------- Comment From daniel.axte...@ibm.com 2020-12-17 23:45 EDT------- Squeezing in right before the end of the year! I tested this with my pseries secure boot setup. I built the key from the PPA into grub and signed grub with the testing key which I built into SLOF.
I was then able to boot 5.10.0-9-generic in secure boot mode under P8 KVM. The kernel correctly detected secure boot mode and entered lockdown: [ 0.000000] Secure boot mode enabled [ 0.000000] Kernel is locked down from PowerNV Secure Boot mode; see man kernel_lockdown.7 (The text is a bit of a misnomer, but that's of no consequence.) Lockdown appears to work as expected, I can't open /dev/mem for example. Given LP: #1903288 / BZ 189099, I didn't test kexec. In summary, I don't see anything from booting with secure boot on or off that would prevent you promoting 5.10 for hirsute. Enjoy your end of year break! Kind regards, Daniel -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1904906 Title: 5.10 kernel fails to boot with secure boot disabled Status in The Ubuntu-power-systems project: New Status in linux package in Ubuntu: New Bug description: Canonical requests to test the secure boot for the 5.10 kernel but kernel fails to boot with secure boot disabled. The 5.10 kernel can be found in: https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/bootstrap They can be installed by installing the linux-generic-wip package with this PPA enabled. As usual, they are only signed using a key specific to that PPA. This key can be retrieved from the signing tarballs for the kernels, e.g.: http://ppa.launchpad.net/canonical-kernel- team/bootstrap/ubuntu/dists/hirsute/main/signed/linux-5.10-ppc64el/5.10.0-2.3/signed.tar.gz Our tester installed the 5.10 kernel via aptitude. If booting directly from the bootmenu, it stucks at: "kexec_core: Starting new kernel" If booting recovery kernel for 5.10.0, it proceeds farther and after kexec_core, it failed at: " [ 0.029830] LSM: Security Framework initializing [ 0.029916] Yama: b " Two attempts with a different scenario; running with 5.8 kernel and boot via commandline for 5.10: kexec -l /boot/vmlinux-5.10.0-0-generic --initrd=/boot/initrd.img-5.10.0-0-generic --append="root=UUID=49d000cb-dba2-4d70-809e-38f2b31d0f09 ro quiet splash" kexec -e Both attempts also failed while rebooting, once with the same error as the error from booting with bootmenu; the other failure occurred a lot earlier. Wondering what new CONFIGs and/or features for the 5.10 kernel? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-power-systems/+bug/1904906/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp