1. Installed an Eoan guest on Xenial/Bionic/Disco hosts In the Guest 2. set secure = 1 in /etc/zipl.conf
3. unfortunately xnox refreshed his PPA and it has no pre-signed kernel anymore :-/ I tried to follow https://ubuntu.com/blog/how-to-sign-things-for-secure-boot in various ways, but I assume things are just different for s390x here. After a while I found this old build [1] of which I used [2] Install that and drop the ramdisk line change: image = /boot/vmlinuz-5.2.0-1-generic remove: ramdisk = /boot/initrd.img 4. run zipl verbosely, which should have: Adding IPL section 'ubuntu' (default) signature for.....: /lib/s390-tools/stage3.bin kernel image......: /boot/vmlinuz-5.2.0-1-generic signature for.....: /boot/vmlinuz-5.2.0-1-generic 5. shut down guest 6. back in the Host, start the guest (fails without the update). Check the console - the error messages differ per version: Xenial: $ virsh start --console test-secureboot-x Domain test-secureboot-x started Connected to domain test-secureboot-x Escape character is ^] .. ! No EXEC entry ! Bionic: Domain test-secureboot-b started error: The domain is not running Disco: seems to work but complains about validations 7. Upgrade to proposed and check again. qemu-system-s390x/disco-proposed 1:3.1+dfsg-2ubuntu3.3 s390x [upgradable from: 1:3.1+dfsg-2ubuntu3.2] qemu-kvm/bionic-proposed 1:2.11+dfsg-1ubuntu7.16 s390x [upgradable from: 1:2.11+dfsg-1ubuntu7.15] qemu-system-s390x/bionic-proposed 1:2.11+dfsg-1ubuntu7.16 s390x [upgradable from: 1:2.11+dfsg-1ubuntu7.15] qemu-system-s390x/xenial-proposed 1:2.5+dfsg-5ubuntu10.41 s390x [upgradable from: 1:2.5+dfsg-5ubuntu10.40] With the upgrade from proposed they all can start fine (well I stole the initrd, so they fail mounting the root disk, but we passed hat we wanted to check). Setting verified [1]: https://launchpad.net/~xnox/+archive/ubuntu/scratch/+build/16859505 [2]: https://launchpad.net/~xnox/+archive/ubuntu/scratch/+build/16859505/+files/linux-image-5.2.0-1-generic_5.2.0-1.2_s390x.deb ** Tags removed: verification-needed verification-needed-bionic verification-needed-disco verification-needed-xenial ** Tags added: verification-done verification-done-bionic verification-done-disco verification-done-xenial -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1830243 Title: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs