[24.10] Please test secure-boot and lockdown on the 6.10 kernel (s390x) for Oracular

Bug #2069035 reported by Paolo Pisati
Affects                   Status         Importance   Assigned to   Milestone
Ubuntu on IBM z Systems   Fix Released   High         bugproxy
linux (Ubuntu)            Fix Released   High         Unassigned

Bug Description

The Canonical kernel team is working on a new 6.10 kernel for 'oracular' (24.10) and has an early build ready for secure-boot and lockdown testing (version 6.10.0-4.4).

To avoid the negative consequences that a broken secure-boot or lockdown implementation would have (especially once the kernel is signed with the production key), we ask that secure boot be tested early in the cycle using the Canonical kernel team's PPA key for signing.

The early test build is available at: ppa:canonical-kernel-team/unstable
(https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable/)

The PPA key used for signing can be found in the tarball available here:
https://ppa.launchpad.net/canonical-kernel-team/unstable/ubuntu/dists/devel/main/signed/linux-generate-unstable-s390x/current/

(Please note that this kernel comes from the 'canonical-kernel-team' PPA, hence it is NOT signed with the regular archive/release/production key, but with the above PPA's key!)

Paolo Pisati (p-pisati)
description: updated
description: updated
description: updated
description: updated
description: updated
description: updated
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
assignee: nobody → bugproxy (bugproxy)
importance: Undecided → High
Changed in linux (Ubuntu):
importance: Undecided → High
tags: added: reverse-proxy-bugzilla s390x
bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-206857 severity-high targetmilestone-inin---
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2024-06-12 04:31 EDT-------
We installed from ppa:canonical-kernel-team/unstable:
# cat /etc/os-release
PRETTY_NAME="Ubuntu Oracular Oriole (development branch)"
NAME="Ubuntu"
VERSION_ID="24.10"
VERSION="24.10 (Oracular Oriole)"
VERSION_CODENAME=oracular
...
...
# uname -r
6.10.0-4-generic
# grep [0-9] /sys/firmware/ipl/*sec*
/sys/firmware/ipl/has_secure:1
/sys/firmware/ipl/secure:0

# ls -l /boot/vmlinuz /boot/initrd.img
lrwxrwxrwx 1 root root 27 Jun 12 07:30 /boot/initrd.img -> initrd.img-6.10.0-4-generic
lrwxrwxrwx 1 root root 24 Jun 12 07:30 /boot/vmlinuz -> vmlinuz-6.10.0-4-generic

load with kernel vmlinuz-6.10.0-4-generic
- without secure boot enabled
- without adding the signature

System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.4' level 'D51C.D51C_328.17'.
--- Audit message summary start ---
MLOLOA62693210 Audit: Signature verification failure for component 5 in program
0 loaded from device HBA:0.0.1900,WWPN:500507630710572c,LUN:4021402c00000000.
--- Audit message summary end ---
OK00000000 Success

load with kernel vmlinuz-6.8.0-2-generic
- with secure boot enabled
- without adding the signature

IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.4' level 'D51C.D51C_328.17'.
--- Audit message summary start ---
MLOLOA62693210 Audit: Signature verification failure for component 5 in program
0 loaded from device HBA:0.0.1900,WWPN:500507630710572C,LUN:4021402C00000000.
--- Audit message summary end ---
MLOLOA6269321F A security violation error was encountered when loading from devi
ce HBA:0.0.1900,WWPN:500507630710572C,LUN:4021402C00000000.
IPL failed (110).

load with kernel vmlinuz-6.8.0-2-generic
- with secure boot enabled
- with adding the signature

IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.4' level 'D51C.D51C_328.17'.
OK00000000 Success
[ 0.082046] Linux version 6.10.0-4-generic (buildd@bos01-s390x-019) (s390x-linux-gnu-gcc-13 (Ubuntu 13.2.0-25ubuntu1) 13.2.0, GNU ld (GNU Binutils for Ubuntu) 2.42) #4-Ubuntu SMP Mon Jun 3 10:28:36 UTC 2024 (Ubuntu 6.10.0-4.4-generic 6.10.0-rc2)
[ 0.082048] setup: Linux is running natively in 64-bit mode
[ 0.082048] setup: Linux is running with Secure-IPL enabled

After the secure boot load:
# grep [0-9] /sys/firmware/ipl/*sec*
/sys/firmware/ipl/has_secure:1
/sys/firmware/ipl/secure:1

We used these certificates:
# openssl x509 -text -in sipl1.x509
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a1:b6:a0:75:09:df:f4:18
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN = PPA canonical-kernel-team unstable SIPL
Validity
Not Before: Aug 23 20:47:25 2019 GMT
Not After : Aug 20 20:47:25 2029 GMT
Subject: CN = PPA canonical-kernel-team unstable SIPL
...
...
# openssl x509 -text -in sipl2.x509
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ee:61:db:02:41:ef:d1:06
Signature Algorithm: sha512WithRSAEncryption
Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., OU = Secure Boot, CN = "Canonical Ltd. Secure Boot Signing (ZIPL, 2019)"
Validity
Not Before: May 16 13:50:05 2019 GMT
Not After : May 14 13:50:05 2049 GMT
Subjec...


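The checks the bridged comment's log walks through (reading /sys/firmware/ipl/has_secure and /sys/firmware/ipl/secure after boot, and IPLing with and without a signature attached to the kernel image) can be scripted as a quick post-boot verification for future test rounds. The following is an added example written for this page, not code from the bug report or from Canonical's or IBM's tooling. It assumes a POSIX shell, that the two sysfs attributes carry the values shown in the log, and that a signed s390x kernel image ends with the same appended-signature marker that signed kernel modules use; that last point is an assumption about the image layout, not something the report states. Both functions take explicit paths so they can be exercised on constructed test data.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the Ubuntu kernel tooling.
# Both checks take explicit paths so they can be exercised on constructed
# test data; on a real s390x host the inputs would be /sys/firmware/ipl
# and /boot/vmlinuz-$(uname -r).

# Classify the Secure IPL state from the two sysfs attributes shown in the
# log (has_secure: firmware supports it; secure: this IPL was verified).
# Prints unsupported|disabled|enabled and returns 0 only for "enabled".
secure_ipl_state() {
    ipl_dir=$1
    has_secure=$(cat "$ipl_dir/has_secure" 2>/dev/null || echo 0)
    secure=$(cat "$ipl_dir/secure" 2>/dev/null || echo 0)
    if [ "$has_secure" != 1 ]; then
        echo unsupported
        return 2
    fi
    if [ "$secure" != 1 ]; then
        echo disabled
        return 1
    fi
    echo enabled
    return 0
}

# Check whether a kernel image carries an appended signature. Assumption: the
# image ends with the same "~Module signature appended~\n" marker that signed
# kernel modules use (28 bytes including the trailing newline). An image
# without it is what produced the "Signature verification failure" audit
# message and the IPL failure with secure boot enabled in the log above.
SIG_MARKER='~Module signature appended~'
kernel_has_signature() {
    [ -f "$1" ] || return 2
    tail -c 28 "$1" | grep -q "^${SIG_MARKER}\$"
}

# Live run only when explicitly requested, so the functions above can be
# sourced or tested without touching the running system.
if [ "${SECURE_IPL_LIVE:-0}" = 1 ]; then
    state=$(secure_ipl_state /sys/firmware/ipl) || true
    echo "Secure IPL: $state"
    kernel_image=/boot/vmlinuz-$(uname -r)
    if kernel_has_signature "$kernel_image"; then
        echo "$kernel_image: appended signature present"
    else
        echo "$kernel_image: no appended signature (expect the IPL to fail with secure boot enabled)"
    fi
fi
```

Run it on the test LPAR with `SECURE_IPL_LIVE=1 sh check-sipl.sh` after each IPL; the expected pairing is "enabled" together with "appended signature present" for the signed image, matching the `secure:1` and "Secure-IPL enabled" lines in the log. The marker check only tells you a signature is attached, not that it chains to the certificate loaded in the HMC; that part is still verified by the firmware at IPL time, which is exactly what the audit messages report.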
Frank Heimes (fheimes) wrote :

Many thanks Grgo for the test, and the blazing fast turnaround!

Changed in linux (Ubuntu):
status: New → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: New → Fix Released
bugproxy (bugproxy)
tags: added: targetmilestone-inin2410
removed: targetmilestone-inin---