[Bug 1996069] Re: [UBUNTU 20.04] zipl: Add secure boot trailer (s390-tools part)

Fri Dec 2 00:46:27 UTC 2022

Hello bugproxy, or anyone else affected,

Accepted s390-tools into jammy-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/s390-tools/2.20.0-0ubuntu3.2 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
jammy to verification-done-jammy. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-jammy. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: s390-tools (Ubuntu Jammy)
       Status: New => Fix Committed

** Tags added: verification-needed-jammy

** Changed in: s390-tools-signed (Ubuntu Jammy)
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1996069

Title:
  [UBUNTU 20.04] zipl: Add secure boot trailer  (s390-tools part)

Status in Ubuntu on IBM z Systems:
  In Progress
Status in s390-tools package in Ubuntu:
  In Progress
Status in s390-tools-signed package in Ubuntu:
  In Progress
Status in s390-tools source package in Focal:
  Fix Committed
Status in s390-tools-signed source package in Focal:
  Fix Committed
Status in s390-tools source package in Jammy:
  Fix Committed
Status in s390-tools-signed source package in Jammy:
  Fix Committed
Status in s390-tools source package in Kinetic:
  Fix Committed
Status in s390-tools-signed source package in Kinetic:
  Fix Committed

Bug description:
  SRU Justification:
  ==================

  [ Impact ]

   * Secureboot on Ubuntu/s390x (and Linux on zSystems in general)
     will no longer be possible with an upcoming IBM zSystems firmware update.

   * New IBM zSystems firmware requires all signed boot images to contain a
     trailing data block with a specific format.

   * Solution: Add trailing data block to the zipl stage 3 boot loader
  image.

  [ Fix ]

   * 5768d55a08e163f718bd87498b9e763687ae7137 5768d55a08e1
     "zipl/boot: add secure boot trailer"

  [ Test Plan ]

   * Reproduction: Apply latest zSystem firmware, perform an IPL (boot)
     with Secure Boot enabled (in the LPAR activation profile).

   * Without having the new firmware in place, or on systems that do not support
     secureboot on s390x, the boot trailer can be tested with this script:
     https://launchpadlibrarian.net/633126861/check_sb_trailer.sh
     $ check_sb_trailer.sh arch/s390/boot/bzImage
     Checking secure boot trailer of file arch/s390/boot/bzImage
     * Read 32 bytes at offset 00777fe0:
     000000000000000000000000000000000000000000000000000000207a49504c
     * Success - Linux kernel trailer found

  [ Where problems could occur ]

   * Problems could occur if build tools still use '--pad-to=0xe000'

   * or if the trailer is not generated the right way (according to
     the trailer spec),

   * or the kernel is not able to detect the trailer properly
     (maybe because the trailer is generated in a wrong way,
     or the detection mechanism is wrong).

   * But this can be tested by using the script mentioned above,
     and was already tested (kernel part) based on LP#1996071.

  [ Other Info ]

   * This bug also has a Kernel part which is addressed in a separate
     ticket: https://bugs.launchpad.net/bugs/1996071

   * The kernel part is addressed in the current cycle, hence Fix
  Committed.

   * The affected Ubuntu releases are Focal, Jammy and Kinetic - as one can
     see at the bug header of this ticket.

   * Lunar will get a brand new s390-tools package later in the cycle,
     that will have this fix included.
  __________

  Description:   zipl: Add secure boot trailer

  Symptom:       Secure boot of Linux will no longer be possible with an upcoming
                 IBM Z firmware update.

  Problem:       New IBM Z firmware requires all signed boot images to contain a
                 trailing data block with a specific format.

  Solution:      Add trailing data block to the zipl stage 3 boot loader image.
  Reproduction:  Apply latest firmware, perform IPL with Secure Boot enabled.

  Fix:           Available upstream with
  Upstream-ID:   5768d55a08e163f718bd87498b9e763687ae7137

  Upstream-Description:

                zipl/boot: add secure boot trailer

                This patch enhances the zipl stage3 loader image adding a trailer as
                required for secure boot by future firmware versions.

                Note: with the change in this patch the padding via objcopy command line
                options is replaced by padding via linker script directives with the
                same effect.

                Signed-off-by: Peter Oberparleiter <oberpar at linux.ibm.com>
                Signed-off-by: Jan Hoeppner <hoeppner at linux.ibm.com>

  Signed-off-by: Peter Oberparleiter <oberpar at linux.ibm.com>

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996069/+subscriptions