Comment 1 for bug 2069035

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2024-06-12 04:31 EDT-------
We installed from ppa:canonical-kernel-team/unstable:
# cat /etc/os-release
PRETTY_NAME="Ubuntu Oracular Oriole (development branch)"
NAME="Ubuntu"
VERSION_ID="24.10"
VERSION="24.10 (Oracular Oriole)"
VERSION_CODENAME=oracular
...
...
# uname -r
6.10.0-4-generic
# grep [0-9] /sys/firmware/ipl/*sec*
/sys/firmware/ipl/has_secure:1
/sys/firmware/ipl/secure:0

# ls -l /boot/vmlinuz /boot/initrd.img
lrwxrwxrwx 1 root root 27 Jun 12 07:30 /boot/initrd.img -> initrd.img-6.10.0-4-generic
lrwxrwxrwx 1 root root 24 Jun 12 07:30 /boot/vmlinuz -> vmlinuz-6.10.0-4-generic

Load with kernel vmlinuz-6.10.0-4-generic
- without secure boot enabled
- without adding the signature

System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.4' level 'D51C.D51C_328.17'.
--- Audit message summary start ---
MLOLOA62693210 Audit: Signature verification failure for component 5 in program
0 loaded from device HBA:0.0.1900,WWPN:500507630710572c,LUN:4021402c00000000.
--- Audit message summary end ---
OK00000000 Success

Load with kernel vmlinuz-6.8.0-2-generic
- with secure boot enabled
- without adding the signature

IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.4' level 'D51C.D51C_328.17'.
--- Audit message summary start ---
MLOLOA62693210 Audit: Signature verification failure for component 5 in program
0 loaded from device HBA:0.0.1900,WWPN:500507630710572C,LUN:4021402C00000000.
--- Audit message summary end ---
MLOLOA6269321F A security violation error was encountered when loading from devi
ce HBA:0.0.1900,WWPN:500507630710572C,LUN:4021402C00000000.
IPL failed (110).

Load with kernel vmlinuz-6.8.0-2-generic
- with secure boot enabled
- with adding the signature

IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.4' level 'D51C.D51C_328.17'.
OK00000000 Success
[ 0.082046] Linux version 6.10.0-4-generic (buildd@bos01-s390x-019) (s390x-linux-gnu-gcc-13 (Ubuntu 13.2.0-25ubuntu1) 13.2.0, GNU ld (GNU Binutils for Ubuntu) 2.42) #4-Ubuntu SMP Mon Jun 3 10:28:36 UTC 2024 (Ubuntu 6.10.0-4.4-generic 6.10.0-rc2)
[ 0.082048] setup: Linux is running natively in 64-bit mode
[ 0.082048] setup: Linux is running with Secure-IPL enabled

After secure boot load:
# grep [0-9] /sys/firmware/ipl/*sec*
/sys/firmware/ipl/has_secure:1
/sys/firmware/ipl/secure:1

We used these certificates:
# openssl x509 -text -in sipl1.x509
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a1:b6:a0:75:09:df:f4:18
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN = PPA canonical-kernel-team unstable SIPL
Validity
Not Before: Aug 23 20:47:25 2019 GMT
Not After : Aug 20 20:47:25 2029 GMT
Subject: CN = PPA canonical-kernel-team unstable SIPL
...
...
# openssl x509 -text -in sipl2.x509
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ee:61:db:02:41:ef:d1:06
Signature Algorithm: sha512WithRSAEncryption
Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., OU = Secure Boot, CN = "Canonical Ltd. Secure Boot Signing (ZIPL, 2019)"
Validity
Not Before: May 16 13:50:05 2019 GMT
Not After : May 14 13:50:05 2049 GMT
Subject: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., OU = Secure Boot, CN = "Canonical Ltd. Secure Boot Signing (ZIPL, 2019)"
..

This was tested on our Z16 machine.

No problems detected. Secure boot works as expected.