[UBUNTU 20.04] zipl boot loader should check for secure IPL feature before looking up data (was: PV: guest fails to reboot from a disk)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners | |
s390-tools (Ubuntu) | Fix Released | Undecided | Canonical Foundations Team | |
Focal | Fix Released | Undecided | Canonical Foundations Team | |
Groovy | Fix Released | Undecided | Canonical Foundations Team | |
Bug Description
[Impact]
* Sometimes a PV guest fails to reboot from a disk.
* Backporting newer zipl functionality to focal fixes the reboot of protected VMs on IBM Z by checking for the secure IPL feature before looking up data
* This bug was fixed in s390-tools 2.14.0 (which depends on a newer kernel), therefore we cherry-pick just the fixes to zipl, while keeping s390-tools at 2.12.0
[Test Case]
* Secure boot (s390-tools-signed) can only be tested on specific IBM hardware
* Try to reboot a PV guest multiple times.
* Or using hades (bb/mhartmay/pv branch):
$ for i in $(seq 1 100); do nose2 -v --early-debug tests.test_
[Regression Potential]
* regressions in the initial program loader for Z (zipl) could break the creation of new boot devices for s390x
* the package is only available on s390x and thus could only affect IBM Z machines
* Existing boot devices / IPL would not be affected
[Other Info]
* Needs to be tested/verified by IBM internally
* In addition to the patches/
* Related to LP: #1888231 and LP: #1893027
=== Original Description ===
Problem description:
Sometimes a PV guest fails to reboot from a disk.
# How to reproduce?
Try to reboot a PV guest multiple times.
Or using hades (bb/mhartmay/pv branch):
$ for i in $(seq 1 100); do nose2 -v --early-debug tests.test_
# Host kernel used:
5.6.0-rc2-
# Host cmdline used:
kvm.nested=1 nokaslr crashkernel=196M selinux=0 root=/dev/
# QEMU used:
QEMU emulator version 4.2.50 (v4.2.0-
# Guest kernel used:
5.6.0-rc2-
# Guest cmdline used:
enforcing=0 console=ttyS0 swiotlb=256000 STARTUP=sshd.sh PV
This is a list of commits that are required to entirely resolve this bug
on top of s390tools-2.12
These commits are zipl related only.
tags: | added: architecture-s39064 bugnameltc-187747 severity-high targetmilestone-inin2004 |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → linux (Ubuntu) |
affects: | linux (Ubuntu) → s390-tools (Ubuntu) |
summary: |
- [UBUNTU 20.04]zipl boot loader should check for secure IPL feature + [UBUNTU 20.04] zipl boot loader should check for secure IPL feature before looking up data (was: PV: guest fails to reboot from a disk) |
Changed in ubuntu-z-systems: | |
importance: | Undecided → High |
assignee: | nobody → Canonical Foundations Team (canonical-foundations) |
Changed in s390-tools (Ubuntu Groovy): | |
status: | Triaged → In Progress |
Changed in ubuntu-z-systems: | |
status: | Triaged → In Progress |
tags: | added: id-5f3e969561488979e4dce5fc |
description: | updated |
Changed in s390-tools (Ubuntu Focal): | |
status: | New → In Progress |
Changed in ubuntu-z-systems: | |
status: | In Progress → Fix Committed |
tags: | added: fr-587 |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
The list of commits is included in s390-tools 2.14, hence if s390-tools gets updated to 2.14 (see LP 1884721), the groovy entry will be done.
But SRU to focal is needed.
I think it will not be easy to get all commit IDs SRUed to focal - even if I've heard that the fix is only one of them and the rest are depending commits to get the fix applied ...