware: 2048 (NR_CPUS = 2048)
Calling ibm,client-architecture-support... done
memory layout at init:
memory_limit :  (16 MB aligned)
alloc_bottom : 0657
alloc_top: 1000
alloc_top_hi : 0004
rmo_top  : 1000
ram_top  : 0004
instantiating rtas at 0x0daf... done
prom_hold_cpus: skipped
copying OF device tree...
Building dt strings...
Building dt structure...
Device tree strings 0x0658 -> 0x06580b32
Device tree struct  0x0659 -> 0x065a
Quiescing Open Firmware ...
Booting Linux via __start() @ 0x0200 ...
[0.00] radix-mmu: Page sizes from device-tree:
[0.00] radix-mmu: Page size shift = 12 AP=0x0
[0.00] radix-mmu: Page size shift = 16 AP=0x5
[0.00] radix-mmu: Page size shift = 21 AP=0x1
[0.00] radix-mmu: Page size shift = 30 AP=0x2
[0.00] radix-mmu: Activating Kernel Userspace Execution Prevention
[0.00] radix-mmu: Activating Kernel Userspace Access Prevention
[0.00] radix-mmu: Mapped 0x-0x0200 with 2.00 MiB pages (exec)
[0.00] radix-mmu: Mapped 0x0200-0x0004 with 2.00 MiB pages
[0.00] lpar: Using radix MMU under hypervisor
[0.00] Linux version 5.10.0-4-generic (buildd@bos02-ppc64el-008) (gcc (Ubuntu 10.2.0-17ubuntu1) 10.2.0, GNU ld (GNU Binutils for Ubuntu) 2.35.1) #5-Ubuntu SMP Mon Nov 16 09:41:59 UTC 2020 (Ubuntu 5.10.0-4.5-generic 5.10.0-rc4)
[0.00] Secure boot mode disabled
[0.00] Found initrd at 0xc470:0xc656fbfa
[0.00] Using pSeries machine description
[0.00] printk: bootconsole [udbg0] enabled
[0.00] Partition configured for 24 cpus.
[0.00] CPU maps initialized for 1 thread per core
[0.00] -
[0.00] phys_mem_size = 0x4
[0.00] dcache_bsize  = 0x80
[0.00] icache_bsize  = 0x80
[0.00] cpu_features  = 0x0001c07b8f4f91a7
[0.00]   possible= 0x000ffbfbcf5fb1a7
[0.00]   always  = 0x0003800081a1
[0.00] cpu_user_features = 0xdc0065c2 0xeff0
[0.00] mmu_features  = 0xbc007441
[0.00] firmware_features = 0x0085455a445f
[0.00] vmalloc start = 0xc008
[0.00] IO start  = 0xc00a
[0.00] vmemmap start = 0xc00c
[0.00] -
[0.00] numa:   NODE_DATA [mem 0x3ffd24900-0x3ffd2bfff]
[0.00] rfi-flush: fallback displacement flush available
[0.00] count-cache-flush: flush disabled.
[0.00] link-stack-flush: flush disabled.
[0.00] stf-barrier: eieio barrier available
[0.00] PCI host bridge /pci@8002000  ranges:
[0.00]   IO 0x2000..0x2000 -> 0x
[0.00]  MEM 0x20008000..0x2000 -> 0x8000
[0.00]  MEM 0x2100..0x21ff -> 0x2100
[0.00] PPC64 nvram contains 65536 bytes
[0.00] barrier-nospec: using ORI speculation barrier
[0.00] Zone ranges:
[0.00]   Normal   [mem 0x-0x0003]
[0.00]   Device   empty
[0.00] Movable zone start for each node
[0.00] Early memory node ranges
[0.00]   node   0: [mem 0x-0x0003]
[0.00] Initmem setup node 0 [mem 0x-0x0003]
[0.00] percpu: Embedded 11 pages/cpu s628760 r0 d92136 u720896
[0.00] Built 1 zonelists, mobility grouping on.  Total pages: 261888
[0.00] Policy zone: Normal
[0.00] Kernel command line: 

[Bug 1904906] Comment bridged from LTC Bugzilla

2020-11-23 Thread bugproxy
--- Comment From daniel.axte...@ibm.com 2020-11-24 02:07 EDT---
Hi,

Ok, I have been experimenting with the hirsute kernel: 5.10.0-4-generic
#5-Ubuntu

It boots without issue on a pseries guest with secure boot both on and
off. However, this doesn't exercise booting out of kexec.

Booting on a machine with no OS secure-boot support also fails coming
out of kexec, so something is going wrong with kexec. I will see if this
can be replicated under qemu and try a bisect over the next couple of
days.

In the meantime, here's the log of a boot with `earlyprintk` and
without `quiet`.

Kind regards,
Daniel

[  182.160030] kexec_core: Starting new kernel
[0.00] dt-cpu-ftrs: setup for ISA 3000
[0.00] dt-cpu-ftrs: final cpu/mmu features = 0x0001f86b8f5fb1a7 0x3c007041
[0.00] radix-mmu: Page sizes from device-tree:
[0.00] radix-mmu: Page size shift = 12 AP=0x0
[0.00] radix-mmu: Page size shift = 16 AP=0x5
[0.00] radix-mmu: Page size shift = 21 AP=0x1
[0.00] radix-mmu: Page size shift = 30 AP=0x2
[0.00] radix-mmu: Activating Kernel Userspace Execution Prevention
[0.00] radix-mmu: Activating Kernel Userspace Access Prevention
[0.00] radix-mmu: Mapped 0x-0x4000 with 1.00 GiB pages (exec)
[0.00] radix-mmu: Mapped 0x4000-0x0008 with 1.00 GiB pages
[0.00] radix-mmu: Mapped 0x2000-0x2008 with 1.00 GiB pages
[0.00] radix-mmu: Initializing Radix MMU
[0.00] Linux version 5.10.0-4-generic (buildd@bos02-ppc64el-008) (gcc (Ubuntu 10.2.0-17ubuntu1) 10.2.0, GNU ld (GNU Binutils for Ubuntu) 2.35.1) #5-Ubuntu SMP Mon Nov 16 09:41:59 UTC 2020 (Ubuntu 5.10.0-4.5-generic 5.10.0-rc4)
[0.00] Secure boot mode disabled
[0.00] Found initrd at 0xc490:0xc66f0cf4
[0.00] OPAL: Found memory mapped LPC bus on chip 0
[0.00] Using PowerNV machine description
[0.00] printk: bootconsole [udbg0] enabled
[0.00] CPU maps initialized for 4 threads per core
[0.00] -
[0.00] phys_mem_size = 0x10
[0.00] dcache_bsize  = 0x80
[0.00] icache_bsize  = 0x80
[0.00] cpu_features  = 0x0001f86b8f5fb1a7
[0.00]   possible= 0x000ffbfbcf5fb1a7
[0.00]   always  = 0x0003800081a1
[0.00] cpu_user_features = 0xdc0065c2 0xaef0
[0.00] mmu_features  = 0xbc007441
[0.00] firmware_features = 0x00011000
[0.00] vmalloc start = 0xc008
[0.00] IO start  = 0xc00a
[0.00] vmemmap start = 0xc00c
[0.00] -
[0.00] kvm_cma_reserve: reserving 3276 MiB for global area
[0.00] cma: Reserved 3280 MiB at 0x20072f00
[0.00] numa:   NODE_DATA [mem 0x7ffd44900-0x7ffd4bfff]
[0.00] numa:   NODE_DATA [mem 0x2007ff438900-0x2007ff43]
[0.00] rfi-flush: mttrig type flush available
[0.00] count-cache-flush: flush disabled.
[0.00] link-stack-flush: software flush enabled.
[0.00] stf-barrier: eieio barrier available
[0.00] Initializing IODA2 PHB (/pciex@600c3c000)
[0.00] PCI host bridge /pciex@600c3c000 (primary) ranges:
[0.00]  MEM 0x000600c0..0x000600c07ffe -> 0x8000
[0.00] ioremap() called early from pnv_pci_init_ioda_phb+0x360/0x968. Use early_ioremap() instead
[0.00]  MEM 0x0006..0x0006003f -> 0x0006 (M64 #1..31)
[0.00]  Using M64 #31 as default window
[0.00]   512 (511) PE's M32: 0x8000 [segment=0x40]
[0.00]  M64: 0x40 [segment=0x2000]
[0.00]   Allocated bitmap for 4088 MSIs (base IRQ 0xfe000)
[0.00] Initializing IODA2 PHB (/pciex@600c3c010)
[0.00] PCI host bridge /pciex@600c3c010  ranges:
[0.00]  MEM 0x000600c08000..0x000600c0fffe -> 0x8000
[0.00] ioremap() called early from pnv_pci_init_ioda_phb+0x360/0x968. Use early_ioremap() instead
[0.00]  MEM 0x00060040..0x0006007f -> 0x00060040 (M64 #1..15)
[0.00]  Using M64 #15 as default window
[0.00]   256 (255) PE's M32: 0x8000 [segment=0x80]
[0.00]  M64: 0x40 [segment=0x4000]
[0.00]   Allocated bitmap for 2040 MSIs (base IRQ 0xfd800)
[0.00] Initializing IODA2 PHB (/pciex@600c3c020)
[0.00] PCI host bridge /pciex@600c3c020  ranges:
[0.00]  MEM 0x000600c1..0x000600c17ffe -> 0x8000
[0.00] ioremap() called early from pnv_pci_init_ioda_phb+0x360/0x968. Use early_ioremap() instead
[0.00]  MEM