[MIR] Please add support for SIPL
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
| Launchpad itself |
High
|
Andy Whitcroft | ||
| linux (Ubuntu) |
Undecided
|
Unassigned | ||
| linux-signed (Ubuntu) |
High
|
Unassigned | ||
| s390-tools (Ubuntu) |
High
|
Dimitri John Ledkov | ||
| s390-tools-signed (Ubuntu) |
High
|
Dimitri John Ledkov |
Bug Description
Please add support for zipl ("z/ecureBoot") signing.
It should be similar to opal signing, but using the new zipl signing key.
I am expecting to sign s390-tools stage3.bin and kernel images using this key.
s390-tools -> can be signed already
kernels -> should only sign v5.2+
Related branches
- Colin Watson: Approve on 2019-06-04
-
Diff: 575 lines (+237/-23)2 files modifiedlib/lp/archivepublisher/signing.py (+39/-17)
lib/lp/archivepublisher/tests/test_signing.py (+198/-6)
description: | updated |
Dimitri John Ledkov (xnox) wrote : | #1 |
Changed in launchpad: | |
assignee: | nobody → Andy Whitcroft (apw) |
importance: | Undecided → High |
status: | New → Fix Committed |
Andy Whitcroft (apw) wrote : | #2 |
Worked with ~cjwatson to add Secure Initial Program Load signing to launchpad. Changes deployed to dogfood and test packages uploaded. This results in a vmlinuz.sipl gaining a vmlinuz.sipl.sig, and an appropriate control/sipl.x509 file. The signed binary validates correctly using the public key. Looks good.
Dimitri John Ledkov (xnox) wrote : | #3 |
tested s390-tools packages on dogfood which look correct.
Changed in s390-tools (Ubuntu): | |
status: | New → In Progress |
Changed in launchpad: | |
status: | Fix Committed → Fix Released |
Changed in s390-tools (Ubuntu): | |
status: | In Progress → Fix Committed |
Dimitri John Ledkov (xnox) wrote : | #4 |
s390-tools in UNAPPROVED
https:/
s390-tools-signed in source NEW
https:/
summary: |
- Please add support for zipl signing + Please add support for sipl |
Reviewed and accepted the s390-tools custom upload. Watched while it was processed which happened without incident:
2019-06-14 09:43:09 DEBUG Publishing custom s390-tools, s390-tools_
Fri, 14 Jun 2019 09:43:09 +0000: (re-)signing /srv/launchpad.
/eoan-proposed/
2019-06-14 09:43:10 DEBUG Publishing custom s390-tools, s390-tools_
2019-06-14 09:43:09 DEBUG Publishing custom s390-tools, s390-tools_
Fri, 14 Jun 2019 09:43:09 +0000: (re-)signing /srv/launchpad.
/eoan-proposed/
2019-06-14 09:43:10 DEBUG Publishing custom s390-tools, s390-tools_
Downloaded the signed artifacts from ports.ubuntu.com, these correctly contain the signature component and the public key. I am also able to validate the resulting signature.
Andy Whitcroft (apw) wrote : | #6 |
Reviewed and iterated on the s390-tools-signed source package; now accepted.
Changed in s390-tools-signed (Ubuntu): | |
status: | New → Fix Committed |
Changed in s390-tools (Ubuntu): | |
assignee: | nobody → Dimitri John Ledkov (xnox) |
Changed in s390-tools-signed (Ubuntu): | |
assignee: | nobody → Dimitri John Ledkov (xnox) |
Changed in s390-tools (Ubuntu): | |
importance: | Undecided → High |
Changed in s390-tools-signed (Ubuntu): | |
importance: | Undecided → High |
Changed in linux-signed (Ubuntu): | |
importance: | Undecided → High |
summary: |
- Please add support for sipl + Please add support for SIPL |
Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package s390-tools-signed - 2.9.0-0ubuntu2
---------------
s390-tools-signed (2.9.0-0ubuntu2) eoan; urgency=medium
* Initial Release LP: #1829749
-- Dimitri John Ledkov <email address hidden> Tue, 28 May 2019 18:28:34 +0100
Changed in s390-tools-signed (Ubuntu): | |
status: | Fix Committed → Fix Released |
summary: |
- Please add support for SIPL + [MIR] Please add support for SIPL |
Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package s390-tools - 2.9.0-0ubuntu3
---------------
s390-tools (2.9.0-0ubuntu3) eoan; urgency=medium
* Fix FTBFS LP: #1833238
-- Dimitri John Ledkov <email address hidden> Wed, 19 Jun 2019 14:28:12 +0100
Changed in s390-tools (Ubuntu): | |
status: | Fix Committed → Fix Released |
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1829749
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.
Changed in linux (Ubuntu): | |
status: | New → Incomplete |
Dimitri John Ledkov (xnox) wrote : | #10 |
Changed in linux (Ubuntu): | |
status: | Incomplete → Fix Committed |
Changed in linux-signed (Ubuntu): | |
status: | New → Fix Committed |
Changed in linux (Ubuntu): | |
status: | Fix Committed → Fix Released |
Changed in linux-signed (Ubuntu): | |
status: | Fix Committed → Fix Released |
I do wonder, if we can somehow arch-specify opal signing.
Cause it's opal for power, zipl for s390x, yet both just use kmodsign. Just a different key.
Not sure if i want to copy&paste all the methods, and tests.