[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
** Changed in: ubuntu-z-systems Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
This bug was fixed in the package qemu - 1:2.11+dfsg-1ubuntu7.17 --- qemu (1:2.11+dfsg-1ubuntu7.17) bionic; urgency=medium * {Ice,Cascade}Lake IA32_ARCH_CAPABILITIES support (LP: 1828495) Needed patch is in d/p/u/lp1828495-: - 0017-target-i386-add-MDS-NO-feature.patch: target/i386: add MDS-NO feature qemu (1:2.11+dfsg-1ubuntu7.16) bionic; urgency=medium [ Christian Ehrhardt ] * d/p/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch: tolerate guests with secure boot loaders (LP: #1830243) [ Rafael David Tinoco ] * {Ice,Cascade}Lake CPUs + IA32_ARCH_CAPABILITIES support (LP: #1828495) Needed patches are in d/p/u/lp1828495-: - 0001-guidance-cpu-models.patch: docs: add guidance on configuring CPU models for x86 + d/qemu-system-common.install: include man/man7/qemu-cpu-models.7 - 0002-msr-new-msr-indices.patch: i386: Add new MSR indices for IA32_PRED_CMD and IA32_ARCH_CAPABILITIES - 0003-cpuid-feature-ia32-arch-capabilities.patch: i386: Add CPUID bit and feature words for IA32_ARCH_CAPABILITIES MSR - 0004-cpuid-bit-for-wbnoinvd.patch: i386: Add CPUID bit for WBNOINVD - 0005-new-cpu-model-for-icelake.patch: i386: Add new CPU model Icelake-{Server,Client} - 0006-update-headers-to-4.16-rc5.patch: update Linux headers to 4.16-rc5 - 0007-kvm-get-msr-feature-index_list.patch: kvm: Add support to KVM_GET_MSR_FEATURE_INDEX_LIST and - 0008-x86-msr-related-data-structure-changes.patch: x86: Data structure changes to support MSR based features - 0009-feature-wordS-arch-capabilities.patch: x86: define a new MSR based feature word -- FEATURE_WORDS_ARCH - 0010-use-kvm-get-msr-index-list.patch: kvm: Use KVM_GET_MSR_INDEX_LIST for MSR_IA32_ARCH_CAPABILITIES support - 0011-disable-arch-cap-when-no-msr.patch: i386: kvm: Disable arch_capabilities if MSR can't be set - 0012-arch-capabilities-migratable.patch: i386: Make arch_capabilities migratable - 0013-cascadelake-server.patch: i386: Add new model of Cascadelake-Server - 0014-remove-cpuid-pconfig.patch: i386: remove the new CPUID 'PCONFIG' from Icelake-Server CPU model - 0015-remove-cpuid-intel_pt.patch: i386: remove the 'INTEL_PT' CPUID bit from named CPU models - 0016-no-ospke-on-some.patch: i386: Disable OSPKE on CPU model definitions -- Rafael David Tinoco Mon, 05 Aug 2019 19:12:08 + ** Changed in: qemu (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
This bug was fixed in the package qemu - 1:3.1+dfsg-2ubuntu3.3 --- qemu (1:3.1+dfsg-2ubuntu3.3) disco; urgency=medium [ Christian Ehrhardt ] * d/p/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch: tolerate guests with secure boot loaders (LP: #1830243) [ Rafael David Tinoco ] * {Ice,Cascade}Lake CPUs IA32_ARCH_CAPABILITIES support (LP: #1828495) Needed patches are in d/p/u/lp1828495-: - 0011-disable-arch-cap-when-no-msr.patch (LP: #1828495): i386: kvm: Disable arch_capabilities if MSR can't be set - 0012-arch-capabilities-migratable.patch (LP: #1828495): i386: Make arch_capabilities migratable - 0014-remove-cpuid-pconfig.patch i386: remove the new CPUID 'PCONFIG' from Icelake-Server CPU model - 0015-remove-cpuid-intel_pt.patch i386: remove the 'INTEL_PT' CPUID bit from named CPU models - 0016-no-ospke-on-some.patch (LP: #1828495): i386: Disable OSPKE on CPU model definitions -- Christian Ehrhardt Thu, 04 Jul 2019 14:47:56 +0200 ** Changed in: qemu (Ubuntu Disco) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
Just checked on s1lp05 - this one still works as before (as expected as we didn't change it in this fixup upload). ** Tags removed: verification-needed verification-needed-bionic ** Tags added: verification-done verification-done-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
Hello bugproxy, or anyone else affected, Accepted qemu into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qemu/1:2.11+dfsg- 1ubuntu7.17 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Tags removed: verification-done verification-done-bionic ** Tags added: verification-needed verification-needed-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
This bug was fixed in the package qemu - 1:2.5+dfsg-5ubuntu10.41 --- qemu (1:2.5+dfsg-5ubuntu10.41) xenial; urgency=medium * d/p/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch: tolerate guests with secure boot loaders (LP: #1830243) -- Christian Ehrhardt Thu, 04 Jul 2019 14:47:56 +0200 ** Changed in: qemu (Ubuntu Xenial) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
1. Installed an Eoan guest on Xenial/Bionic/Disco hosts In the Guest 2. set secure = 1 in /etc/zipl.conf 3. unfortunately xnox refreshed his PPA and it has no pre-signed kernel anymore :-/ I tried to follow https://ubuntu.com/blog/how-to-sign-things-for-secure-boot in various ways, but I assume things are just different for s390x here. After a while I found this old build [1] of which I used [2] Install that and drop the ramdisk line change: image = /boot/vmlinuz-5.2.0-1-generic remove: ramdisk = /boot/initrd.img 4. run zipl verbosely, which should have: Adding IPL section 'ubuntu' (default) signature for.: /lib/s390-tools/stage3.bin kernel image..: /boot/vmlinuz-5.2.0-1-generic signature for.: /boot/vmlinuz-5.2.0-1-generic 5. shut down guest 6. back in the Host, start the guest (fails without the update). Check the console - the error messages differ per version: Xenial: $ virsh start --console test-secureboot-x Domain test-secureboot-x started Connected to domain test-secureboot-x Escape character is ^] .. ! No EXEC entry ! Bionic: Domain test-secureboot-b started error: The domain is not running Disco: seems to work but complains about validations 7. Upgrade to proposed and check again. qemu-system-s390x/disco-proposed 1:3.1+dfsg-2ubuntu3.3 s390x [upgradable from: 1:3.1+dfsg-2ubuntu3.2] qemu-kvm/bionic-proposed 1:2.11+dfsg-1ubuntu7.16 s390x [upgradable from: 1:2.11+dfsg-1ubuntu7.15] qemu-system-s390x/bionic-proposed 1:2.11+dfsg-1ubuntu7.16 s390x [upgradable from: 1:2.11+dfsg-1ubuntu7.15] qemu-system-s390x/xenial-proposed 1:2.5+dfsg-5ubuntu10.41 s390x [upgradable from: 1:2.5+dfsg-5ubuntu10.40] With the upgrade from proposed they all can start fine (well I stole the initrd, so they fail mounting the root disk, but we passed hat we wanted to check). Setting verified [1]: https://launchpad.net/~xnox/+archive/ubuntu/scratch/+build/16859505 [2]: https://launchpad.net/~xnox/+archive/ubuntu/scratch/+build/16859505/+files/linux-image-5.2.0-1-generic_5.2.0-1.2_s390x.deb ** Tags removed: verification-needed verification-needed-bionic verification-needed-disco verification-needed-xenial ** Tags added: verification-done verification-done-bionic verification-done-disco verification-done-xenial -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
All errors are timeout errors when trying to access armhf archive: # libvirt armhf: The following packages will be upgraded: apt apt-transport-https apt-utils bash binutils binutils-arm-linux-gnueabihf binutils-common bzip2 console-setup console-setup-linux dbus debconf debconf-i18n distro-info-data dmsetup gcc-8-base initramfs-tools initramfs-tools-bin initramfs-tools-core isc-dhcp-client isc-dhcp-common keyboard-configuration libapt-inst2.0 libapt-pkg5.0 libbinutils libbz2-1.0 libdb5.3 libdbus-1-3 libdevmapper1.02.1 libdns-export1100 libelf1 libexpat1 libgcc1 libglib2.0-0 libglib2.0-data libgnutls30 libisc-export169 libldap-2.4-2 libldap-common libnss-systemd libpam-systemd libpython3.6-minimal libpython3.6-stdlib libseccomp2 libsqlite3-0 libssl1.1 libstdc++6 libsystemd0 libudev1 linux-headers-generic login netplan.io nplan openssl passwd python3.6 python3.6-minimal systemd systemd-sysv tzdata ubuntu-minimal udev vim-common vim-tiny xxd 65 upgraded, 2 newly installed, 0 to remove and 0 not upgraded. Need to get 35.3 MB of archives. After this operation, 85.9 MB of additional disk space will be used. Err:1 http://ftpmaster.internal/ubuntu bionic-updates/main armhf bash armhf 4.4.18-2ubuntu1.2 Could not connect to ftpmaster.internal:80 (91.189.89.99), connection timed out ## nova armhf: The following packages will be upgraded: apt apt-transport-https apt-utils bash binutils binutils-arm-linux-gnueabihf binutils-common bzip2 console-setup console-setup-linux dbus debconf debconf-i18n distro-info-data dmsetup gcc-8-base initramfs-tools initramfs-tools-bin initramfs-tools-core isc-dhcp-client isc-dhcp-common keyboard-configuration libapt-inst2.0 libapt-pkg5.0 libbinutils libbz2-1.0 libdb5.3 libdbus-1-3 libdevmapper1.02.1 libdns-export1100 libelf1 libexpat1 libgcc1 libglib2.0-0 libglib2.0-data libgnutls30 libisc-export169 libldap-2.4-2 libldap-common libnss-systemd libpam-systemd libpython3.6-minimal libpython3.6-stdlib libseccomp2 libsqlite3-0 libssl1.1 libstdc++6 libsystemd0 libudev1 linux-headers-generic login netplan.io nplan openssl passwd python3.6 python3.6-minimal systemd systemd-sysv tzdata ubuntu-minimal udev vim-common vim-tiny xxd 65 upgraded, 2 newly installed, 0 to remove and 0 not upgraded. Need to get 35.3 MB of archives. After this operation, 85.9 MB of additional disk space will be used. Err:1 http://ftpmaster.internal/ubuntu bionic-updates/main armhf bash armhf 4.4.18-2ubuntu1.2 Could not connect to ftpmaster.internal:80 (91.189.89.99), connection timed out ## systemd armhf: The following packages will be upgraded: apt apt-transport-https apt-utils bash binutils binutils-arm-linux-gnueabihf binutils-common bzip2 console-setup console-setup-linux dbus debconf debconf-i18n distro-info-data dmsetup gcc-8-base initramfs-tools initramfs-tools-bin initramfs-tools-core isc-dhcp-client isc-dhcp-common keyboard-configuration libapt-inst2.0 libapt-pkg5.0 libbinutils libbz2-1.0 libdb5.3 libdbus-1-3 libdevmapper1.02.1 libdns-export1100 libelf1 libexpat1 libgcc1 libglib2.0-0 libglib2.0-data libgnutls30 libisc-export169 libldap-2.4-2 libldap-common libnss-systemd libpam-systemd libpython3.6-minimal libpython3.6-stdlib libseccomp2 libsqlite3-0 libssl1.1 libstdc++6 libsystemd0 libudev1 linux-headers-generic login netplan.io nplan openssl passwd python3.6 python3.6-minimal systemd systemd-sysv tzdata ubuntu-minimal udev vim-common vim-tiny xxd 65 upgraded, 2 newly installed, 0 to remove and 0 not upgraded. Need to get 35.3 MB of archives. After this operation, 85.9 MB of additional disk space will be used. Err:1 http://ftpmaster.internal/ubuntu bionic-updates/main armhf bash armhf 4.4.18-2ubuntu1.2 Could not connect to ftpmaster.internal:80 (91.189.89.99), connection timed out -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
I asked someone with permissions to restart those tests to check if timeout issue is gone. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
** Changed in: ubuntu-z-systems Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
Hello bugproxy, or anyone else affected, Accepted qemu into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qemu/1:2.11+dfsg- 1ubuntu7.16 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: qemu (Ubuntu Bionic) Status: In Progress => Fix Committed ** Tags added: verification-needed-bionic ** Changed in: qemu (Ubuntu Xenial) Status: In Progress => Fix Committed ** Tags added: verification-needed-xenial -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
Hello bugproxy, or anyone else affected, Accepted qemu into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qemu/1:3.1+dfsg- 2ubuntu3.3 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: qemu (Ubuntu Disco) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-disco -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
Tags pushed and uploaded to X/B/D unapproved for the SRU Team to do a final review and accept. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
** Description changed: + [Impact] + + * s390x is about to add secure boot features which are implemented by a +new IPL section + + * Older qemu bootloaders for s390x will stumble over that IPL section and +be unable to boot. + + * Backport the changes from upstream that make qemu tolerate those +sections (not the new feature of secure boot, just the avoidance of the +guest crash on boot) + + [Test Case] + + * Take a signed kernel on s390x (either the one from xnox in comment #19 +or use signtool to create one) + * Install that kernel in a guest of the qemu that is to be tested + * Run zipl with --secure 1 to write a secure boot section for sure + * With an unpatched qemu this would now fail to boot again + * Install the update to qemu and boot the guest, by skipping the +"tolerated, but not supported" new section it works again. + + [Regression Potential] + + * If any of the checks goes wrong we might affect booting of guests in a +negative way. For example it might no more start or load a wrong +kernel. But since the IPL records written by `zipl` are clearly +specified that should hopefully not be the case here. The code added +clearly only skips an additional section that didn't exist before. + + [Other Info] + + * n/a + + --- + Secure boot enablement KVM. Will be made available with qemu 4.1 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
Got signed kernels from xnox in [1]. With those they zipl Using config file '/etc/zipl.conf' Target device information Device..: fc:00 Partition...: fc:01 Device name.: vda Device driver name..: virtblk Type: disk partition Disk layout.: SCSI disk layout Geometry - start: 2048 File system block size..: 4096 Physical block size.: 512 Device size in physical blocks..: 16775135 Building bootmap in '/boot' Adding IPL section 'ubuntu' (default) initial ramdisk...: /boot/initrd.img-5.2.0-1-generic signature for.: /lib/s390-tools/stage3.bin kernel image..: /boot/vmlinuz-5.2.0-1-generic signature for.: /boot/vmlinuz-5.2.0-1-generic kernel parmline...: 'root=LABEL=cloudimg-rootfs' component address: heap area...: 0x2000-0x5fff stack area..: 0xf000-0x internal loader.: 0xa000-0xefff parameters..: 0x9000-0x91ff kernel image: 0x0001-0x004b8fff parmline: 0x004ba000-0x004ba1ff initial ramdisk.: 0x004c-0x01622bff Preparing boot device: vda (). Detected SCSI PCBIOS disk layout. Writing SCSI master boot record. Syncing disks... Done. With that starting the guest gave either 2019-07-05 10:17:06.535+: shutting down, reason=crashed or ! No EXEC entry ! With the qemu from PPA [2] things work again. I can go forward with the SRU on this, thanks for your help everybody. P.S. I have a few other changes I want to bundle, so I beg your pardon for a few days extra delay. But this isn't urgent until the signed kernels would land so that should be ok. [1]: https://launchpad.net/~xnox/+archive/ubuntu/scratch [2]: https://launchpad.net/~paelzer/+archive/ubuntu/bug-1830243-secure-boot-toleration ** Changed in: qemu (Ubuntu Disco) Status: Incomplete => In Progress ** Changed in: qemu (Ubuntu Bionic) Status: Incomplete => In Progress ** Changed in: qemu (Ubuntu Xenial) Status: Incomplete => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
Thanks Christian, but when doing so I get: $ cat /etc/zipl.conf # This has been modified by the cloud image build process [defaultboot] default=ubuntu [ubuntu] target = /boot secure = 1 image = /boot/vmlinuz parameters = root=LABEL=cloudimg-rootfs ramdisk = /boot/initrd.img $ sudo zipl -V Using config file '/etc/zipl.conf' Target device information Device..: fc:00 Partition...: fc:01 Device name.: vda Device driver name..: virtblk Type: disk partition Disk layout.: SCSI disk layout Geometry - start: 2048 File system block size..: 4096 Physical block size.: 512 Device size in physical blocks..: 16775135 Building bootmap in '/boot' Adding IPL section 'ubuntu' (default) initial ramdisk...: /boot/initrd.img signature for.: /lib/s390-tools/stage3.bin kernel image..: /boot/vmlinuz Error: Could not install Secure Boot IPL records: Missing signature in image file /boot/vmlinuz So do I really not need a kernel with a signature? If so how to avoid the break on the missing signature? @Dimitri - I found none in the archive yet, do you have signed s390x kernel around that could be used? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
I have access to secureboot signed zipl & kernels. I will prepare a sample cloud-image to test boot with all the qemus. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
** Merge proposal linked: https://code.launchpad.net/~paelzer/ubuntu/+source/qemu/+git/qemu/+merge/369709 ** Merge proposal linked: https://code.launchpad.net/~paelzer/ubuntu/+source/qemu/+git/qemu/+merge/369710 ** Merge proposal linked: https://code.launchpad.net/~paelzer/ubuntu/+source/qemu/+git/qemu/+merge/369711 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
Yeah lets focus on 2497b4a3 "s390-bios: Skip bootmap signature entries" here then. If ever "IPLing from a dasd attached via vfio-ccw" is wanted that would be an extra bug/discussion. Thanks Christian B. for pointing to the core change of this bug! That way it applies as-is to 3.1, with very slight noise to 2.11 and even 2.5. Started test builds in [1] as a PPA to evaluate. Who has s390x test kernels with secure boot enabled available to give this a try? Marking the bug tasks incomplete until that has been verified. For formal review MPs are up [2][3][4] as well. P.S. Cosmic will be EOL until this reaches the SRU queues. Not preparing that. [1]: https://launchpad.net/~paelzer/+archive/ubuntu/bug-1830243-secure-boot-toleration [2]: https://code.launchpad.net/~paelzer/ubuntu/+source/qemu/+git/qemu/+merge/369709 [3]: https://code.launchpad.net/~paelzer/ubuntu/+source/qemu/+git/qemu/+merge/369710 [4]: https://code.launchpad.net/~paelzer/ubuntu/+source/qemu/+git/qemu/+merge/369711 ** Changed in: qemu (Ubuntu Disco) Status: New => Incomplete ** Changed in: qemu (Ubuntu Cosmic) Status: New => Incomplete ** Changed in: qemu (Ubuntu Cosmic) Status: Incomplete => Won't Fix ** Changed in: qemu (Ubuntu Bionic) Status: New => Incomplete ** Changed in: qemu (Ubuntu Xenial) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
I also wonder if we need secureboot toleration patches in zipl for xenial+ (when it has no signed stage3.bin) Specifically, it should strip secureboot signatures off kernels or otherwise things might not boot. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
Ok, now that things are in Eoan how do we want to work on the SRUs. Dimitri already identified quite a lot of changes on top of 3.1 in comment #5. I can only assume that this will get worse and worse further back. will IBM provide branches or patches for qemu 2.5, 2.11 and 3.1 or should I give things a try starting with the list in comment #5 and someone will check against a PPA, or ... ? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
** Changed in: ubuntu-z-systems Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
This bug was fixed in the package qemu - 1:4.0+dfsg-0ubuntu1 --- qemu (1:4.0+dfsg-0ubuntu1) eoan; urgency=medium * Merge with Upstream release of qemu 4.0. Among many other things this fixes LP Bugs: LP: #1782206 - SnowRidge Accelerator Interfacing Architecture (AIA) LP: #1828038 - Update s390x CPU Model for more HW support LP: #1832622 - count cache flush Spectre v2 mitigation for ppc64el Remaining Changes: - qemu-kvm to systemd unit - d/qemu-kvm-init: script for QEMU KVM preparation modules, ksm, hugepages and architecture specifics - d/qemu-system-common.qemu-kvm.service: systemd unit to call qemu-kvm-init - d/qemu-system-common.install: install helper script - d/qemu-system-common.maintscript: clean old sysv and upstart scripts - d/qemu-system-common.qemu-kvm.default: defaults for /etc/default/qemu-kvm - d/rules: call dh_installinit and dh_installsystemd for qemu-kvm - Enable nesting by default - d/qemu-system-x86.modprobe: set nested=1 module option on intel. (is default on amd) - d/qemu-system-x86.postinst: re-load kvm_intel.ko if it was loaded without nested=1 - d/p/ubuntu/expose-vmx_qemu64cpu.patch: expose nested kvm by default in qemu64 cpu type. - d/p/ubuntu/enable-svm-by-default.patch: Enable nested svm by default in qemu64 on amd - d/qemu-system-x86.README.Debian: document intention of nested being default is comfort, not full support - Distribution specific machine type (LP: 1304107 1621042) - d/p/ubuntu/define-ubuntu-machine-types.patch: define distro machine types - d/qemu-system-x86.NEWS Info on fixed machine type defintions for host-phys-bits=true (LP: 1776189) - add an info about -hpb machine type in debian/qemu-system-x86.NEWS - provide pseries-bionic-2.11-sxxm type as convenience with all meltdown/spectre workarounds enabled by default. (LP: 1761372). - improved dependencies - Make qemu-system-common depend on qemu-block-extra - Make qemu-utils depend on qemu-block-extra - let qemu-utils recommend sharutils - s390x support - Create qemu-system-s390x package - Enable numa support for s390x - arch aware kvm wrappers - d/control: update VCS links - qemu-guest-agent: freeze-hook fixes (LP: 1484990) - d/qemu-guest-agent.install: provide /etc/qemu/fsfreeze-hook - d/qemu-guest-agent.dirs: provide /etc/qemu/fsfreeze-hook.d - d/control-in: enable RDMA support in qemu (LP: 1692476) - enable RDMA config option - add libibumad-dev build-dep - tolerate ipxe size change on migrations to >=18.04 (LP: 1713490) - d/p/ubuntu/pre-bionic-256k-ipxe-efi-roms.patch: old machine types reference 256k path - d/control-in: depend on ipxe-qemu-256k-compat-efi-roms to be able to handle incoming migrations from former releases. - d/control-in: Disable capstone disassembler library support (universe) - Move s390x roms to a new qemu-system-data-s390x - d/qemu-system-data.install: install s390x roms as architecture:all in qemu-system-data - d/rules: build s390-ccw.img with upstream Makefile - d/rules: build s390-netboot.img with upstream Makefile - d/p/ubuntu/lp-1790901-partial-SLOF-for-s390x-netboot.patch: bring back some SLOF bits stripped in DFSG to be able to build s390x-netboot roms As that hack to build s390-ccw.img rom can't build s390x-netboot.img replace it with a build-indep using the upstream makefiles. This is less prone to miss future changes/fixes that are done to the makefiles - d/control-in: add breaks/replaces for moving s390x roms from qemu-system-s390x to qemu-system-data - remove /dev/kvm permission handling (moved to systemd 239-6) (#892945) [From not yet uploaded Debian branch] - d/p/debianize-qemu-guest-service.patch: fix path of qemu-ga - d/rules: fix qemu-kvm service for debhelper compat >=12 - disable pvrdma - besides several security holes there are many other bugs there as well * Dropped patches that are upstream in v4.0 - d/p/do-not-link-everything-with-xen.patch - d/p/usb-mtp-use-O_NOFOLLOW-and-O_CLOEXEC-CVE-2018-16872.patch - d/p/hw_usb-fix-mistaken-de-initialization-of-CCID-state.patch - d/p/scsi-generic-avoid-possible-oob-access-to-r-buf-CVE-2019-6501.patch - d/p/slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778 - d/p/i2c-ddc-fix-oob-read-CVE-2019-3812.patch - d/p/ubuntu/lp-1759509-qmp-query-current-machine-with-wakeup-suspend-suppor (LP: 1759509) - d/p/ubuntu/lp-1759509-qga-update-guest-suspend-ram-and-guest-suspend-hybri - d/p/ubuntu/lp-1759509-qmp-hmp-Make-system_wakeup-check-wake-up-support-and -
[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu
** Information type changed from Private to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs