Ubuntu
qemu package

Comment 28 for bug 1830243

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2019-07-17:

#28

1. Installed an Eoan guest on Xenial/Bionic/Disco hosts
In the Guest
2. set secure = 1 in /etc/zipl.conf

3. unfortunately xnox refreshed his PPA and it has no pre-signed kernel anymore :-/
   I tried to follow https://ubuntu.com/blog/how-to-sign-things-for-secure-boot in various ways,
   but I assume things are just different for s390x here.
   After a while I found this old build [1] of which I used [2]
   Install that and drop the ramdisk line
  change:
    image = /boot/vmlinuz-5.2.0-1-generic
  remove:
    ramdisk = /boot/initrd.img

4. run zipl verbosely, which should have:
  Adding IPL section 'ubuntu' (default)
  signature for.....: /lib/s390-tools/stage3.bin
  kernel image......: /boot/vmlinuz-5.2.0-1-generic
  signature for.....: /boot/vmlinuz-5.2.0-1-generic

5. shut down guest

6. back in the Host, start the guest (fails without the update).
Check the console - the error messages differ per version:

Xenial:
$ virsh start --console test-secureboot-x
Domain test-secureboot-x started
Connected to domain test-secureboot-x
Escape character is ^]
..
! No EXEC entry !

Bionic:
Domain test-secureboot-b started
error: The domain is not running

Disco:
seems to work but complains about validations

7. Upgrade to proposed and check again.

qemu-system-s390x/disco-proposed 1:3.1+dfsg-2ubuntu3.3 s390x [upgradable from: 1:3.1+dfsg-2ubuntu3.2]
qemu-kvm/bionic-proposed 1:2.11+dfsg-1ubuntu7.16 s390x [upgradable from: 1:2.11+dfsg-1ubuntu7.15]
qemu-system-s390x/bionic-proposed 1:2.11+dfsg-1ubuntu7.16 s390x [upgradable from: 1:2.11+dfsg-1ubuntu7.15]
qemu-system-s390x/xenial-proposed 1:2.5+dfsg-5ubuntu10.41 s390x [upgradable from: 1:2.5+dfsg-5ubuntu10.40]

With the upgrade from proposed they all can start fine (well I stole the initrd, so they fail mounting the root disk, but we passed hat we wanted to check).

Setting verified

[1]: https://launchpad.net/~xnox/+archive/ubuntu/scratch/+build/16859505
[2]: https://launchpad.net/~xnox/+archive/ubuntu/scratch/+build/16859505/+files/linux-image-5.2.0-1-generic_5.2.0-1.2_s390x.deb

1. Installed an Eoan guest on Xenial/Bionic/Disco hosts
In the Guest
2. set secure = 1 in /etc/zipl.conf

3. unfortunately xnox refreshed his PPA and it has no pre-signed kernel anymore :-/
   I tried to follow https://ubuntu.com/blog/how-to-sign-things-for-secure-boot in various ways, 
   but I assume things are just different for s390x here.
   After a while I found this old build [1] of which I used [2]
   Install that and drop the ramdisk line
  change:
    image = /boot/vmlinuz-5.2.0-1-generic
  remove:
    ramdisk = /boot/initrd.img