------- Comment From <email address hidden> 2020-01-22 05:29 EDT-------
addl. description:
"Operating system messages" output
Test on a z15 LPAR: Checking the combinations of the /etc/zipl.conf "secure" keyword and the HMC "Enable Secure Boot for Linux" option on the HMC SCSI load panel.
Result: the system always performs a successful IPL regardless of the settings of the zipl.conf "secure" keyword and the HMC "Enable Secure Boot for Linux" option.
Problem: No IPL should be performed for the combination of "secure=0" in /etc/zipl.conf and the selection of "Enable Secure Boot for Linux" option in the HMC SCSI load panel.
Scenario
--------
root@t35lp36:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu Focal Fossa (development branch)"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
root@t35lp36:~# uname -a
Linux t35lp36 5.4.0-9-generic #12-Ubuntu SMP Mon Dec 16 22:31:38 UTC 2019 s390x s390x s390x GNU/Linux
Setting secure=0 in /etc/zipl.conf
root@t35lp36:~# cat /etc/zipl.conf
[defaultboot]
defaultmenu = menu
secure=0
:menu
target = /boot
1 = ubuntu
2 = old
default = 1
prompt = 1
timeout = 10
[ubuntu]
target = /boot
image = /boot/vmlinuz
ramdisk = /boot/initrd.img
parameters = root=UUID=dc6b7633-49f0-4095-8c35-678cbc212ca5 crashkernel=196M
[old]
target = /boot
image = /boot/vmlinuz.old
ramdisk = /boot/initrd.img.old
parameters = root=UUID=dc6b7633-49f0-4095-8c35-678cbc212ca5 crashkernel=196M
optional = 1
root@t35lp36:~# zipl -V
Using config file '/etc/zipl.conf'
Run /lib/s390-tools/zipl_helper.device-mapper /boot
Target device information
Device..........................: fd:00 *)
Partition.......................: fd:01
Device name.....................: dm-0
Device driver name..............: device-mapper
Type............................: disk partition
Disk layout.....................: SCSI disk layout *)
Geometry - start................: 2048 *)
File system block size..........: 4096
Physical block size.............: 512 *)
Device size in physical blocks..: 37746688
*) Data provided by script.
Building bootmap in '/boot'
Building menu 'menu'
Adding #1: IPL section 'ubuntu' (default)
initial ramdisk...: /boot/initrd.img
signature for.....: /lib/s390-tools/stage3.bin
kernel image......: /boot/vmlinuz
signature for.....: /boot/vmlinuz
kernel parmline...: 'root=UUID=dc6b7633-49f0-4095-8c35-678cbc212ca5 crashkernel=196M'
component address:
heap area.......: 0x00002000-0x00005fff
stack area......: 0x0000f000-0x0000ffff
internal loader.: 0x0000a000-0x0000dfff
parameters......: 0x00009000-0x000091ff
kernel image....: 0x00010000-0x007d7fff
parmline........: 0x007d9000-0x007d91ff
initial ramdisk.: 0x007e0000-0x01a73bff
Adding #2: IPL section 'old'
initial ramdisk...: /boot/initrd.img.old
signature for.....: /lib/s390-tools/stage3.bin
kernel image......: /boot/vmlinuz.old
signature for.....: /boot/vmlinuz.old
kernel parmline...: 'root=UUID=dc6b7633-49f0-4095-8c35-678cbc212ca5 crashkernel=196M'
component address:
heap area.......: 0x00002000-0x00005fff
stack area......: 0x0000f000-0x0000ffff
internal loader.: 0x0000a000-0x0000dfff
parameters......: 0x00009000-0x000091ff
kernel image....: 0x00010000-0x007d7fff
parmline........: 0x007d9000-0x007d91ff
initial ramdisk.: 0x007e0000-0x01a73bff
Preparing boot device: dm-0.
Detected SCSI PCBIOS disk layout.
Writing SCSI master boot record.
Syncing disks...
Done.
root@t35lp36:~#
Then the system was shut down and a new IPL was triggered from the HMC SCSI load panel. The system IPL'd successfully.
Excerpt from the "Operating System Messages" output:
Preparing system.
Starting system.
System version 8.
Watchdog enabled.
Running 'ZBootLoader' version '1.0.0' level 'D41C.D41C_0013'.
ZBootLoader 2.0.0.
OK00000000 Success
[ 0.317598] Linux version 5.4.0-9-generic (buildd@bos02-s390x-011) (gcc version 9.2.1 20191130 (Ubuntu 9.2.1-21ubuntu1)) #12-Ubuntu SMP Mon Dec 16 22:31:38 UTC 2019 (Ubuntu 5.4.0-9.12-generic 5.4.3)
[ 0.317600] setup.6bac7a: Linux is running natively in 64-bit mode
[ 0.317601] setup.433296: Linux is running with Secure-IPL enabled
[ 0.317602] setup.6482e5: The IPL report contains the following components:
[ 0.317603] setup.4da44b: 0000000000002000 - 0000000000006000 (not signed)
[ 0.317605] setup.4da44b: 000000000000f000 - 0000000000010000 (not signed)
[ 0.317606] setup.4da44b: 000000000000a000 - 000000000000e000 (signed, verified)
[ 0.317607] setup.4da44b: 0000000000009000 - 0000000000009200 (not signed)
[ 0.317608] setup.4da44b: 0000000000010000 - 00000000007d8000 (signed, verified)
[ 0.317609] setup.4da44b: 00000000007d9000 - 00000000007d9200 (not signed)
[ 0.317610] setup.4da44b: 00000000007e0000 - 0000000001a73c00 (not signed)
[ 0.317611] Kernel is locked down from Secure IPL; see man kernel_lockdown.7
[ 0.317624] setup.b050d0: The maximum memory size is 4096MB
[ 0.317627] setup.dae2e8: Reserving 196MB of memory at 3900MB for crashkernel (System RAM: 3900MB)
.
.
The full console log is added as an attachment.
When the system IPL had finished, the secure-boot related flags in sysfs had the following settings:
root@t35lp36:~# cat /sys/firmware/ipl/has_secure
1
root@t35lp36:~# cat /sys/firmware/ipl/secure
1
------- Comment From <email address hidden> 2020-01-22 05:30 EDT-------
Solution:
As can be seen from the zipl output, secure boot signatures have been written despite secure=0, so successful IPL is expected. This boils down to the secure=0 setting not being recognized by zipl.
This is likely fixed with upstream commit https://github.com/ibm-s390-tools/s390-tools/commit/6f9337d1016e00f360cf4a81d39a42df5184b3a2
which needs to be added on top of s390-tools 2.12, which will be integrated into 20.04.
And also applied to 2.11 for Ubuntu 19.10...
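
A check for the mismatch this report describes, as an added example that is not part of the original bug report or of s390-tools: it reads the "secure" key from the [defaultboot] section of a zipl.conf and counts the "signature for" lines in saved "zipl -V" output. The function names are hypothetical and the sample data is constructed to mirror the configuration and output quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report or s390-tools): flag the case where
# zipl.conf says secure=0 but `zipl -V` still reports signature components.

# Print the "secure" value from the [defaultboot] section of a zipl.conf
# read from stdin, or "unset" when the key is absent.
conf_secure() {
    awk '
        /^[ \t]*(\[|:)/ { in_default = ($0 ~ /^[ \t]*\[defaultboot\]/); next }
        in_default && /^[ \t]*secure[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { print (val == "" ? "unset" : val) }'
}

# Count "signature for" component lines in `zipl -V` output read from stdin.
signature_count() {
    grep -c -E '^[[:space:]]*signature for\.+:' || true
}

# check_zipl CONF_FILE ZIPL_LOG: print a verdict; return 1 on mismatch.
check_zipl() {
    secure=$(conf_secure < "$1")
    sigs=$(signature_count < "$2")
    if [ "$secure" = "0" ] && [ "$sigs" -gt 0 ]; then
        echo "MISMATCH: secure=0 but $sigs signature component(s) written"
        return 1
    fi
    echo "OK: secure=$secure, $sigs signature component(s)"
}

# Constructed samples modelled on the zipl.conf and zipl -V output above.
sample_conf() {
    printf '%s\n' '[defaultboot]' 'defaultmenu = menu' 'secure=0' \
        ':menu' 'target = /boot' '1 = ubuntu' \
        '[ubuntu]' 'target = /boot' 'image = /boot/vmlinuz'
}
sample_log() {
    printf '%s\n' "Adding #1: IPL section 'ubuntu' (default)" \
        'initial ramdisk...: /boot/initrd.img' \
        'signature for.....: /lib/s390-tools/stage3.bin' \
        'kernel image......: /boot/vmlinuz' \
        'signature for.....: /boot/vmlinuz'
}

# Usage on a real system: save `zipl -V` output to a file, then run
#   sh this_script.sh /etc/zipl.conf zipl.log
if [ "$#" -eq 2 ]; then check_zipl "$1" "$2"; fi
```

After the next IPL, /sys/firmware/ipl/secure (shown above) tells whether the system actually booted with Secure-IPL enabled.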