[UBUNTU 20.04] zipl: Fix KVM IPL without bootindex

Bug #1888231 reported by bugproxy on 2020-07-20
This bug affects 1 person
Affects                     Importance   Assigned to
Ubuntu on IBM z Systems     High         Skipper Bug Screeners
s390-tools (Ubuntu)         Undecided    Canonical Foundations Team
  Focal                     Undecided    Canonical Foundations Team
  Groovy                    Undecided    Canonical Foundations Team

Bug Description

[Impact]
 * Without bootindex specified there is no IPL parmblock on KVM which can be read by the stage3 loader.
 * Backported to allow IBM Z users to boot KVM machines without secure initial program loader (IPL) data and without bootindex= parameter specified

[Test Case]
 * prepare a new non-secure IPL and try booting via this IPL, without specifying the bootindex= parameter
 * check if stage3 loader runs successfully

[Regression Potential]

 * regressions in zipl/stage3 could break newly created IPLs
 * If an IPL is broken, the boot sequence on IBM Z machines could not work
 * the package is only available on s390x and thus could only affect IBM Z machines
 * Existing boot devices / IPLs would not be affected

[Other Info]
 * Needs to be tested/verified by IBM internally
 * Patch is included in upstream 2.14.0 release
 * Related to LP: #1892350 and LP: #1893027

=== Original Description ===
Description: zipl: Fix KVM IPL without bootindex
Symptom: Failed IPL on KVM when no bootindex is specified.
Problem: Without bootindex specified there is no IPL parmblock
               on KVM which can be read by the stage3 loader.
Solution: In case diag308 gives a response code 0x102 the stage3
               loader can safely assume that no secure IPL is required
               since no IPL report block exists.
Reproduction: IPL on KVM without 'bootindex=' attached.
Upstream-ID: c9066bf5497300db5e0ba11bf111683ea225d8c8
               b7f1977d3f9332f82e7f388fb18076b89b83944e

Component: s390-tools 2.14

Should also be integrated into 20.04, where secure boot is enabled.

bugproxy (bugproxy) on 2020-07-20
tags: added: architecture-s39064 bugnameltc-186967 severity-high targetmilestone-inin2010
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
affects: linux (Ubuntu) → s390-tools (Ubuntu)
Frank Heimes (fheimes) wrote :

Changing to Incomplete until 2.14 is released:
https://github.com/ibm-s390-tools/s390-tools/releases/

Changed in ubuntu-z-systems:
status: New → Incomplete
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
importance: Undecided → High
Frank Heimes (fheimes) on 2020-08-24
Changed in ubuntu-z-systems:
status: Incomplete → Triaged
Frank Heimes (fheimes) wrote :

Since this fix is included in s390-tools 2.14, I'll mark the groovy entry as Triaged (it would technically even be a kind of duplicate of LP 1884721, if the SRU req. to focal wouldn't be there).

Changed in s390-tools (Ubuntu Groovy):
status: New → Triaged
assignee: Skipper Bug Screeners (skipper-screen-team) → Canonical Foundations Team (canonical-foundations)
Changed in s390-tools (Ubuntu Focal):
assignee: nobody → Canonical Foundations Team (canonical-foundations)
Changed in s390-tools (Ubuntu Groovy):
status: Triaged → In Progress
Frank Heimes (fheimes) on 2020-08-26
Changed in ubuntu-z-systems:
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.14.0-1ubuntu1

---------------
s390-tools (2.14.0-1ubuntu1) groovy; urgency=medium

  * Merge from Debian, remaining changes:
    - add libssl-dev, libglib2.0-dev build-deps
    - add support for signed zipl
    - package cpuplugd, osasnmpd, statd, zkey
    - update copyright file
    - fix kernel installer script integration, to skip calling zipl without initrd
    - load monwriter kernel module for mon_statd/mon_fsstatd
    - do not run dumpconf in lxc
    - ziomon change exit code to 0 for version and help
    - add zkey initramfs hook
    - change zkey default back to argon2i
    - drop patch that disables building osasnmpd
    - drop udevpath patch to init script, systemd units are used instead
    - enable hardening
    - enable initramfs & dracut integration
    - install more utilities and zdev initramfs integration
    - setup users/groups for mon_*, iucvterm, zkey
    - setup crashkernel integration
    - ship zdev in udeb
    - drop ziomon package, shipped in the main package

  * New upstream release fixes LP: #1892350, LP: #1888231, LP: #1884773,
    LP: #1884744, LP: #1884721

s390-tools (2.14.0-1) unstable; urgency=medium

  * New upstream release.

s390-tools (2.3.0-2) unstable; urgency=medium

  * Hardcode perl dependency instead of using ${perl:Depends}.
    The latter introduces a multi-arch dependency (perl:any) that the
    base installation environment cannot cope with.

 -- Dimitri John Ledkov <email address hidden> Wed, 26 Aug 2020 11:11:23 +0100

Changed in s390-tools (Ubuntu Groovy):
status: In Progress → Fix Released

For Focal, would a cherry pick of those 2 upstream checkings be enough?
Upstream-ID: c9066bf5497300db5e0ba11bf111683ea225d8c8
             b7f1977d3f9332f82e7f388fb18076b89b83944e

Lukas Märdian (slyon) wrote :

The relevant upstream commit seems to be this one, which already needs to be included as part of LP: #1892350

https://github.com/ibm-s390-tools/s390-tools/commit/943c5dc51d493fd89f8c1b0760656446d5653be6

Lukas Märdian (slyon) on 2020-10-01
description: updated
Frank Heimes (fheimes) on 2020-10-01
Changed in s390-tools (Ubuntu Focal):
status: New → In Progress

Hello bugproxy, or anyone else affected,

Accepted s390-tools into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/2.12.0-0ubuntu3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in s390-tools (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
tags: added: fr-665
Dimitri John Ledkov (xnox) wrote :

@hws / ibm

Have you had a chance to verify this yet?

------- Comment From <email address hidden> 2020-10-23 03:25 EDT-------
Verified by IBM: Verified that the code is correctly included in s390-tools_2.12.0-0ubuntu3.1

Frank Heimes (fheimes) wrote :

Thx for the verification! (I've adjusted the tags accordingly).

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal