** Description changed:

  SRU Justification:
  ==================
  [Impact]
- * Secure boot of Linux on s390x will no longer be possible
-   with an upcoming IBM zSystems firmware update.
+ * Secure boot of Linux on s390x will no longer be possible
+   with an upcoming IBM zSystems firmware update.

  [Fix]
- * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer"
-   for kinetic and jammy
+ * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer"
+   for kinetic and jammy

- * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch
-   backport for focal
+ * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch
+   backport for focal

  [Test Plan]
- * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is
+ * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is
    required.

- * Ensure that 'Enable Secure Boot for Linux' is marked in case
-   'SCSI Load' is selected at the HMCs Load task and Activation Profile.
+ * Ensure that 'Enable Secure Boot for Linux' is marked in case
+   'SCSI Load' is selected at the HMCs Load task and Activation Profile.

- * Perform an Ubuntu Server installation, either 20.04 or 22.04
-   (latest ISO).
-   It will be a secure boot installation by default in case
-   'Enable Secure Boot for Linux' was marked.
+ * Perform an Ubuntu Server installation, either 20.04 or 22.04
+   (latest ISO).
+   It will be a secure boot installation by default in case
+   'Enable Secure Boot for Linux' was marked.

- * Check sysfs:
-   /sys/firmware/ipl/has_secure
-   '1' indicates hw support for secure boot, otherwise '0'
-   /sys/firmware/ipl/secure
-   '1' indicates that secure IPL was successful, otherwise '0'
+ * Check sysfs:
+   /sys/firmware/ipl/has_secure
+   '1' indicates hw support for secure boot, otherwise '0'
+   /sys/firmware/ipl/secure
+   '1' indicates that secure IPL was successful, otherwise '0'

- * Navigate to the HMC task 'System information'
-   and check the active firmware release.
+ * Navigate to the HMC task 'System information'
+   and check the active firmware release.

- * Ensure that Ubuntu is still bootable in secure-boot mode
-   with the updated firmware active,
-   by for example doing a reboot after the firmware upgrade.
+ * Ensure that Ubuntu is still bootable in secure-boot mode
+   with the updated firmware active,
+   by for example doing a reboot after the firmware upgrade.
+
+ * There is also a way to test the trailer on systems that do not
+   have the updated firmware yet - in this case use the following script:
+   https://launchpadlibrarian.net/633126861/check_sb_trailer.sh

  [Where problems could occur]
- * The 'trailer' might be broken, invalid or in a wrong format
-   and can't be identified or read properly,
-   or may cause issues while compressing/decompressing the kernel.
+ * The 'trailer' might be broken, invalid or in a wrong format
+   and can't be identified or read properly,
+   or may cause issues while compressing/decompressing the kernel.

- * In worst case secure boot might become broken,
-   even on systems that are still on the unpatched firmware level.
+ * In worst case secure boot might become broken,
+   even on systems that are still on the unpatched firmware level.

- * Or secure boot will become broken in general.
+ * Or secure boot will become broken in general.

  [Other Info]
- * The above commit was upstream accepted with v6.1-rc3.
+ * The above commit was upstream accepted with v6.1-rc3.

- * And it got tagged for upstream stable with:
-   "Cc: <sta...@vger.kernel.org> # 5.2+"
+ * And it got tagged for upstream stable with:
+   "Cc: <sta...@vger.kernel.org> # 5.2+"

- * But since this bug is marked as critical, and the patch is relatively
-   short, traceable and s390x-specific, I'll go ahead and submit this
-   patch for Jammy and Focal ahead of upstream stable.
+ * But since this bug is marked as critical, and the patch is relatively
+   short, traceable and s390x-specific, I'll go ahead and submit this
+   patch for Jammy and Focal ahead of upstream stable.

- * Since on focal file 'vmlinux.lds.S' is at a different location
-   'arch/s390/boot/compressed/' instead of 'arch/s390/boot/'
-   and the context is slightly different, the backport is needed.
+ * Since on focal file 'vmlinux.lds.S' is at a different location
+   'arch/s390/boot/compressed/' instead of 'arch/s390/boot/'
+   and the context is slightly different, the backport is needed.

- * It's planned to have kernel 6.2 in lunar (23.04), hence it will have
-   the patch incl. when at the planned target level.
+ * It's planned to have kernel 6.2 in lunar (23.04), hence it will have
+   the patch incl. when at the planned target level.

  __________
  Description: boot: Add secure boot trailer
  Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update.
  Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format.
  Solution: Add the trailing data block to the Linux kernel image.
  Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled.
  Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7
  Preventive: yes
  Date: 2022-10-27
  Author: Peter Oberparleiter <ober...@linux.ibm.com>
  Component: kernel
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1996071

Title:
  [UBUNTU 20.04] boot: Add s390x secure boot trailer

Status in Ubuntu on IBM z Systems:
  In Progress
Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Focal:
  In Progress
Status in linux source package in Jammy:
  In Progress
Status in linux source package in Kinetic:
  In Progress

Bug description:
  SRU Justification:
  ==================
  [Impact]
  * Secure boot of Linux on s390x will no longer be possible
    with an upcoming IBM zSystems firmware update.

  [Fix]
  * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer"
    for kinetic and jammy

  * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch
    backport for focal

  [Test Plan]
  * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is
    required.

  * Ensure that 'Enable Secure Boot for Linux' is marked in case
    'SCSI Load' is selected at the HMC's Load task and Activation Profile.

  * Perform an Ubuntu Server installation, either 20.04 or 22.04
    (latest ISO).
    It will be a secure boot installation by default in case
    'Enable Secure Boot for Linux' was marked.

  * Check sysfs:
    /sys/firmware/ipl/has_secure
    '1' indicates hw support for secure boot, otherwise '0'
    /sys/firmware/ipl/secure
    '1' indicates that secure IPL was successful, otherwise '0'

  * Navigate to the HMC task 'System information'
    and check the active firmware release.

  * Ensure that Ubuntu is still bootable in secure-boot mode
    with the updated firmware active,
    by for example doing a reboot after the firmware upgrade.
  * There is also a way to test the trailer on systems that do not
    have the updated firmware yet - in this case use the following script:
    https://launchpadlibrarian.net/633126861/check_sb_trailer.sh

  [Where problems could occur]
  * The 'trailer' might be broken, invalid or in a wrong format
    and can't be identified or read properly,
    or may cause issues while compressing/decompressing the kernel.

  * In the worst case secure boot might become broken,
    even on systems that are still on the unpatched firmware level.

  * Or secure boot will become broken in general.

  [Other Info]
  * The above commit was upstream accepted with v6.1-rc3.

  * And it got tagged for upstream stable with:
    "Cc: <sta...@vger.kernel.org> # 5.2+"

  * But since this bug is marked as critical, and the patch is relatively
    short, traceable and s390x-specific, I'll go ahead and submit this
    patch for Jammy and Focal ahead of upstream stable.

  * Since on focal the file 'vmlinux.lds.S' is at a different location
    ('arch/s390/boot/compressed/' instead of 'arch/s390/boot/')
    and the context is slightly different, the backport is needed.

  * It's planned to have kernel 6.2 in lunar (23.04), hence it will have
    the patch included when at the planned target level.

  __________
  Description: boot: Add secure boot trailer
  Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update.
  Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format.
  Solution: Add the trailing data block to the Linux kernel image.
  Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled.
  Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7
  Preventive: yes
  Date: 2022-10-27
  Author: Peter Oberparleiter <ober...@linux.ibm.com>
  Component: kernel
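The "Check sysfs" step of the test plan can be scripted so that the result is a single state rather than two flag values read by hand. The following is an added example, written for this page; it is not the check_sb_trailer.sh script linked in the test plan and not part of the bug report or the kernel patch. It reads only the two flag files named in the test plan, /sys/firmware/ipl/has_secure and /sys/firmware/ipl/secure, takes the sysfs directory as an optional argument so the logic can be exercised against a constructed fake tree (the make_fake_ipl_dir helper is an assumption for offline demonstration, not a real system facility), and reports one of four states: secure-ipl, not-secure, unsupported, or unknown when the flags are absent or hold an unexpected value.

```shell
#!/bin/sh
# Added example: report the s390x secure IPL state from the sysfs flags
# named in the test plan. Not the check_sb_trailer.sh script from the bug.

read_flag() {
    # Print the whitespace-stripped content of flag file $1,
    # or the word "missing" if the attribute does not exist.
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'missing'
    fi
}

ipl_secure_state() {
    # $1 = sysfs IPL directory; defaults to the real one on an s390x LPAR.
    dir="${1:-/sys/firmware/ipl}"
    has_secure=$(read_flag "$dir/has_secure")
    secure=$(read_flag "$dir/secure")
    case "$has_secure:$secure" in
        1:1) printf 'secure-ipl\n' ;;   # hw supports secure boot and this IPL was verified
        1:0) printf 'not-secure\n' ;;   # hw supports it, but this boot was not a secure IPL
        0:*) printf 'unsupported\n' ;;  # firmware/hardware without secure boot support
        *)   printf 'unknown\n' ;;      # attributes missing or unexpected values
    esac
}

make_fake_ipl_dir() {
    # Constructed fake sysfs tree for offline demonstration (assumption, not
    # a real facility): $1 = has_secure value, $2 = secure value; prints path.
    d=$(mktemp -d)
    printf '%s\n' "$1" > "$d/has_secure"
    printf '%s\n' "$2" > "$d/secure"
    printf '%s' "$d"
}

# Report the state of the machine this runs on ("unknown" off s390x).
ipl_secure_state
```

On a real z15 or LinuxONE III LPAR run it with no argument; the test plan expects secure-ipl both before and after the firmware update. The "missing" branch matters in practice: an older kernel or a guest without IPL information exposes no has_secure attribute at all, and treating that as "unknown" rather than "0" avoids misreporting a platform limitation as a failed secure IPL.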