Ubuntu on IBM z Systems

Emulate s390x secureboot / sipl in qemu

Bug #1852541 reported by Dimitri John Ledkov on 2019-11-14

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Ubuntu on IBM z Systems	Opinion	Wishlist	bugproxy
	qemu (Ubuntu)	Opinion	Wishlist	Unassigned

Bug Description

It would be nice if s390x qemu VMs could be "tricked" into booting as if they are sipl booted.

I.e. fake whichever calls needed in the firmware to hint to linux kernel that SIPL is available and was performed.

This would facilitate testing SIPL/lockdown kernel behaviour, versus not. At least for the initial boot.

Tags:

Revision history for this message

Dimitri John Ledkov (xnox) wrote on 2019-11-14:

It seems like we want something like

# IPL_PL_FLAG_SIPL
bytes[4] |= 0x40
# IPL_PL_FLAG_IPLSR
bytes[4] |= 0x20

to be set by diag308 subcode 6 in the IPL parameter block

affects:

ubuntu → qemu (Ubuntu)

Frank Heimes (fheimes) on 2019-11-14

Changed in ubuntu-z-systems:
assignee:	nobody → bugproxy (bugproxy)

Frank Heimes (fheimes) on 2019-11-14

summary:

- "fake" s390x sipl
+ Emulate s390x secureboot / sipl in qemu

Revision history for this message

Frank Heimes (fheimes) wrote on 2019-11-14:

After discussing with IBM I've created the following RFE:
Emulate s390x secureboot / sipl in qemu
https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=138164

Revision history for this message

Dimitri John Ledkov (xnox) wrote on 2019-11-19:

sipl-trick.patch Edit (368 bytes, text/plain)

In ppa:xnox/scratch there is qemu that forces "secure" to be 1 always on boot. And kernel locks itself down.

[ 0.068890] Kernel is locked down from Secure IPL; see man kernel_lockdown.7

Ubuntu Foundations Team Bug Bot (crichton) on 2019-11-19

tags:

added: patch

bugproxy (bugproxy) on 2019-11-20

tags:

added: architecture-s39064 bugnameltc-182539 severity-high targetmilestone-inin2004

Revision history for this message

bugproxy (bugproxy) wrote on 2019-12-04: Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2019-12-04 13:54 EDT-------
OK, so we have discussed this internally and we do not see a reason why this would be an issue as we do not have any measurement with TPM and attestation anyway.

Could you maybe send your private patch to the upstream qemu mailing list (qemu-devel and qemu-s390x) to drive the discussion?

Revision history for this message

bugproxy (bugproxy) wrote on 2020-03-17:

------- Comment From <email address hidden> 2020-03-17 09:09 EDT-------
@Canonical: Can someone answer the question from comment #4. Many thanks in advance

Revision history for this message

bugproxy (bugproxy) wrote on 2021-03-19:

------- Comment From <email address hidden> 2021-03-19 08:45 EDT-------
Updated RFE with following comment:

This was now translated as a planned Candidate for a future release.
Will be addressed via a feature request by BZ/LP once committed.

Revision history for this message

Frank Heimes (fheimes) wrote on 2021-03-19:

Ok, good that the idea was picked up and is under consideration.
Since you are going to open a new BZ once available, I'm setting this to Opinion/Wishlist for now ...

Changed in qemu (Ubuntu):
importance:	Undecided → Wishlist
status:	New → Opinion
Changed in ubuntu-z-systems:
importance:	Undecided → Wishlist
status:	New → Opinion