[Bug 1996069] Re: [UBUNTU 20.04] zipl: Add secure boot trailer (s390-tools part)

Launchpad Bug Tracker 1996069 at bugs.launchpad.net
Tue Jan 10 19:46:49 UTC 2023


This bug was fixed in the package s390-tools-signed - 2.20.0-0ubuntu3.2

---------------
s390-tools-signed (2.20.0-0ubuntu3.2) jammy; urgency=medium

  * Rebuild against 2.20.0-0ubuntu3.2:
    LP: #1974109, LP: #1959987, LP: #1990520,
    LP: #1990524, LP: #1996069, LP: #1996477

 -- Frank Heimes <frank.heimes at canonical.com>  Wed, 16 Nov 2022 18:27:10 +0200

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1996069

Title:
  [UBUNTU 20.04] zipl: Add secure boot trailer  (s390-tools part)

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in s390-tools package in Ubuntu:
  Fix Committed
Status in s390-tools-signed package in Ubuntu:
  Fix Committed
Status in s390-tools source package in Focal:
  Fix Committed
Status in s390-tools-signed source package in Focal:
  Fix Committed
Status in s390-tools source package in Jammy:
  Fix Released
Status in s390-tools-signed source package in Jammy:
  Fix Released
Status in s390-tools source package in Kinetic:
  Fix Released
Status in s390-tools-signed source package in Kinetic:
  Fix Released

Bug description:
  SRU Justification:
  ==================

  [ Impact ]

   * Secureboot on Ubuntu/s390x (and Linux on zSystems in general)
     will no longer be possible with an upcoming IBM zSystems firmware update.

   * New IBM zSystems firmware requires all signed boot images to contain a
     trailing data block with a specific format.

   * Solution: Add trailing data block to the zipl stage 3 boot loader image.

  [ Fix ]

   * 5768d55a08e163f718bd87498b9e763687ae7137 5768d55a08e1
     "zipl/boot: add secure boot trailer"

  [ Test Plan ]

   * Reproduction: Apply latest zSystem firmware, perform an IPL (boot)
     with Secure Boot enabled (in the LPAR activation profile).

   * Without having the new firmware in place, or on systems that do not support
     secureboot on s390x, the boot trailer can be tested with this script:
     https://launchpadlibrarian.net/633126861/check_sb_trailer.sh
     $ check_sb_trailer.sh arch/s390/boot/bzImage
     Checking secure boot trailer of file arch/s390/boot/bzImage
     * Read 32 bytes at offset 00777fe0:
     000000000000000000000000000000000000000000000000000000207a49504c
     * Success - Linux kernel trailer found

  [ Where problems could occur ]

   * Problems could occur if build tools still use '--pad-to=0xe000'

   * or if the trailer is not generated the right way (according to
     the trailer spec),

   * or the kernel is not able to detect the trailer properly
     (maybe because the trailer is generated in a wrong way,
     or the detection mechanism is wrong).

   * But this can be tested by using the script mentioned above,
     and was already tested (kernel part) based on LP#1996071.

  [ Other Info ]

   * This bug also has a Kernel part which is addressed in a separate
     ticket: https://bugs.launchpad.net/bugs/1996071

   * The kernel part is addressed in the current cycle, hence Fix Committed.

   * The affected Ubuntu releases are Focal, Jammy and Kinetic - as one can
     see at the bug header of this ticket.

   * Lunar will get a brand new s390-tools package later in the cycle,
     that will have this fix included.
  __________

  Description:   zipl: Add secure boot trailer

  Symptom:       Secure boot of Linux will no longer be possible with an upcoming
                 IBM Z firmware update.

  Problem:       New IBM Z firmware requires all signed boot images to contain a
                 trailing data block with a specific format.

  Solution:      Add trailing data block to the zipl stage 3 boot loader image.
  Reproduction:  Apply latest firmware, perform IPL with Secure Boot enabled.

  Fix:           Available upstream with
  Upstream-ID:   5768d55a08e163f718bd87498b9e763687ae7137

  Upstream-Description:

                zipl/boot: add secure boot trailer

                This patch enhances the zipl stage3 loader image adding a trailer as
                required for secure boot by future firmware versions.

                Note: with the change in this patch the padding via objcopy command line
                options is replaced by padding via linker script directives with the
                same effect.

                Signed-off-by: Peter Oberparleiter <oberpar at linux.ibm.com>
                Signed-off-by: Jan Hoeppner <hoeppner at linux.ibm.com>

  Signed-off-by: Peter Oberparleiter <oberpar at linux.ibm.com>
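
The trailer check from the test plan, as an added example (this is not the linked check_sb_trailer.sh and not s390-tools code): it compares the final 32 bytes of an image with the bytes shown in the sample output above. The function names and return codes are assumptions made for this example, as is the premise that the trailer is always the last 32 bytes of the file.

```shell
#!/bin/sh
# Added example, not part of s390-tools or of check_sb_trailer.sh.
# Usage after sourcing: check_sb_trailer arch/s390/boot/bzImage

SB_TRAILER_LEN=32
# Expected trailer as lowercase hex, matching the sample output in the
# test plan: 27 zero bytes, then 0x20, then the ASCII bytes "zIPL".
SB_TRAILER_HEX="$(printf '%054d' 0)207a49504c"

# sb_trailer_hex FILE: print the last 32 bytes of FILE as one hex string.
sb_trailer_hex() {
    tail -c "$SB_TRAILER_LEN" "$1" | od -An -v -tx1 | tr -d ' \n'
}

# check_sb_trailer FILE (return codes are this example's own convention):
#   0 = trailer matches, 1 = trailer missing or different,
#   2 = file unreadable or shorter than a trailer.
check_sb_trailer() {
    file=$1
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -lt "$SB_TRAILER_LEN" ]; then
        echo "$file: $size bytes, too short to hold a trailer" >&2
        return 2
    fi
    offset=$((size - SB_TRAILER_LEN))
    found=$(sb_trailer_hex "$file")
    printf 'Read %d bytes at offset %08x of %s:\n%s\n' \
        "$SB_TRAILER_LEN" "$offset" "$file" "$found"
    if [ "$found" = "$SB_TRAILER_HEX" ]; then
        echo "Trailer matches the expected bytes"
        return 0
    fi
    echo "Trailer does not match the expected bytes" >&2
    return 1
}
```

A non-zero result on a freshly built image is worth checking against the '--pad-to=0xe000' case listed under "Where problems could occur".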
