------- Comment From grgo.mari...@ibm.com 2024-08-23 06:09 EDT-------
We installed from ppa:canonical-kernel-team/unstable:

# cat /etc/os-release
PRETTY_NAME="Ubuntu Oracular Oriole (development branch)"
NAME="Ubuntu"
VERSION_ID="24.10"
VERSION="24.10 (Oracular Oriole)"
VERSION_CODENAME=oracular
...
...

# apt search linux-image-6.11
linux-image-6.11.0-4-generic/oracular,now 6.11.0-4.4 s390x [installed,automatic]
  Signed kernel image generic

# uname -r
6.11.0-4-generic

# grep [0-9] /sys/firmware/ipl/*sec*
/sys/firmware/ipl/has_secure:1
/sys/firmware/ipl/secure:0

# ls -l /boot/vmlinuz /boot/initrd.img
lrwxrwxrwx 1 root root 27 Aug 23 09:08 /boot/initrd.img -> initrd.img-6.11.0-4-generic
lrwxrwxrwx 1 root root 24 Aug 23 09:08 /boot/vmlinuz -> vmlinuz-6.11.0-4-generic

load with kernel vmlinuz-6.11.0-4-generic
- without secure boot enable
- without adding the signature

IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.3.5' level 'D51C.D51C_328.24'.
--- Audit message summary start ---
MLOLOA62693210 Audit: Signature verification failure for component 3 in program 0 loaded from device HBA:0.0.1900,WWPN:500507630700572C,LUN:4051402C00000000.
MLOLOA62693210 Audit: Signature verification failure for component 5 in program 0 loaded from device HBA:0.0.1900,WWPN:500507630700572C,LUN:4051402C00000000.
--- Audit message summary end ---
OK00000000 Success

load with kernel vmlinuz-6.11.0-4-generic
- with secure boot enable
- without adding the signature

IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.3.5' level 'D51C.D51C_328.24'.
--- Audit message summary start ---
MLOLOA62693210 Audit: Signature verification failure for component 3 in program 0 loaded from device HBA:0.0.1900,WWPN:500507630700572C,LUN:4051402C00000000.
MLOLOA62693210 Audit: Signature verification failure for component 5 in program 0 loaded from device HBA:0.0.1900,WWPN:500507630700572C,LUN:4051402C00000000.
--- Audit message summary end ---
MLOLOA6269321F A security violation error was encountered when loading from device HBA:0.0.1900,WWPN:500507630700572C,LUN:4051402C00000000.
IPL failed (110).

load with kernel vmlinuz-6.11.0-4-generic
- with secure boot enable
- with adding the signature

IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.3.5' level 'D51C.D51C_328.24'.
OK00000000 Success
[ 0.078590] Linux version 6.11.0-4-generic (buildd@bos02-s390x-011) (s390x-linux-gnu-gcc-14 (Ubuntu 14.2.0-3ubuntu1) 14.2.0, GNU ld (GNU Binutils for Ubuntu) 2.43.1) #4-Ubuntu SMP Tue Aug 20 14:03:40 UTC 2024 (Ubuntu 6.11.0-4.4-generic 6.11.0-rc4)
[ 0.078592] setup: Linux is running natively in 64-bit mode
[ 0.078593] setup: Linux is running with Secure-IPL enabled
[ 0.078593] setup: The IPL report contains the following components:
[ 0.078594] setup: 0000000000002000 - 0000000000006000 (not signed)
[ 0.078596] setup: 0000000000009000 - 0000000000009200 (not signed)
[ 0.078597] setup: 000000000000a000 - 000000000000e000 (signed, verified)
[ 0.078598] setup: 000000000000f000 - 0000000000010000 (not signed)
[ 0.078599] setup: 0000000000010000 - 0000000000a0b000 (signed, verified)
[ 0.078601] setup: 0000000000a0c000 - 0000000000a0c200 (not signed)
[ 0.078602] setup: 0000000000a1c000 - 0000000000a1d000 (not signed)
[ 0.078603] setup: 0000000000a20000 - 00000000022dcc00 (not signed)
[ 0.078604] Kernel is locked down from Secure IPL mode; see man kernel_lockdown.7

After secure boot load

# grep [0-9] /sys/firmware/ipl/*sec*
/sys/firmware/ipl/has_secure:1
/sys/firmware/ipl/secure:1

we used these Certificate:

# openssl x509 -text -in sipl1.x509
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: a1:b6:a0:75:09:df:f4:18
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN = PPA canonical-kernel-team unstable SIPL
        Validity
            Not Before: Aug 23 20:47:25 2019 GMT
            Not After : Aug 20 20:47:25 2029 GMT
        Subject: CN = PPA canonical-kernel-team unstable SIPL
...
...

# openssl x509 -text -in sipl2.x509
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: ee:61:db:02:41:ef:d1:06
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., OU = Secure Boot, CN = "Canonical Ltd. Secure Boot Signing (ZIPL, 2019)"
        Validity
            Not Before: May 16 13:50:05 2019 GMT
            Not After : May 14 13:50:05 2049 GMT
        Subject: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., OU = Secure Boot, CN = "Canonical Ltd. Secure Boot Signing (ZIPL, 2019)"
..

this was tested on our Z16 machine

No problems detected. Secure boot works as expected.

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2077540

Title:
  [24.10] Please test secure-boot and lockdown on the 6.11 kernel
  (s390x) for Oracular

Status in Ubuntu on IBM z Systems:
  New
Status in linux package in Ubuntu:
  New

Bug description:
  The Canonical kernel team is working on a new 6.11 kernel for
  'oracular' (24.10) and has an early build ready for secure-boot and
  lockdown testing (version 6.11.0-4.4).

  To avoid potentially negative implications that a broken secure-boot
  lockdown functionality would cause (esp. using the production key), we
  ask to get secure-boot tested early in the cycle using Canonical kernel
  team's PPA key for signature.

  The early test build is available at:
  ppa:canonical-kernel-team/unstable
  (https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable/)

  The PPA key used for signing can be found in the tarball available here:
  https://ppa.launchpad.net/canonical-kernel-team/unstable/ubuntu/dists/devel/main/signed/linux-generate-unstable-s390x/current/

  (Please note that this kernel is coming from the 'canonical-kernel-team'
  PPA, hence it is NOT signed with the regular archive/release/production
  key, instead with the above PPA's key!)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2077540/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
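
The checks made by hand in the comment above (the two /sys/firmware/ipl flags and the kernel's IPL report) can be scripted for repeat test runs. This is an added example, not part of the bug report or of any Canonical or IBM tooling; the function names and the shortened sample log are constructed, and any component status other than the two strings shown in the report is simply counted as "other".

```shell
#!/bin/sh
# Added example: summarise the s390x secure-IPL evidence shown in the report.

# Classify the values read from /sys/firmware/ipl/has_secure ($1) and
# /sys/firmware/ipl/secure ($2), as printed by the grep in the report.
secure_ipl_state() {
    case "$1:$2" in
        1:1) echo "enabled" ;;                # booted with secure IPL
        1:0) echo "available-not-enabled" ;;  # has_secure set, non-secure boot
        0:*) echo "unsupported" ;;
        *)   echo "unknown" ;;
    esac
}

# Read kernel log text on stdin and count the IPL report components.
# Prints: verified=N unsigned=N other=N lockdown=yes|no
ipl_report_summary() {
    awk '
        / setup: [0-9a-f]+ - [0-9a-f]+ \(/ {
            if (/\(signed, verified\)/) v++
            else if (/\(not signed\)/) u++
            else o++            # any status string not shown in the report
        }
        /Kernel is locked down from Secure IPL mode/ { l = 1 }
        END {
            printf "verified=%d unsigned=%d other=%d lockdown=%s\n",
                   v, u, o, (l ? "yes" : "no")
        }
    '
}

# Constructed sample: a shortened copy of the boot log quoted in the report.
sample_log() {
    cat <<'EOF'
[ 0.078593] setup: Linux is running with Secure-IPL enabled
[ 0.078594] setup: 0000000000002000 - 0000000000006000 (not signed)
[ 0.078597] setup: 000000000000a000 - 000000000000e000 (signed, verified)
[ 0.078599] setup: 0000000000010000 - 0000000000a0b000 (signed, verified)
[ 0.078603] setup: 0000000000a20000 - 00000000022dcc00 (not signed)
[ 0.078604] Kernel is locked down from Secure IPL mode; see man kernel_lockdown.7
EOF
}

# Demo on the sample; on a real system pipe `dmesg` into ipl_report_summary.
sample_log | ipl_report_summary
```

A passing secure-boot run is state "enabled", at least one verified component, other=0 and lockdown=yes.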