[23.10] Please test secure-boot and lockdown on the early 6.5 kernel (s390x)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | High | bugproxy |
Bug Description
The Canonical kernel team is working on a kernel 6.5 for 'mantic' (23.10) and has some first kernel builds ready for secure-boot and lockdown testing (version 6.5.0-1.1).
To avoid potential negative implications that a broken secure-boot lockdown functionality, shipped with a new major kernel version, would cause (esp. using the production key), we ask as usual to get secure-boot lockdown tested (with every new major kernel release) early in the cycle, based on the following test kernel in the kernel team's PPA, using a test key for the signature.
The early test build is available in: ppa:canonical-
(https:/
The PPA key used for signing can be found in the tarball available here:
https:/
(Please note that this kernel is coming from the 'canonical-
Changed in ubuntu-z-systems: | |
status: | New → Confirmed |
tags: | added: reverse-proxy-bugzilla s390x |
Changed in ubuntu-z-systems: | |
assignee: | nobody → bugproxy (bugproxy) |
importance: | Undecided → High |
tags: | added: architecture-s39064 bugnameltc-203085 severity-high targetmilestone-inin--- |
Changed in ubuntu-z-systems: | |
status: | Confirmed → Fix Released |
tags: | removed: verification-needed-jammy-linux-oem-6.5 |
------- Comment From <email address hidden> 2023-07-27 05:46 EDT-------
we installed from ppa:canonical-kernel-team/unstable:
cat /etc/os-release
PRETTY_NAME="Ubuntu Mantic Minotaur (development branch)"
NAME="Ubuntu"
VERSION_ID="23.10"
VERSION="23.10 (Mantic Minotaur)"
VERSION_CODENAME=mantic
...
# uname -r
6.5.0-1-generic
and used 6.5.0-1.1+1/control/sipl.x509 signature and 6.5.0-1.1+1/boot/vmlinuz-6.5.0-1-generic.sipl from the tar file from https://ppa.launchpad.net/canonical-kernel-team/unstable/ubuntu/dists/devel/main/signed/linux-generate-unstable-s390x/current/
signed.tar.gz
ls -l /boot/vmlinuz
lrwxrwxrwx 1 root root 28 Jul 26 11:32 /boot/vmlinuz -> vmlinuz-6.5.0-1-generic.sipl
load with kernel vmlinuz-6.5.0-1-generic.sipl
- without secure boot enable
- without adding the signature
==> as expected:
IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.2' level 'D51C.D51C_328.16'.
OK00000000 Success
load with kernel vmlinuz-6.5.0-1-generic
- with secure boot enable
- with adding the signature
==> not expected:
IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.2' level 'D51C.D51C_328.16'.
--- Audit message summary start ---
MLOLOA62693210 Audit: Signature verification failure for component 3 in program
0 loaded from device HBA:0.0.1900,WWPN:500507630710572C,LUN:4020404E00000000.
--- Audit message summary end ---
MLOLOA6269321F A security violation error was encountered when loading from devi
ce HBA:0.0.1900,WWPN:500507630710572C,LUN:4020404E00000000.
IPL failed (110).
LdiplStructureProcessor.cpp:processComponentTable:75: Found IMAGE component @0x156d1630 w LOAD ADDRESS 0xa000.
CertificateVerification.cpp:verifySignature:237: Failed to verify image component @0x156d1630 w associated signature component @0x156d19b0 and certificate #0 w vc_index 1.
LdiplStructureProcessor.cpp:checkSignature:288: Audit: Signature verification failed for component #3 @0x156d1630.
LdiplStructureProcessor.cpp:processComponentTable:91: Found Image Component @0x156d1630 w SCLAB @0x156cde10.
LdiplStructureProcessor.cpp:processComponentTable:98: Found the 'global' SCLAB (1) @0x156d1630
LdiplComponentType02Image.cpp:checkSignedCodeLoadingAttributesFacilityRules:235: Audit summary 2a: Error indicators for the SCLAB of component 3 is 0x0.
but load for component 5 worked:
LdiplStructureProcessor.cpp:processComponentTable:75: Found IMAGE component @0x156fcd90 w LOAD ADDRESS 0x10000.
CertificateVerification.cpp:verifySignature:227: Successfully verified image component @0x156fcd90 w associated signature component @0x156fef00 and certificate #0 w vc_index 1.
LdiplStructureProcessor.cpp:processComponentTable:91: Found Image Component @0x156fcd90 w SCLAB @0x156fcd50.
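
An added example, not part of the bug report or the comment: a small triage script for loader log lines like those quoted above. It lists image components that were not positively verified and certificates that both verified and failed a component. The sample input is reassembled from the comment's log, and the function names are this example's own.

```python
import re

# Constructed sample: firmware log lines reassembled from the comment above.
SAMPLE_LOG = """\
LdiplStructureProcessor.cpp:processComponentTable:75: Found IMAGE component @0x156d1630 w LOAD ADDRESS 0xa000.
CertificateVerification.cpp:verifySignature:237: Failed to verify image component @0x156d1630 w associated signature component @0x156d19b0 and certificate #0 w vc_index 1.
LdiplStructureProcessor.cpp:checkSignature:288: Audit: Signature verification failed for component #3 @0x156d1630.
LdiplStructureProcessor.cpp:processComponentTable:75: Found IMAGE component @0x156fcd90 w LOAD ADDRESS 0x10000.
CertificateVerification.cpp:verifySignature:227: Successfully verified image component @0x156fcd90 w associated signature component @0x156fef00 and certificate #0 w vc_index 1.
"""

FOUND = re.compile(r"Found IMAGE component @(0x[0-9a-f]+) w LOAD ADDRESS (0x[0-9a-f]+)")
VERIFY = re.compile(
    r"(Successfully verified|Failed to verify) image component @(0x[0-9a-f]+)"
    r" w associated signature component @(0x[0-9a-f]+)"
    r" and certificate #(\d+) w vc_index (\d+)")
AUDIT = re.compile(r"Signature verification failed for component #(\d+) @(0x[0-9a-f]+)")


def triage(log_text):
    """Map each image component address to what the loader logged about it."""
    comps = {}

    def rec(addr):
        return comps.setdefault(addr, {"load_addr": None, "verified": None,
                                       "sig_addr": None, "cert": None, "component": None})

    for line in log_text.splitlines():
        if m := FOUND.search(line):
            rec(m.group(1))["load_addr"] = int(m.group(2), 16)
        elif m := VERIFY.search(line):
            r = rec(m.group(2))
            r["verified"] = m.group(1) == "Successfully verified"
            r["sig_addr"] = m.group(3)
            r["cert"] = (int(m.group(4)), int(m.group(5)))  # (certificate #, vc_index)
        elif m := AUDIT.search(line):
            rec(m.group(2))["component"] = int(m.group(1))
    return comps


def unverified(comps):
    """Fail closed: anything not positively verified is reported."""
    return sorted(a for a, r in comps.items() if r["verified"] is not True)


def mixed_certs(comps):
    """Certificates that verified one component and failed another."""
    ok = {r["cert"] for r in comps.values() if r["verified"] is True}
    bad = {r["cert"] for r in comps.values() if r["verified"] is False}
    return sorted(ok & bad)
```

On the sample, certificate #0 (vc_index 1) verifies the image loaded at 0x10000 and fails the one loaded at 0xa000, so the certificate was accepted and the failing image/signature pair is the place to look.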