[24.10] Please test secure-boot and lockdown on the 6.10 kernel (s390x) for Oracular
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | High | bugproxy |
linux (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
The Canonical kernel team is working on a new 6.10 kernel for 'oracular' (24.10) and has an early build ready for secure-boot and lockdown testing (version 6.10.0-4.4).
To avoid potentially negative implications that a broken secure-boot lockdown functionality would cause (esp. using the production key), we ask to get secure-boot tested early in the cycle using Canonical kernel team's PPA key for signature.
The early test build is available at: ppa:canonical-
(https:/
The PPA key used for signing can be found in the tarball available here:
https:/
(Please note that this kernel is coming from the 'canonical-
description: | updated |
Changed in ubuntu-z-systems: | |
assignee: | nobody → bugproxy (bugproxy) |
importance: | Undecided → High |
Changed in linux (Ubuntu): | |
importance: | Undecided → High |
tags: | added: reverse-proxy-bugzilla s390x |
tags: | added: architecture-s39064 bugnameltc-206857 severity-high targetmilestone-inin--- |
Changed in ubuntu-z-systems: | |
status: | New → Fix Released |
tags: | added: targetmilestone-inin2410 removed: targetmilestone-inin--- |
------- Comment From <email address hidden> 2024-06-12 04:31 EDT-------
We installed from ppa:canonical-kernel-team/unstable:
# cat /etc/os-release
PRETTY_NAME="Ubuntu Oracular Oriole (development branch)"
NAME="Ubuntu"
VERSION_ID="24.10"
VERSION="24.10 (Oracular Oriole)"
VERSION_CODENAME=oracular
...
...
# uname -r
6.10.0-4-generic
# grep [0-9] /sys/firmware/ipl/*sec*
/sys/firmware/ipl/has_secure:1
/sys/firmware/ipl/secure:0
# ls -l /boot/vmlinuz /boot/initrd.img
lrwxrwxrwx 1 root root 27 Jun 12 07:30 /boot/initrd.img -> initrd.img-6.10.0-4-generic
lrwxrwxrwx 1 root root 24 Jun 12 07:30 /boot/vmlinuz -> vmlinuz-6.10.0-4-generic
load with kernel vmlinuz-6.10.0-4-generic
- without secure boot enable
- without adding the signature
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.4' level 'D51C.D51C_328.17'.
--- Audit message summary start ---
MLOLOA62693210 Audit: Signature verification failure for component 5 in program
0 loaded from device HBA:0.0.1900,WWPN:500507630710572c,LUN:4021402c00000000.
--- Audit message summary end ---
OK00000000 Success
load with kernel vmlinuz-6.8.0-2-generic
- with secure boot enable
- without adding the signature
IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.4' level 'D51C.D51C_328.17'.
--- Audit message summary start ---
MLOLOA62693210 Audit: Signature verification failure for component 5 in program
0 loaded from device HBA:0.0.1900,WWPN:500507630710572C,LUN:4021402C00000000.
--- Audit message summary end ---
MLOLOA6269321F A security violation error was encountered when loading from devi
ce HBA:0.0.1900,WWPN:500507630710572C,LUN:4021402C00000000.
IPL failed (110).
load with kernel vmlinuz-6.8.0-2-generic
- with secure boot enable
- with adding the signature
IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.4' level 'D51C.D51C_328.17'.
OK00000000 Success
[ 0.082046] Linux version 6.10.0-4-generic (buildd@bos01-s390x-019) (s390x-linux-gnu-gcc-13 (Ubuntu 13.2.0-25ubuntu1) 13.2.0, GNU ld (GNU Binutils for Ubuntu) 2.42) #4-Ubuntu SMP Mon Jun 3 10:28:36 UTC 2024 (Ubuntu 6.10.0-4.4-generic 6.10.0-rc2)
[ 0.082048] setup: Linux is running natively in 64-bit mode
[ 0.082048] setup: Linux is running with Secure-IPL enabled
After secure boot load
# grep [0-9] /sys/firmware/ipl/*sec*
/sys/firmware/ipl/has_secure:1
/sys/firmware/ipl/secure:1
We used these certificates:
# openssl x509 -text -in sipl1.x509
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a1:b6:a0:75:09:df:f4:18
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN = PPA canonical-kernel-team unstable SIPL
Validity
Not Before: Aug 23 20:47:25 2019 GMT
Not After : Aug 20 20:47:25 2029 GMT
Subject: CN = PPA canonical-kernel-team unstable SIPL
...
...
# openssl x509 -text -in sipl2.x509
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ee:61:db:02:41:ef:d1:06
Signature Algorithm: sha512WithRSAEncryption
Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., OU = Secure Boot, CN = "Canonical Ltd. Secure Boot Signing (ZIPL, 2019)"
Validity
Not Before: May 16 13:50:05 2019 GMT
Not After : May 14 13:50:05 2049 GMT
Subjec...
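
The state check the tester performs by hand in the comment above, scripted as an added example (not part of the original bug report or of any Ubuntu tooling): it reads the two /sys/firmware/ipl attributes and the kernel lockdown mode and prints a single verdict. Assumptions: SYSROOT is a hypothetical override used only to point the check at a constructed tree, the verdict words are invented for this example, and a kernel booted with secure IPL is expected to report an active lockdown mode, which is what this bug asks testers to confirm.

```shell
#!/bin/sh
# Added example: classify the secure-IPL state of an s390x system.
# SYSROOT (hypothetical) prefixes all paths; leave it empty on a real system.

# Print the active lockdown mode, i.e. the bracketed entry in
# /sys/kernel/security/lockdown ("none [integrity] confidentiality").
lockdown_mode() {
    f="${SYSROOT:-}/sys/kernel/security/lockdown"
    [ -r "$f" ] || { echo "unknown"; return 0; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

# Print one verdict word. Exit status: 0 = secure IPL and locked down,
# 1 = a gap a tester should report, 2 = secure IPL not available here.
secure_ipl_state() {
    d="${SYSROOT:-}/sys/firmware/ipl"
    if [ ! -r "$d/has_secure" ] || [ ! -r "$d/secure" ]; then
        echo "no-sysfs"; return 2
    fi
    has=$(cat "$d/has_secure")   # 1: machine offers the secure-IPL facility
    sec=$(cat "$d/secure")       # 1: this boot was a verified secure IPL
    if [ "$has" != 1 ]; then echo "unsupported"; return 2; fi
    if [ "$sec" != 1 ]; then echo "capable-not-enforced"; return 1; fi
    # Assumption: after a secure IPL the kernel should also be locked down.
    case "$(lockdown_mode)" in
        integrity|confidentiality) echo "secure-locked-down"; return 0 ;;
        *) echo "secure-not-locked-down"; return 1 ;;
    esac
}

# Usage on the system under test:
#   secure_ipl_state; echo "exit=$?"
```

The first state in the comment (has_secure:1, secure:0) maps to `capable-not-enforced`; the state after the signed secure boot (has_secure:1, secure:1) maps to one of the two `secure-*` verdicts depending on lockdown.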