APPLIED/Cmnt: [SRU][K][J][F][PATCH 0/1] boot: Add s390x secure boot trailer (LP: 1996071)

Stefan Bader stefan.bader at canonical.com
Fri Nov 11 11:09:17 UTC 2022


On 11.11.22 09:43, frank.heimes at canonical.com wrote:
> BugLink: https://bugs.launchpad.net/bugs/1996071
> 
> SRU Justification:
> 
> [Impact]
> 
>   * Secure boot of Linux on s390x will no longer be possible
>     with an upcoming IBM zSystems firmware update.
> 
> [Fix]
> 
>   * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer"
>     for kinetic and jammy
> 
>   * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch
>     backport for focal
> 
> [Test Plan]
> 
>   * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required.
> 
>   * Ensure that 'Enable Secure Boot for Linux' is marked in case
>     'SCSI Load' is selected at the HMC's Load task and Activation Profile.
> 
>   * Perform an Ubuntu Server installation, either 20.04 or 22.04
>     (latest ISO).
>     It will be a secure boot installation by default in case
>     'Enable Secure Boot for Linux' was marked.
> 
>   * Check sysfs:
>     /sys/firmware/ipl/has_secure
>        '1' indicates hw support for secure boot, otherwise '0'
>     /sys/firmware/ipl/secure
>        '1' indicates that secure IPL was successful, otherwise '0'
> 
>   * Navigate to the HMC task 'System information'
>     and check the active firmware release.
> 
>   * Ensure that Ubuntu is still bootable in secure-boot mode
>     with the updated firmware active,
>     by for example doing a reboot after the firmware upgrade.
> 
> [Where problems could occur]
> 
>   * The 'trailer' might be broken, invalid or in a wrong format
>     and can't be identified or read properly,
>     or may cause issues while compressing/decompressing the kernel.
> 
>   * In the worst case secure boot might become broken,
>     even on systems that are still on the unpatched firmware level.
> 
>   * Or secure boot will become broken in general.
> 
> [Other Info]
> 
>   * The above commit was upstream accepted with v6.1-rc3.
> 
>   * And it got tagged for upstream stable with:
>     "Cc: <stable at vger.kernel.org> # 5.2+"
> 
>   * But since this bug is marked as critical, and the patch is relatively
>     short, traceable and s390x-specific, I'll go ahead and submit this
>     patch for Jammy and Focal ahead of upstream stable.
> 
>   * Since on focal file 'vmlinux.lds.S' is at a different location
>     'arch/s390/boot/compressed/' instead of 'arch/s390/boot/'
>     and the context is slightly different, the backport is needed.
> 
>   * It's planned to have kernel 6.2 in lunar (23.04), hence it will have
>     the patch incl. when at the planned target level.
> 
> Peter Oberparleiter (1):
>    s390/boot: add secure boot trailer
> 
>   arch/s390/boot/compressed/vmlinux.lds.S | 13 +++++++++++--
>   1 file changed, 11 insertions(+), 2 deletions(-)
> 

Applied to kinetic,jammy,focal:linux/master-next. For Kinetic this had to be 
adjusted to the upstream location (making it a real cherry-pick), for Jammy the 
K/J patch sent was applied but s-o-b adjusted to make it a backport (different 
file location). Focal was applied as sent. Thanks.

-Stefan
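
The sysfs check from the test plan above, written as a small script; this is an added example, not part of the original thread or of the patch. The state names it prints ("secure", "not-secure", and so on) and the optional directory argument are assumptions made for the example; only the two attribute paths and the meaning of '1' and '0' come from the test plan.

```shell
#!/bin/sh
# Classify the secure-IPL state from the two sysfs attributes named in
# the test plan:
#   has_secure  '1' = hardware supports secure boot, otherwise '0'
#   secure      '1' = secure IPL was successful, otherwise '0'
# The directory argument is hypothetical and exists so the function can
# be run against a constructed directory on a non-s390x machine.

secure_ipl_state() {
    dir=${1:-/sys/firmware/ipl}

    # Attributes absent or unreadable (for example, not an s390x system).
    if [ ! -r "$dir/has_secure" ] || [ ! -r "$dir/secure" ]; then
        echo "unknown"
        return 0
    fi

    # Strip the trailing newline and any other whitespace.
    has=$(tr -d '[:space:]' < "$dir/has_secure")
    sec=$(tr -d '[:space:]' < "$dir/secure")

    case "$has:$sec" in
        1:1) echo "secure" ;;        # supported, and this IPL was secure
        1:0) echo "not-secure" ;;    # supported, but this IPL was not secure
        0:0) echo "unsupported" ;;   # no hardware support reported
        *)   echo "inconsistent" ;;  # e.g. 0:1 or unexpected content
    esac
}

# Print the state of the running system.
secure_ipl_state
```

Run it once before the firmware update and once after the reboot that follows it; per the test plan, the expected result on a secure-boot installation is "secure" both times.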