1. Installed an Eoan guest on Xenial/Bionic/Disco hosts
In the Guest
2. set secure = 1 in /etc/zipl.conf
3. unfortunately xnox refreshed his PPA and it has no pre-signed kernel anymore :-/
I tried to follow https://ubuntu.com/blog/how-to-sign-things-for-secure-boot in various ways,
but I assume things are just different for s390x here.
After a while I found this old build [1] of which I used [2]
Install that and drop the ramdisk line
change:
image = /boot/vmlinuz-5.2.0-1-generic
remove:
ramdisk = /boot/initrd.img
4. run zipl verbosely, which should have:
Adding IPL section 'ubuntu' (default)
signature for.....: /lib/s390-tools/stage3.bin
kernel image......: /boot/vmlinuz-5.2.0-1-generic
signature for.....: /boot/vmlinuz-5.2.0-1-generic
5. shut down guest
6. back in the Host, start the guest (fails without the update).
Check the console - the error messages differ per version:
Xenial:
$ virsh start --console test-secureboot-x
Domain test-secureboot-x started
Connected to domain test-secureboot-x
Escape character is ^]
..
! No EXEC entry !
Bionic:
Domain test-secureboot-b started
error: The domain is not running
Disco:
seems to work but complains about validations
With the upgrade from proposed they all can start fine (well I stole the initrd, so they fail mounting the root disk, but we passed hat we wanted to check).
1. Installed an Eoan guest on Xenial/Bionic/Disco hosts
In the Guest
2. set secure = 1 in /etc/zipl.conf
3. unfortunately xnox refreshed his PPA and it has no pre-signed kernel anymore :-/ /ubuntu. com/blog/ how-to- sign-things- for-secure- boot in various ways, 5.2.0-1- generic
I tried to follow https:/
but I assume things are just different for s390x here.
After a while I found this old build [1] of which I used [2]
Install that and drop the ramdisk line
change:
image = /boot/vmlinuz-
remove:
ramdisk = /boot/initrd.img
4. run zipl verbosely, which should have: tools/stage3. bin 5.2.0-1- generic 5.2.0-1- generic
Adding IPL section 'ubuntu' (default)
signature for.....: /lib/s390-
kernel image......: /boot/vmlinuz-
signature for.....: /boot/vmlinuz-
5. shut down guest
6. back in the Host, start the guest (fails without the update).
Check the console - the error messages differ per version:
Xenial:
$ virsh start --console test-secureboot-x
Domain test-secureboot-x started
Connected to domain test-secureboot-x
Escape character is ^]
..
! No EXEC entry !
Bionic:
Domain test-secureboot-b started
error: The domain is not running
Disco:
seems to work but complains about validations
7. Upgrade to proposed and check again.
qemu-system- s390x/disco- proposed 1:3.1+dfsg- 2ubuntu3. 3 s390x [upgradable from: 1:3.1+dfsg- 2ubuntu3. 2] bionic- proposed 1:2.11+ dfsg-1ubuntu7. 16 s390x [upgradable from: 1:2.11+ dfsg-1ubuntu7. 15] s390x/bionic- proposed 1:2.11+ dfsg-1ubuntu7. 16 s390x [upgradable from: 1:2.11+ dfsg-1ubuntu7. 15] s390x/xenial- proposed 1:2.5+dfsg- 5ubuntu10. 41 s390x [upgradable from: 1:2.5+dfsg- 5ubuntu10. 40]
qemu-kvm/
qemu-system-
qemu-system-
With the upgrade from proposed they all can start fine (well I stole the initrd, so they fail mounting the root disk, but we passed hat we wanted to check).
Setting verified
[1]: https:/ /launchpad. net/~xnox/ +archive/ ubuntu/ scratch/ +build/ 16859505 /launchpad. net/~xnox/ +archive/ ubuntu/ scratch/ +build/ 16859505/ +files/ linux-image- 5.2.0-1- generic_ 5.2.0-1. 2_s390x. deb
[2]: https:/