Ubuntu on IBM z Systems

  1. Bug #2026833
  2. Comment #5

Comment 5 for bug 2026833

Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2023-08-17 03:32 EDT-------
we installed from ppa:canonical-kernel-team/unstable:
# cat /etc/os-release
PRETTY_NAME="Ubuntu Mantic Minotaur (development branch)"
NAME="Ubuntu"
VERSION_ID="23.10"
VERSION="23.10 (Mantic Minotaur)"
VERSION_CODENAME=mantic
...
...
# uname -r
6.5.0-4-generic
# grep [0-9] /sys/firmware/ipl/*sec*
/sys/firmware/ipl/has_secure:1
/sys/firmware/ipl/secure:0
# ls -l /boot/vmlinuz /boot/initrd.img
lrwxrwxrwx 1 root root 26 Aug 15 09:19 /boot/initrd.img -> initrd.img-6.5.0-4-generic
lrwxrwxrwx 1 root root 23 Aug 15 09:19 /boot/vmlinuz -> vmlinuz-6.5.0-4-generic

load with kernel vmlinuz-6.5.0-4-generic
- without secure boot enable
- without adding the signature

IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.2' level 'D51C.D51C_328.16'.
--- Audit message summary start ---
MLOLOA62693210 Audit: Signature verification failure for component 3 in program
0 loaded from device HBA:0.0.1900,WWPN:500507630710572C,LUN:4020404E00000000.
--- Audit message summary end ---
OK00000000 Success

load with kernel vmlinuz-6.5.0-4-generic
- with secure boot enable
- without adding the signature

IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.2' level 'D51C.D51C_328.16'.
--- Audit message summary start ---
MLOLOA62693210 Audit: Signature verification failure for component 3 in program
0 loaded from device HBA:0.0.1900,WWPN:500507630710572C,LUN:4020404E00000000.
--- Audit message summary end ---
MLOLOA6269321F A security violation error was encountered when loading from devi
ce HBA:0.0.1900,WWPN:500507630710572C,LUN:4020404E00000000.
IPL failed (110).

load with kernel vmlinuz-6.5.0-4-generic
- with secure boot enable
- with adding the signature

IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.2' level 'D51C.D51C_328.16'.
--- Audit message summary start ---
MLOLOA62693210 Audit: Signature verification failure for component 3 in program
0 loaded from device HBA:0.0.1900,WWPN:500507630710572C,LUN:4020404E00000000.
--- Audit message summary end ---
MLOLOA6269321F A security violation error was encountered when loading from devi
ce HBA:0.0.1900,WWPN:500507630710572C,LUN:4020404E00000000.
IPL failed (110).

==> boot with secure boot enable and adding the certificate still didn't work

we used this Certificate:
openssl x509 -text -in sipl.x509
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a1:b6:a0:75:09:df:f4:18
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN = PPA canonical-kernel-team unstable SIPL
Validity
Not Before: Aug 23 20:47:25 2019 GMT
Not After : Aug 20 20:47:25 2029 GMT
Subject: CN = PPA canonical-kernel-team unstable SIPL
...
...

this was tested on our Z16 machine