[UBUNTU 20.04] zipl: Add secure boot trailer (s390-tools part)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners |
s390-tools (Ubuntu) | Invalid | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Unassigned |
Kinetic | Fix Released | Undecided | Unassigned |
s390-tools-signed (Ubuntu) | Invalid | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Unassigned |
Kinetic | Fix Released | Undecided | Unassigned |
Bug Description
SRU Justification:
==================
[ Impact ]
* Secureboot on Ubuntu/s390x (and Linux on zSystems in general)
will no longer be possible with an upcoming IBM zSystems firmware update.
* New IBM zSystems firmware requires all signed boot images to contain a
trailing data block with a specific format.
* Solution: Add trailing data block to the zipl stage 3 boot loader image.
[ Fix ]
* 5768d55a08e163f
"zipl/boot: add secure boot trailer"
[ Test Plan ]
* Reproduction: Apply latest zSystem firmware, perform an IPL (boot)
with Secure Boot enabled (in the LPAR activation profile).
* Without having the new firmware in place, or on systems that do not support
secureboot on s390x, the boot trailer can be tested with this script:
https:/
$ check_sb_trailer.sh arch/s390/
Checking secure boot trailer of file arch/s390/
* Read 32 bytes at offset 00777fe0:
000000000000
* Success - Linux kernel trailer found
[ Where problems could occur ]
* Problems could occur if build tools still use '--pad-to=0xe000'
* or if the trailer is not generated the right way (according to
the trailer spec),
* or the kernel is not able to detect the trailer properly
(maybe because the trailer is generated in a wrong way,
or the detection mechanism is wrong).
* But this can be tested by using the script mentioned above,
and was already tested (kernel part) based on LP#1996071.
[ Other Info ]
* This bug also has a Kernel part which is addressed in a separate
ticket: https:/
* The kernel part is addressed in the current cycle, hence Fix Committed.
* The affected Ubuntu releases are Focal, Jammy and Kinetic - as one can
see at the bug header of this ticket.
* Lunar will get a brand new s390-tools package later in the cycle,
that will have this fix included.
__________
Description: zipl: Add secure boot trailer
Symptom: Secure boot of Linux will no longer be possible with an upcoming
IBM Z firmware update.
Problem: New IBM Z firmware requires all signed boot images to contain a
Solution: Add trailing data block to the zipl stage 3 boot loader image.
Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled.
Fix: Available upstream with
Upstream-ID: 5768d55a08e163f
Upstream-
This patch enhances the zipl stage3 loader image adding a trailer as
Note: with the change in this patch the padding via objcopy command line
same effect.
Signed-off-by: Peter Oberparleiter <email address hidden>
tags: added: architecture-s39064 bugnameltc-200453 severity-high targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in linux (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → nobody
affects: linux (Ubuntu) → s390-tools (Ubuntu)
Changed in ubuntu-z-systems:
importance: Undecided → High
description: updated
description: updated
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
tags: added: targetmilestone-inin2004 removed: targetmilestone-inin---
tags: added: verification-done-focal
Changed in s390-tools-signed (Ubuntu):
status: In Progress → Fix Committed
Changed in s390-tools (Ubuntu):
status: In Progress → Fix Committed
Test packages are being built for K, J and F at these PPAs:
Kinetic: https://launchpad.net/~fheimes/+archive/ubuntu/lp1996069
Jammy: https://launchpad.net/~fheimes/+archive/ubuntu/lp1974109+lp1959987+lp1990520+lp1990524+lp1996069
Focal: https://launchpad.net/~fheimes/+archive/ubuntu/lp1987387+lp1996069
The fix for this particular bug is combined with other bug fixes in a single package update.