[SRU][K][J][F][PATCH 0/1] boot: Add s390x secure boot trailer (LP: 1996071)
frank.heimes at canonical.com
Fri Nov 11 08:43:08 UTC 2022
BugLink: https://bugs.launchpad.net/bugs/1996071
SRU Justification:
[Impact]
* Secure boot of Linux on s390x will no longer be possible
with an upcoming IBM zSystems firmware update.
[Fix]
* aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer"
for kinetic and jammy
* https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch
backport for focal
[Test Plan]
* An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required.
* Ensure that 'Enable Secure Boot for Linux' is marked in case
'SCSI Load' is selected at the HMC's Load task and Activation Profile.
* Perform an Ubuntu Server installation, either 20.04 or 22.04
(latest ISO).
It will be a secure boot installation by default in case
'Enable Secure Boot for Linux' was marked.
* Check sysfs:
  /sys/firmware/ipl/has_secure
    '1' indicates hw support for secure boot, otherwise '0'
  /sys/firmware/ipl/secure
    '1' indicates that secure IPL was successful, otherwise '0'
* Navigate to the HMC task 'System information'
and check the active firmware release.
* Ensure that Ubuntu is still bootable in secure-boot mode
with the updated firmware active,
by for example doing a reboot after the firmware upgrade.
[Where problems could occur]
* The 'trailer' might be broken, invalid or in a wrong format
and can't be identified or read properly,
or may cause issues while compressing/decompressing the kernel.
* In the worst case secure boot might become broken,
even on systems that are still on the unpatched firmware level.
* Or secure boot will become broken in general.
[Other Info]
* The above commit was accepted upstream with v6.1-rc3.
* And it got tagged for upstream stable with:
"Cc: <stable at vger.kernel.org> # 5.2+"
* But since this bug is marked as critical, and the patch is relatively
short, traceable and s390x-specific, I'll go ahead and submit this
patch for Jammy and Focal ahead of upstream stable.
* Since on focal file 'vmlinux.lds.S' is at a different location
'arch/s390/boot/compressed/' instead of 'arch/s390/boot/'
and the context is slightly different, the backport is needed.
* It's planned to have kernel 6.2 in lunar (23.04), hence it will have
the patch included when at the planned target level.
Peter Oberparleiter (1):
s390/boot: add secure boot trailer
arch/s390/boot/compressed/vmlinux.lds.S | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--
2.25.1
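
The sysfs check and the final reboot step of the test plan above can be scripted as follows. This is an added example, not part of the original mail or the patch; the function names and the optional directory argument (which lets the check run against a constructed tree instead of the live /sys/firmware/ipl) are assumptions of the example.

```shell
#!/bin/sh
# Classify the secure-IPL state from the two sysfs attributes in the test plan.
# $1 (hypothetical parameter): directory holding has_secure and secure;
# defaults to the real location on an s390x system.
secure_ipl_state() {
    dir=${1:-/sys/firmware/ipl}
    # Attributes missing: not s390x, or a kernel that does not expose them.
    if [ ! -r "$dir/has_secure" ] || [ ! -r "$dir/secure" ]; then
        echo "unknown"
        return 3
    fi
    has=$(cat "$dir/has_secure")
    sec=$(cat "$dir/secure")
    case "$has:$sec" in
        1:1) echo "secure";      return 0 ;;  # hw support and secure IPL succeeded
        1:0) echo "not-secure";  return 1 ;;  # hw support, but IPL was not secure
        0:0) echo "unsupported"; return 2 ;;  # no hw support for secure boot
        *)   echo "unknown";     return 3 ;;  # inconsistent or unexpected values
    esac
}

# Regression check for the last test-plan step: a system that IPLed securely
# before the firmware update must still do so after it.
# $1: state recorded before the update, $2: state read after the reboot.
secure_ipl_regressed() {
    [ "$1" = "secure" ] && [ "$2" != "secure" ]
}
```

Record the output of `secure_ipl_state` before the firmware update, then pass it together with the post-reboot output to `secure_ipl_regressed`; a zero exit status from the latter means secure boot was lost.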