[MIR] Please add support for SIPL

Bug #1829749 reported by Dimitri John Ledkov on 2019-05-20
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
High
Andy Whitcroft
linux (Ubuntu)
Undecided
Unassigned
linux-signed (Ubuntu)
High
Unassigned
s390-tools (Ubuntu)
High
Dimitri John Ledkov
s390-tools-signed (Ubuntu)
High
Dimitri John Ledkov

Bug Description

Please add support for zipl ("z/ecureBoot") signing.

It should be similar to opal signing, but using the new zipl signing key.

I am expecting to sign s390-tools stage3.bin and kernel images using this key.

s390-tools -> can be signed already
kernels -> should only sign v5.2+

Related branches

description: updated
Dimitri John Ledkov (xnox) wrote :

I do wonder, if we can somehow arch-specify opal signing.

Cause it's opal for power, zipl for s390x, yet both just use kmodsign. Just a different key.

Not sure if i want to copy&paste all the methods, and tests.

Colin Watson (cjwatson) on 2019-06-10
Changed in launchpad:
assignee: nobody → Andy Whitcroft (apw)
importance: Undecided → High
status: New → Fix Committed
Andy Whitcroft (apw) wrote :

Worked with ~cjwatson to add Secure Initial Program Load signing to launchpad. Changes deployed to dogfood and test packages uploaded. This results in a vmlinuz.sipl gaining a vmlinuz.sipl.sig, and an appropriate control/sipl.x509 file. The signed binary validates correctly using the public key. Looks good.

Dimitri John Ledkov (xnox) wrote :

tested s390-tools packages on dogfood which look correct.

Changed in s390-tools (Ubuntu):
status: New → In Progress
Colin Watson (cjwatson) on 2019-06-13
Changed in launchpad:
status: Fix Committed → Fix Released
Changed in s390-tools (Ubuntu):
status: In Progress → Fix Committed
Dimitri John Ledkov (xnox) wrote :
summary: - Please add support for zipl signing
+ Please add support for sipl

Reviewed and accepted the s390-tools custom upload. Watched while it was processed which happened without incident:

2019-06-14 09:43:09 DEBUG Publishing custom s390-tools, s390-tools_2.9.0-0ubuntu2_s390x.tar.gz, s390-tools_2.9.0-0ubuntu2_s390x_translations.tar.gz to ubuntu/eoan
Fri, 14 Jun 2019 09:43:09 +0000: (re-)signing /srv/launchpad.net/ubuntu-archive/ubuntu/dists/eoan-proposed/main/signed/s390-tools-s390x/2.9.0-0ubuntu2/SHA256SUMS as /srv/launchpad.net/ubuntu-archive/ubuntu/dists
/eoan-proposed/main/signed/s390-tools-s390x/2.9.0-0ubuntu2/SHA256SUMS.gpg (-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 -u 0xF6ECB3762474EDA9D21B7022871920D1991BC93C --digest-algo SHA512)
2019-06-14 09:43:10 DEBUG Publishing custom s390-tools, s390-tools_2.9.0-0ubuntu2_s390x.tar.gz, s390-tools_2.9.0-0ubuntu2_s390x_translations.tar.gz to ubuntu/eoan
2019-06-14 09:43:09 DEBUG Publishing custom s390-tools, s390-tools_2.9.0-0ubuntu2_s390x.tar.gz, s390-tools_2.9.0-0ubuntu2_s390x_translations.tar.gz to ubuntu/eoan
Fri, 14 Jun 2019 09:43:09 +0000: (re-)signing /srv/launchpad.net/ubuntu-archive/ubuntu/dists/eoan-proposed/main/signed/s390-tools-s390x/2.9.0-0ubuntu2/SHA256SUMS as /srv/launchpad.net/ubuntu-archive/ubuntu/dists
/eoan-proposed/main/signed/s390-tools-s390x/2.9.0-0ubuntu2/SHA256SUMS.gpg (-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 -u 0xF6ECB3762474EDA9D21B7022871920D1991BC93C --digest-algo SHA512)
2019-06-14 09:43:10 DEBUG Publishing custom s390-tools, s390-tools_2.9.0-0ubuntu2_s390x.tar.gz, s390-tools_2.9.0-0ubuntu2_s390x_translations.tar.gz to ubuntu/eoan

Downloaded the signed artifacts from ports.ubuntu.com, these correctly contain the signature component and the public key. I am also able to validate the resulting signature.

Andy Whitcroft (apw) wrote :

Reviewed and iterated on the s390-tools-signed source package; now accepted.

Changed in s390-tools-signed (Ubuntu):
status: New → Fix Committed
Changed in s390-tools (Ubuntu):
assignee: nobody → Dimitri John Ledkov (xnox)
Changed in s390-tools-signed (Ubuntu):
assignee: nobody → Dimitri John Ledkov (xnox)
Changed in s390-tools (Ubuntu):
importance: Undecided → High
Changed in s390-tools-signed (Ubuntu):
importance: Undecided → High
Changed in linux-signed (Ubuntu):
importance: Undecided → High
summary: - Please add support for sipl
+ Please add support for SIPL
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools-signed - 2.9.0-0ubuntu2

---------------
s390-tools-signed (2.9.0-0ubuntu2) eoan; urgency=medium

  * Initial Release LP: #1829749

 -- Dimitri John Ledkov <email address hidden> Tue, 28 May 2019 18:28:34 +0100

Changed in s390-tools-signed (Ubuntu):
status: Fix Committed → Fix Released
summary: - Please add support for SIPL
+ [MIR] Please add support for SIPL
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.9.0-0ubuntu3

---------------
s390-tools (2.9.0-0ubuntu3) eoan; urgency=medium

  * Fix FTBFS LP: #1833238

 -- Dimitri John Ledkov <email address hidden> Wed, 19 Jun 2019 14:28:12 +0100

Changed in s390-tools (Ubuntu):
status: Fix Committed → Fix Released

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1829749

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers