[Bug 1996069] Re: [UBUNTU 20.04] zipl: Add secure boot trailer (s390-tools part)

Frank Heimes 1996069 at bugs.launchpad.net
Fri Nov 25 15:07:10 UTC 2022


** Description changed:

+ SRU Bug Template:
+ =================
+ 
+ [ Impact ]
+ 
+  * Secureboot on Ubuntu/s390x (and Linux on zSystems in general)
+    will no longer be possible with an upcoming IBM zSystems firmware update.
+ 
+  * New IBM zSystems firmware requires all signed boot images to contain a
+    trailing data block with a specific format.
+ 
+  * Solution: Add trailing data block to the zipl stage 3 boot loader
+ image.
+ 
+ [ Fix ]
+ 
+  * 5768d55a08e163f718bd87498b9e763687ae7137 5768d55a08e1
+    "zipl/boot: add secure boot trailer"
+ 
+ [ Test Plan ]
+ 
+  * Reproduction: Apply latest zSystem firmware, perform an IPL (boot)
+    with Secure Boot enabled (in the LPAR activation profile).
+ 
+  * Without having the new firmware in place, or on systems that do not support
+    secureboot on s390x, the boot trailer can be tested with this script:
+    https://launchpadlibrarian.net/633126861/check_sb_trailer.sh
+    $ check_sb_trailer.sh arch/s390/boot/bzImage
+    Checking secure boot trailer of file arch/s390/boot/bzImage
+    * Read 32 bytes at offset 00777fe0:
+    000000000000000000000000000000000000000000000000000000207a49504c
+    * Success - Linux kernel trailer found
+ 
+ [ Where problems could occur ]
+ 
+  * Problems could occur if build tools still use '--pad-to=0xe000'
+ 
+  * or if the trailer is not generated the right way (according to
+    the trailer spec),
+ 
+  * or the kernel is not able to detect the trailer properly
+    (maybe because the trailer is generated in a wrong way,
+    or the detection mechanism is wrong).
+ 
+  * But this can be tested by using the script mentioned above,
+    and was already tested (kernel part) based on LP#1996071.
+ 
+ [ Other Info ]
+ 
+  * This bug also has a Kernel part which is addressed in a separate
+    ticket: https://bugs.launchpad.net/bugs/1996071
+ 
+  * The kernel part is addressed in the current cycle, hence Fix Committed.
+  
+  * The affected Ubuntu releases are Focal, Jammy and Kinetic - as one can
+    see at the bug header of this ticket.
+ 
+  * Lunar will get a brand new s390-tools package later in the cycle,
+    that will have this fix included.
+ __________
+ 
  Description:   zipl: Add secure boot trailer
  
  Symptom:       Secure boot of Linux will no longer be possible with an upcoming
-                IBM Z firmware update.
+                IBM Z firmware update.
  
  Problem:       New IBM Z firmware requires all signed boot images to contain a
-                trailing data block with a specific format.
+                trailing data block with a specific format.
  
  Solution:      Add trailing data block to the zipl stage 3 boot loader image.
  Reproduction:  Apply latest firmware, perform IPL with Secure Boot enabled.
  
  Fix:           Available upstream with
  Upstream-ID:   5768d55a08e163f718bd87498b9e763687ae7137
  
  Upstream-Description:
  
-               zipl/boot: add secure boot trailer
+               zipl/boot: add secure boot trailer
  
-               This patch enhances the zipl stage3 loader image adding a trailer as
-               required for secure boot by future firmware versions.
+               This patch enhances the zipl stage3 loader image adding a trailer as
+               required for secure boot by future firmware versions.
  
-               Note: with the change in this patch the padding via objcopy command line
-               options is replaced by padding via linker script directives with the
-               same effect.
+               Note: with the change in this patch the padding via objcopy command line
+               options is replaced by padding via linker script directives with the
+               same effect.
  
-               Signed-off-by: Peter Oberparleiter <oberpar at linux.ibm.com>
-               Signed-off-by: Jan Hoeppner <hoeppner at linux.ibm.com>
- 
+               Signed-off-by: Peter Oberparleiter <oberpar at linux.ibm.com>
+               Signed-off-by: Jan Hoeppner <hoeppner at linux.ibm.com>
  
  Signed-off-by: Peter Oberparleiter <oberpar at linux.ibm.com>
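Review bot: The sample run under [ Test Plan ] checks arch/s390/boot/bzImage and reports "Linux kernel trailer found". That exercises the kernel part (LP#1996071), not the zipl stage 3 boot loader image that [ Impact ] names as the thing this s390-tools change modifies. Consider adding a run of the script against the rebuilt stage 3 image, or stating how the loader's trailer is verified, so the SRU verification covers this package. Under [ Where problems could occur ], '--pad-to=0xe000' is mentioned without naming the tool; the upstream description says the objcopy padding is replaced by linker script directives, so it would help to say that this is the objcopy option meant.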

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1996069

Title:
  [UBUNTU 20.04] zipl: Add secure boot trailer  (s390-tools part)

Status in Ubuntu on IBM z Systems:
  In Progress
Status in s390-tools package in Ubuntu:
  In Progress
Status in s390-tools-signed package in Ubuntu:
  In Progress
Status in s390-tools source package in Focal:
  New
Status in s390-tools-signed source package in Focal:
  New
Status in s390-tools source package in Jammy:
  New
Status in s390-tools-signed source package in Jammy:
  New
Status in s390-tools source package in Kinetic:
  New
Status in s390-tools-signed source package in Kinetic:
  New

Bug description:
  SRU Bug Template:
  =================

  [ Impact ]

   * Secureboot on Ubuntu/s390x (and Linux on zSystems in general)
     will no longer be possible with an upcoming IBM zSystems firmware update.

   * New IBM zSystems firmware requires all signed boot images to contain a
     trailing data block with a specific format.

   * Solution: Add trailing data block to the zipl stage 3 boot loader
     image.

  [ Fix ]

   * 5768d55a08e163f718bd87498b9e763687ae7137 5768d55a08e1
     "zipl/boot: add secure boot trailer"

  [ Test Plan ]

   * Reproduction: Apply latest zSystem firmware, perform an IPL (boot)
     with Secure Boot enabled (in the LPAR activation profile).

   * Without having the new firmware in place, or on systems that do not support
     secureboot on s390x, the boot trailer can be tested with this script:
     https://launchpadlibrarian.net/633126861/check_sb_trailer.sh
     $ check_sb_trailer.sh arch/s390/boot/bzImage
     Checking secure boot trailer of file arch/s390/boot/bzImage
     * Read 32 bytes at offset 00777fe0:
     000000000000000000000000000000000000000000000000000000207a49504c
     * Success - Linux kernel trailer found

  [ Where problems could occur ]

   * Problems could occur if build tools still use '--pad-to=0xe000'

   * or if the trailer is not generated the right way (according to
     the trailer spec),

   * or the kernel is not able to detect the trailer properly
     (maybe because the trailer is generated in a wrong way,
     or the detection mechanism is wrong).

   * But this can be tested by using the script mentioned above,
     and was already tested (kernel part) based on LP#1996071.

  [ Other Info ]

   * This bug also has a Kernel part which is addressed in a separate
     ticket: https://bugs.launchpad.net/bugs/1996071

   * The kernel part is addressed in the current cycle, hence Fix Committed.
   
   * The affected Ubuntu releases are Focal, Jammy and Kinetic - as one can
     see at the bug header of this ticket.

   * Lunar will get a brand new s390-tools package later in the cycle,
     that will have this fix included.
  __________

  Description:   zipl: Add secure boot trailer

  Symptom:       Secure boot of Linux will no longer be possible with an upcoming
                 IBM Z firmware update.

  Problem:       New IBM Z firmware requires all signed boot images to contain a
                 trailing data block with a specific format.

  Solution:      Add trailing data block to the zipl stage 3 boot loader image.
  Reproduction:  Apply latest firmware, perform IPL with Secure Boot enabled.

  Fix:           Available upstream with
  Upstream-ID:   5768d55a08e163f718bd87498b9e763687ae7137

  Upstream-Description:

                zipl/boot: add secure boot trailer

                This patch enhances the zipl stage3 loader image adding a trailer as
                required for secure boot by future firmware versions.

                Note: with the change in this patch the padding via objcopy command line
                options is replaced by padding via linker script directives with the
                same effect.

                Signed-off-by: Peter Oberparleiter <oberpar at linux.ibm.com>
                Signed-off-by: Jan Hoeppner <hoeppner at linux.ibm.com>

  Signed-off-by: Peter Oberparleiter <oberpar at linux.ibm.com>

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996069/+subscriptions
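
An added example, not the linked check_sb_trailer.sh and not part of the bug report: a small shell check that compares the last 32 bytes of an image with the trailer bytes shown in the test plan's sample output. It assumes the zipl stage 3 image carries the same 32 bytes as the kernel image in that output; make_sample_image and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Expected 32-byte trailer, copied from the sample output in the test plan and
# split into four 8-byte words for readability.
EXPECTED_TRAILER="0000000000000000""0000000000000000""0000000000000000""000000207a49504c"
TRAILER_LEN=32

# Print the last TRAILER_LEN bytes of file $1 as one lowercase hex string.
read_trailer_hex() {
    tail -c "$TRAILER_LEN" "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Return 0 if file $1 ends with the expected trailer, 1 if not, 2 if unreadable.
check_sb_trailer() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    size=$(($(wc -c < "$1")))
    if [ "$size" -lt "$TRAILER_LEN" ]; then
        echo "$1: only $size bytes, too short to hold a trailer" >&2
        return 1
    fi
    got=$(read_trailer_hex "$1")
    if [ "$got" = "$EXPECTED_TRAILER" ]; then
        printf '%s: trailer found at offset %08x\n' "$1" $((size - TRAILER_LEN))
        return 0
    fi
    printf '%s: last %d bytes are %s, expected %s\n' \
        "$1" "$TRAILER_LEN" "$got" "$EXPECTED_TRAILER" >&2
    return 1
}

# Constructed sample input (hypothetical helper): 4064 zero bytes standing in
# for an image, followed by the trailer ($2 = with) or 32 more zero bytes.
make_sample_image() {
    head -c 4064 /dev/zero > "$1"
    if [ "$2" = with ]; then
        head -c 27 /dev/zero >> "$1"
        printf '\040zIPL' >> "$1"    # byte 0x20 followed by ASCII "zIPL"
    else
        head -c 32 /dev/zero >> "$1"
    fi
}

# Demo on constructed files; pass a real image path to check a build instead.
tmp=$(mktemp -d)
make_sample_image "$tmp/good.img" with
make_sample_image "$tmp/bad.img" without
check_sb_trailer "$tmp/good.img"
check_sb_trailer "$tmp/bad.img" 2>/dev/null || echo "bad.img rejected as expected"
rm -rf "$tmp"
```

An image that was padded to a fixed size without the trailer ends in zero bytes and is rejected, which is the failure the '--pad-to=0xe000' bullet describes.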



