This bug is awaiting verification that the linux-nvidia/5.15.0-1011.11 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags removed: verification-done-jammy ** Tags added: kernel-spammed-jammy-linux-nvidia verification-needed-jammy -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Committed Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Committed Status in linux source package in Jammy: Fix Committed Status in linux source package in Kinetic: Fix Committed Bug description: SRU Justification: ================== [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: <sta...@vger.kernel.org> # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __________ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive: yes Date: 2022-10-27 Author: Peter Oberparleiter <ober...@linux.ibm.com> Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
