[Acked/CMT] [PATCH][EOAN] UBUNTU: [Config] enable secureboot signing on s390x

Dimitri John Ledkov xnox at ubuntu.com
Fri Jul 19 02:03:29 UTC 2019


On Thu, 18 Jul 2019 at 15:32, Andy Whitcroft <apw at canonical.com> wrote:
>
> On Tue, Jul 16, 2019 at 01:02:04AM +0100, Dimitri John Ledkov wrote:
> > Bug-Link: https://bugs.launchpad.net/bugs/1829749
> >
> > Signed-off-by: Dimitri John Ledkov <xnox at ubuntu.com>
> > ---
> >  debian.master/rules.d/s390x.mk  | 2 +-
> >  debian/rules                    | 2 +-
> >  debian/rules.d/1-maintainer.mk  | 1 +
> >  debian/rules.d/2-binary-arch.mk | 5 +++++
> >  4 files changed, 8 insertions(+), 2 deletions(-)
> >
> > diff --git a/debian.master/rules.d/s390x.mk b/debian.master/rules.d/s390x.mk
> > index dad66b1a674f..14e58db17d27 100644
> > --- a/debian.master/rules.d/s390x.mk
> > +++ b/debian.master/rules.d/s390x.mk
> > @@ -11,7 +11,7 @@ vdso                = vdso_install
> >  no_dumpfile  = true
> >
> >  do_extras_package = true
> > -
> > +sipl_signed       = true
> >  do_tools_usbip    = true
> >  do_tools_cpupower = true
> >  do_tools_perf     = true
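
Review bot: the added `sipl_signed       = true` line takes the place of the blank line that separated `do_extras_package` from the `do_tools_*` settings, so the signing switch now reads as part of the tools block. Keep the blank separator and add a one-line comment saying what sipl signing is, since the commit message carries only the Bug-Link.
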
> > diff --git a/debian/rules b/debian/rules
> > index 0953195f5ab1..80205f30b265 100755
> > --- a/debian/rules
> > +++ b/debian/rules
> > @@ -49,7 +49,7 @@ ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
> >  endif
> >
> >  # Are any of the kernel signing options enabled.
> > -any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed)))
> > +any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed)))
> >  ifeq ($(any_signed),true)
> >  bin_pkg_name=$(bin_pkg_name_unsigned)
> >  else
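
Review bot: adding `$(sipl_signed)` to `any_signed` means the `ifeq ($(any_signed),true)` branch just below now selects `bin_pkg_name=$(bin_pkg_name_unsigned)` for s390x, a package rename that the commit message does not mention. State that consequence in the commit message, and name what supplies the signed image for s390x once the main binary package becomes the unsigned one.
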
> > diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk
> > index e71bf3c281ef..efc5e50841c9 100644
> > --- a/debian/rules.d/1-maintainer.mk
> > +++ b/debian/rules.d/1-maintainer.mk
> > @@ -92,6 +92,7 @@ printenv:
> >       @echo "any_signed                = $(any_signed)"
> >       @echo " uefi_signed               = $(uefi_signed)"
> >       @echo " opal_signed               = $(opal_signed)"
> > +     @echo " sipl_signed               = $(sipl_signed)"
> >       @echo "full_build                = $(full_build)"
> >       @echo "libc_dev_version          = $(libc_dev_version)"
> >       @echo "DEB_HOST_GNU_TYPE         = $(DEB_HOST_GNU_TYPE)"
> > diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
> > index f3ab06748cf6..083b64772439 100644
> > --- a/debian/rules.d/2-binary-arch.mk
> > +++ b/debian/rules.d/2-binary-arch.mk
> > @@ -151,6 +151,11 @@ ifeq ($(opal_signed),true)
> >       cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
> >               $(signingv)/$(instfile)-$(abi_release)-$*.opal;
> >  endif
> > +ifeq ($(sipl_signed),true)
> > +     install -d $(signingv)
> > +     cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
> > +             $(signingv)/$(instfile)-$(abi_release)-$*.sipl;
> > +endif
> >
> >       install -d $(pkgdir)/boot
> >       install -m644 $(builddir)/build-$*/.config \
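
Review bot: the `cp -p` in the new `sipl_signed` block is the same command as the `opal_signed` copy directly above it, differing only in the `.sipl` suffix. Consider a single rule that iterates over the enabled signing suffixes, so that a further signing type does not need another pasted `ifeq` block.
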
> > --
> > 2.20.1
>
> Looks in the ball-park.
>
> Acked-by: Andy Whitcroft <apw at canonical.com>
>
> Was there something we were waiting for before allowing the kernel to be
> signed, making sure it was appropriately locked down as is done in x86 I
> think.  Xnox, has that landed?
>
> -apw

As discussed on IRC, there is currently no appropriate locking down
as is done in x86. Opened a case to confirm with IBM if further locking
down is to be expected or not.
Thus this is on hold, pending further information.

-- 
Regards,

Dimitri.


