[MIR] Please add support for SIPL

Bug #1829749 reported by Dimitri John Ledkov
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Launchpad itself | Fix Released | High | Andy Whitcroft | |
| linux (Ubuntu) | Fix Released | Undecided | Unassigned | |
| linux-signed (Ubuntu) | Fix Released | High | Unassigned | |
| s390-tools (Ubuntu) | Fix Released | High | Dimitri John Ledkov | |
| s390-tools-signed (Ubuntu) | Fix Released | High | Dimitri John Ledkov | |

Bug Description

Please add support for zipl ("z/ecureBoot") signing.

It should be similar to opal signing, but using the new zipl signing key.

I am expecting to sign s390-tools stage3.bin and kernel images using this key.

s390-tools -> can be signed already
kernels -> should only sign v5.2+

description: updated
Dimitri John Ledkov (xnox) wrote :

I do wonder if we can somehow arch-specify opal signing.

'Cause it's opal for power, zipl for s390x, yet both just use kmodsign. Just a different key.

Not sure if I want to copy & paste all the methods and tests.

Colin Watson (cjwatson)
Changed in launchpad:
assignee: nobody → Andy Whitcroft (apw)
importance: Undecided → High
status: New → Fix Committed
Andy Whitcroft (apw) wrote :

Worked with ~cjwatson to add Secure Initial Program Load signing to launchpad. Changes deployed to dogfood and test packages uploaded. This results in a vmlinuz.sipl gaining a vmlinuz.sipl.sig, and an appropriate control/sipl.x509 file. The signed binary validates correctly using the public key. Looks good.

Dimitri John Ledkov (xnox) wrote :

Tested s390-tools packages on dogfood, which look correct.

Changed in s390-tools (Ubuntu):
status: New → In Progress
Colin Watson (cjwatson)
Changed in launchpad:
status: Fix Committed → Fix Released
Changed in s390-tools (Ubuntu):
status: In Progress → Fix Committed
Dimitri John Ledkov (xnox) wrote :
summary: - Please add support for zipl signing
+ Please add support for sipl
Andy Whitcroft (apw) wrote : Re: Please add support for sipl

Reviewed and accepted the s390-tools custom upload. Watched while it was processed which happened without incident:

2019-06-14 09:43:09 DEBUG Publishing custom s390-tools, s390-tools_2.9.0-0ubuntu2_s390x.tar.gz, s390-tools_2.9.0-0ubuntu2_s390x_translations.tar.gz to ubuntu/eoan
Fri, 14 Jun 2019 09:43:09 +0000: (re-)signing /srv/launchpad.net/ubuntu-archive/ubuntu/dists/eoan-proposed/main/signed/s390-tools-s390x/2.9.0-0ubuntu2/SHA256SUMS as /srv/launchpad.net/ubuntu-archive/ubuntu/dists/eoan-proposed/main/signed/s390-tools-s390x/2.9.0-0ubuntu2/SHA256SUMS.gpg (-u 0x790BC7277767219C42C86F933B4FE6ACC0B21F32 -u 0xF6ECB3762474EDA9D21B7022871920D1991BC93C --digest-algo SHA512)
2019-06-14 09:43:10 DEBUG Publishing custom s390-tools, s390-tools_2.9.0-0ubuntu2_s390x.tar.gz, s390-tools_2.9.0-0ubuntu2_s390x_translations.tar.gz to ubuntu/eoan

Downloaded the signed artifacts from ports.ubuntu.com; these correctly contain the signature component and the public key. I am also able to validate the resulting signature.

Andy Whitcroft (apw) wrote :

Reviewed and iterated on the s390-tools-signed source package; now accepted.

Changed in s390-tools-signed (Ubuntu):
status: New → Fix Committed
Changed in s390-tools (Ubuntu):
assignee: nobody → Dimitri John Ledkov (xnox)
Changed in s390-tools-signed (Ubuntu):
assignee: nobody → Dimitri John Ledkov (xnox)
Changed in s390-tools (Ubuntu):
importance: Undecided → High
Changed in s390-tools-signed (Ubuntu):
importance: Undecided → High
Changed in linux-signed (Ubuntu):
importance: Undecided → High
summary: - Please add support for sipl
+ Please add support for SIPL
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools-signed - 2.9.0-0ubuntu2

---------------
s390-tools-signed (2.9.0-0ubuntu2) eoan; urgency=medium

  * Initial Release LP: #1829749

 -- Dimitri John Ledkov <email address hidden> Tue, 28 May 2019 18:28:34 +0100

Changed in s390-tools-signed (Ubuntu):
status: Fix Committed → Fix Released
summary: - Please add support for SIPL
+ [MIR] Please add support for SIPL
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.9.0-0ubuntu3

---------------
s390-tools (2.9.0-0ubuntu3) eoan; urgency=medium

  * Fix FTBFS LP: #1833238

 -- Dimitri John Ledkov <email address hidden> Wed, 19 Jun 2019 14:28:12 +0100

Changed in s390-tools (Ubuntu):
status: Fix Committed → Fix Released
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1829749

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Dimitri John Ledkov (xnox) wrote :
Seth Forshee (sforshee)
Changed in linux (Ubuntu):
status: Incomplete → Fix Committed
Seth Forshee (sforshee)
Changed in linux-signed (Ubuntu):
status: New → Fix Committed
Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Changed in linux-signed (Ubuntu):
status: Fix Committed → Fix Released