Please test secure-boot and lockdown on the early 5.19 and 6.0 kernel (ppc64le)

Bug #1973375 reported by Patricia Domingues
Affects: The Ubuntu-power-systems project; Status: Invalid; Importance: High; Assigned to: James O'Connor

Bug Description

The Ubuntu kernel team is working on a kernel 5.18 for Ubuntu 22.10 (Kinetic Kudu) and has builds ready for early testing of the secure boot and lockdown functionality.

Before this kernel is moved to the official archive, tests are needed from IBM for ppc64el.

The kernel has been uploaded to ppa:canonical-kernel-team/unstable:
https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable/

The PPA key used for signing can be found here:
http://ppa.launchpad.net/canonical-kernel-team/unstable/ubuntu/dists/devel/main/signed/linux-unstable-ppc64el/5.18.0-3.3/

(Please note that this kernel comes from the canonical-kernel-team PPA and is not signed with the regular archive/release key, but with the PPA signing key above.)

bugproxy (bugproxy)
tags: added: architecture-ppc64le bugnameltc-198288 severity-medium targetmilestone-inin2210
Changed in ubuntu-power-systems:
importance: Undecided → High
Andrea Righi (arighi) wrote :

Do we have any news for this? At the moment this is the only blocker to release a 5.18 kernel in Kinetic.

Moreover, in the meantime we've also made some progress with 5.19. In the same ppa (https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable/) there's a new kernel called linux-unstable 5.19.0-4-generic, that would require the same secure boot test. We've already tested secure boot / lockdown with this new linux-unstable 5.19 kernel with positive results on amd64 and arm.

Ultimately the plan is to go with 5.19 in Kinetic, but since 5.19 is still an -rc kernel we would like to play safe and release a 5.18 first, then move to 5.19. That means we need to test secure boot with both of them...

Let me know if there's any problem with this or if there's anything we can do to help. Thanks!

James O'Connor (jpoc) wrote :

Thanks for your continued patience on this request. I will be completing the testing and I am working with our Linux security team to get up to speed with the task flow.

I have built a witherspoon.pnor image from https://github.com/open-power/op-build

Next we cross our fingers and flash ...

Changed in ubuntu-power-systems:
assignee: nobody → James O'Connor (jpoc)
James O'Connor (jpoc) wrote :

My witherspoon openpower firmware successfully boots. The next roadblock is that I need a secure boot override jumper opened on the planar of the test system. An internal lab ticket has been opened for that. I will test both the 5.18 and 5.19-rc ppc64el kernels above.

https://developer.ibm.com/articles/protect-system-firmware-openpower/

"Secure boot is enabled by means of a secure mode override jumper on the system board. When the jumper is removed, secure mode is in force and the secure boot code in each component is activated. When the jumper is in place, secure mode is disabled, in which case the boot process will ignore the container metadata and load any image from PNOR, signed or unsigned."
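
Added check, not code from the bug thread: a small script a tester could run on the booted ppc64le kernel to confirm that the firmware really enforced secure mode (jumper removed) and that the kernel applied lockdown, rather than treating a successful boot as a pass. It assumes the device-tree and securityfs interfaces exposed by mainline powerpc kernels (`/proc/device-tree/ibm,secureboot`, `/proc/device-tree/ibm,secure-boot`, `/sys/kernel/security/lockdown`); the sample tree it builds is constructed so the script also runs offline on a non-Power host.

```shell
#!/bin/sh
# Added example, not code from the bug thread: confirm on the booted ppc64le
# kernel that firmware enforced secure mode (jumper removed) and the kernel is
# in lockdown, rather than treating "it booted" as a pass. Uses the device-tree
# and securityfs interfaces of mainline powerpc kernels; SAMPLE is constructed.

# Active lockdown mode from a securityfs "lockdown" file, whose content
# looks like "none [integrity] confidentiality".
lockdown_mode() {
    [ -r "$1" ] || { echo unknown; return 1; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

# Secure-boot state from a device-tree root (normally /proc/device-tree).
# OpenPOWER firmware: node "ibm,secureboot" carries an "os-secureboot-enforcing"
# boolean when enforcing. PowerVM: big-endian u32 root property
# "ibm,secure-boot" (0 = disabled, 1 = audit/log only, 2 = enforce).
secure_boot_state() {
    dt="$1"
    if [ -d "$dt/ibm,secureboot" ]; then
        [ -e "$dt/ibm,secureboot/os-secureboot-enforcing" ] && echo enforce || echo disabled
    elif [ -r "$dt/ibm,secure-boot" ]; then
        case "$(od -An -tu1 "$dt/ibm,secure-boot" | xargs)" in
            "0 0 0 0") echo disabled ;;
            "0 0 0 1") echo audit ;;
            "0 0 0 2") echo enforce ;;
            *)         echo unknown ;;
        esac
    else
        echo absent; return 1
    fi
}

# PASS only when secure boot is enforced and lockdown is at least
# "integrity" (unsigned modules and kexec images are then refused).
verdict() {
    sb=$(secure_boot_state "$1"); ld=$(lockdown_mode "$2")
    case "$sb/$ld" in
        enforce/integrity|enforce/confidentiality) echo "PASS secure-boot=$sb lockdown=$ld" ;;
        *) echo "FAIL secure-boot=$sb lockdown=$ld" ;;
    esac
}

# Constructed sample tree mimicking an enforcing OpenPOWER host, then the live host.
SAMPLE=$(mktemp -d); mkdir -p "$SAMPLE/dt/ibm,secureboot"
: > "$SAMPLE/dt/ibm,secureboot/os-secureboot-enforcing"
printf 'none [integrity] confidentiality\n' > "$SAMPLE/lockdown"
verdict "$SAMPLE/dt" "$SAMPLE/lockdown"; rm -rf "$SAMPLE"
verdict /proc/device-tree /sys/kernel/security/lockdown || true
```

On a host booted with the jumper in place (secure mode disabled) the second verdict line reports FAIL even though the unsigned kernel booted fine, which is exactly the case the tester needs to distinguish.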

Patricia Domingues (patriciasd) wrote :

Hello, could you please also include testing secure boot with the new 6.0 (Package: `linux-image-6.0.0-5-generic`) kinetic/linux-unstable kernel on ppc64le?

It is available in ppa:canonical-kernel-team/unstable:

https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable/

Thanks

summary: - Please test secure-boot and lockdown on the early 5.18 kernel (ppc64le)
+ Please test secure-boot and lockdown on the early 5.19 and 6.0 kernel
+ (ppc64le)
Dimitri John Ledkov (xnox) wrote :

The Kinetic BETA ISO is unlikely to be released for the ppc64le architecture (Ubuntu Server product) using the v5.19 kernel.

The Kinetic GA ISO is now at risk of being released for the ppc64le architecture without secureboot signatures, meaning it will only be usable without secureboot.

Secureboot testing is a blocking issue for ppc64le Ubuntu Server product.

Dimitri John Ledkov (xnox) wrote :

Please note that an Ubuntu Server ISO with regular signatures on the kernel is currently available, which should make it possible to test without jumper overrides.

Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
https://iso.qa.ubuntu.com/qatracker/reports/bugs/1973375

tags: added: iso-testing
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-10-02 22:10 EDT-------
I think the final kernel for the Kinetic release is 6.0.0. Please confirm if I misunderstood, because that is the kernel I installed for testing secureboot on ppc64le.

Also, I have run into some technical issues while testing that are unrelated to secureboot or Ubuntu. I will try to get those fixed and close out the testing.

Thanks & Regards,
- Nayna

Frank Heimes (fheimes) wrote :

Hi Nayna, no, the target kernel for kinetic is still 5.19.
So this one would be ideal to test: https://people.canonical.com/~xnox/ppc64el/kinetic-live-server-ppc64el.iso (here with a std. system, setup and key).
Ideally the 6.0 on top, from the URL below:
https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable/
(but this one with the test/dev key).

Frank Heimes (fheimes) wrote :

It was decided in one of the recent joint calls that this will be dropped,
since secureboot lockdown for bare metal is phasing out with P9
and the future is secureboot lockdown with P10 on PowerVM,
which is planned for 24.04 (and addressed by LP#1903288 and LP#1903289).

Changed in ubuntu-power-systems:
status: New → Invalid