------- Comment From <email address hidden> 2020-02-06 03:44 EDT-------
Retested with the secure entry moved to the menu section:
[defaultboot]
defaultmenu = menu
:menu
target = /boot
1 = ubuntu
2 = old
default = 1
prompt = 1
timeout = 10
secure=1
.
.
root@t35lp36:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu Focal Fossa (development branch)"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
root@t35lp36:~# uname -a
Linux t35lp36 5.4.0-12-generic #15-Ubuntu SMP Tue Jan 21 17:56:00 UTC 2020 s390x s390x s390x GNU/Linux
root@t35lp36:~# apt list s390-tools
Listing... Done
s390-tools/focal,now 2.12.0-0ubuntu1 s390x [installed]
root@t35lp36:~#
With the new placement of the "secure" keyword, secure boot works as expected:
(1) IPL always possible with the "Enable secure boot for Linux" HMC checkbox
disabled for secure=1/0/auto. /sys/firmware/ipl/secure shows value 0 after IPL.
(2) IPL successful with the "Enable secure boot for Linux" HMC checkbox
enabled for secure=1/auto. /sys/firmware/ipl/secure shows value 1 after IPL.
(3) No IPL with the "Enable secure boot for Linux" checkbox enabled for secure=0.
Console messages in this case
Preparing system.
Starting system.
System version 8.
Watchdog enabled.
Running 'ZBootLoader' version '1.0.0' level 'D41C.D41C_0013'.
ZBootLoader 2.0.0.
MLOLOA6269050E Secure IPL: Execute entry does not point to the beginning of a signed component on device HBA=0.0.1900, WWPN=500507630B01C320, LUN=4050404700000000.
IPL failed.
But for the secure IPLs (2) the console shows about 1800 messages (or more)
that look like:
[ 2.485469] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[ 2.485471] Could not create tracefs 'available_events' entry
with occasional intersections like these:
[ 2.487994] ------------[ cut here ]------------
[ 2.487995] Could not register function stat for cpu 0
[ 2.488004] WARNING: CPU: 0 PID: 1 at kernel/trace/ftrace.c:987 ftrace_init_tracefs_toplevel+0x160/0x1b8
[ 2.488005] Modules linked in:
[ 2.488007] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.4.0-12-generic #15-Ubuntu
[ 2.488008] Hardware name: IBM 8561 T01 703 (LPAR)
[ 2.488009] Krnl PSW : 0704f00180000000 00000000c886b0d0 (ftrace_init_tracefs_toplevel+0x160/0x1b8)
[ 2.488011]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3
[ 2.488013] Krnl GPRS: 000000000000000a 00000000c8794110 000000000000002a 0000000000000001
[ 2.488014]            0000000000000f3b 000000007fe06000 0000000000000000 00000000c88fedb8
[ 2.488015]            00000000c8958000 0000000000000000 00000000f1081e70 0000000000000000
[ 2.488015]            00000000f093b300 00000000f19d2000 00000000c886b0cc 000003e00000bcd8
[ 2.488020] Krnl Code: 00000000c886b0c0: c020ffeb5dd3    larl    %r2,00000000c85d6c66
                       00000000c886b0c6: c0e5ff9a87e5    brasl   %r14,00000000c7bbc090
                      #00000000c886b0cc: a7f40001        brc     15,00000000c886b0ce
                      >00000000c886b0d0: b904002a        lgr     %r2,%r10
                       00000000c886b0d4: eb6ff0a00004    lmg     %r6,%r15,160(%r15)
                       00000000c886b0da: c0f4ffabc9f3    brcl    15,00000000c7de44c0
                       00000000c886b0e0: b9040049        lgr     %r4,%r9
                       00000000c886b0e4: c060fff7d602    larl    %r6,00000000c8765ce8
[ 2.488030] Call Trace:
[ 2.488031] ([<00000000c886b0cc>] ftrace_init_tracefs_toplevel+0x15c/0x1b8)
[ 2.488033]  [<00000000c886bb4e>] tracer_init_tracefs+0xae/0x200
[ 2.488034]  [<00000000c7b448bc>] do_one_initcall+0x3c/0x200
[ 2.488036]  [<00000000c8854090>] kernel_init_freeable+0x1f8/0x2a8
[ 2.488038]  [<00000000c8429f32>] kernel_init+0x22/0x150
[ 2.488040]  [<00000000c8433e4c>] ret_from_fork+0x28/0x30
[ 2.488041]  [<00000000c8433e54>] kernel_thread_starter+0x0/0x10
[ 2.488042] Last Breaking-Event-Address:
[ 2.488043]  [<00000000c886b0cc>] ftrace_init_tracefs_toplevel+0x15c/0x1b8
[ 2.488044] ---[ end trace c4f019b5774fd101 ]---
An example output of the dmesg command is added as an attachment.
Another issue is the wrong documentation of the zipl.conf syntax in the man pages.
It is stated there that "secure" is a "configuration only" section keyword:
.
.
secure = auto/1/0 (configuration only)
Configuration section:
Control the zIPL secure boot support. Set this option to one of the following values:
.
.
As it works now it seems to be a "menu only" configuration keyword.
Also a question arises about the zipl -S parameter as it is described now:
root@t35lp36:~# zipl --help
Usage: zipl [OPTIONS] [SECTION]
Prepare a device for initial program load. Use OPTIONS described below or
provide the name of a SECTION defined in the zIPL configuration file.
.
.
-S, --secure SWITCH Control the zIPL secure boot support.
auto (default):
Write signatures if available and supported
1: Write signatures regardless of support
0: Do not write signatures
With multiple menus in zipl.conf: how does zipl -S work?
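Added example (not from the bug report or from s390-tools): a small Python audit that parses a zipl.conf in the form shown above, reports which section carries the "secure" keyword (honoured only in a menu section, as the retest shows), and maps a menu value plus the HMC checkbox state to the outcome observed in cases (1) to (3). The parser and the outcome table are this example's own assumptions, derived only from the comment.

```python
import re

# Constructed sample: the retested zipl.conf from the comment above.
SAMPLE_ZIPL_CONF = """\
[defaultboot]
defaultmenu = menu
:menu
target = /boot
1 = ubuntu
2 = old
default = 1
prompt = 1
timeout = 10
secure=1
"""

# '[name]' opens a configuration section, ':name' a menu section.
_HEADER = re.compile(r"^(?:\[(?P<section>[^\]]+)\]|:(?P<menu>\S+))$")

def parse_zipl_conf(text):
    """Return {name: (kind, {key: value})}, kind being 'section' or 'menu'."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            kind = "section" if m.group("section") else "menu"
            current = (kind, {})
            result[m.group("section") or m.group("menu")] = current
        elif current is not None:
            key, _, value = line.partition("=")   # 'secure=1' and 'secure = 1' both parse
            current[1][key.strip()] = value.strip()
    return result

def secure_settings(conf):
    """Where 'secure' is set -> (kind, value, honoured); honoured only in a menu, per the report."""
    return {name: (kind, body["secure"], kind == "menu")
            for name, (kind, body) in conf.items() if "secure" in body}

def expected_ipl(secure, hmc_secure_boot):
    """Observed (ipl_ok, /sys/firmware/ipl/secure) for a menu 'secure' value and the HMC checkbox."""
    if not hmc_secure_boot:
        return True, "0"      # case (1): IPL always possible, not a secure IPL
    if secure in ("1", "auto"):
        return True, "1"      # case (2): secure IPL
    return False, None        # case (3): the loader rejects the unsigned entry
```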