[UBUNTU 20.04] boot: Add s390x secure boot trailer
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu on IBM z Systems | Fix Released | Critical | Skipper Bug Screeners | |
| linux (Ubuntu) | Invalid | Undecided | Unassigned | |
| Focal | Fix Released | Medium | Canonical Kernel Team | |
| Jammy | Fix Released | Medium | Canonical Kernel Team | |
| Kinetic | Fix Released | Medium | Canonical Kernel Team | |
Bug Description
SRU Justification:
==================
[Impact]
* Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update.
[Fix]
* aa127a069ef3 aa127a069ef312a
for kinetic and jammy
* https:/
backport for focal
[Test Plan]
* An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required.
* Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMC's Load task and Activation Profile.
* Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked.
* Check sysfs:
  /sys/
  '1' indicates hw support for secure boot, otherwise '0'
  /sys/
  '1' indicates that secure IPL was successful, otherwise '0'
* Navigate to the HMC task 'System information' and check the active firmware release.
* Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, for example by doing a reboot after the firmware upgrade.
* There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script:
  https:/
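The sysfs check from the test plan above, as an added shell example that is not part of the bug report or of the Ubuntu kernel packaging. The page cuts the attribute paths off at /sys/; this script assumes the standard s390x attributes /sys/firmware/ipl/has_secure and /sys/firmware/ipl/secure (an assumption, since the page does not show them in full), takes the directory as a parameter, and builds a constructed fixture directory so the decision logic can be exercised on any machine. The function names secure_ipl_state and make_ipl_fixture are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: summarise the s390x secure IPL state
# from the two sysfs attributes the test plan refers to.  The page truncates
# the paths; the standard attributes /sys/firmware/ipl/has_secure and
# /sys/firmware/ipl/secure are assumed here, and the directory is a parameter
# so the same logic can be checked against a constructed fixture.

# secure_ipl_state [IPL_SYSFS_DIR]
#   prints: unsupported | not-secure | secure | unknown
#   exit status 0 only for "secure"
secure_ipl_state() {
    dir="${1:-/sys/firmware/ipl}"
    has_secure=$(cat "$dir/has_secure" 2>/dev/null | tr -d '[:space:]')
    secure=$(cat "$dir/secure" 2>/dev/null | tr -d '[:space:]')

    case "$has_secure" in
        0)
            # Hardware/firmware does not support secure boot at all.
            echo unsupported; return 1 ;;
        1)
            case "$secure" in
                1) echo secure; return 0 ;;      # secure IPL verified the image
                0) echo not-secure; return 1 ;;  # capable, but this IPL was not verified
                *) echo unknown; return 1 ;;
            esac ;;
        *)
            # Attribute missing or unreadable: not s390x, or a kernel without it.
            echo unknown; return 1 ;;
    esac
}

# make_ipl_fixture DIR HAS_SECURE SECURE
#   writes a constructed fixture directory mimicking the two attributes.
make_ipl_fixture() {
    mkdir -p "$1" || return 1
    printf '%s\n' "$2" > "$1/has_secure"
    printf '%s\n' "$3" > "$1/secure"
}

# Stand-alone run: the live machine first (unknown unless on s390x), then the
# three outcomes the test plan distinguishes, using constructed fixtures.
live=$(secure_ipl_state) || :
echo "live system: $live"
tmp=$(mktemp -d)
make_ipl_fixture "$tmp/ok" 1 1
make_ipl_fixture "$tmp/cap" 1 0
make_ipl_fixture "$tmp/old" 0 0
for d in ok cap old; do
    state=$(secure_ipl_state "$tmp/$d") || :
    echo "fixture $d: $state"
done
rm -rf "$tmp"
```

Run without arguments on the LPAR after each IPL: "secure" is the only result that satisfies the test plan; "not-secure" on hardware that reports support means the image was loaded but not verified, and "unsupported" means the LPAR or firmware level cannot do secure boot at all, so the trailer cannot be tested there directly.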
[Where problems could occur]
* The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/
* In the worst case secure boot might become broken, even on systems that are still on the unpatched firmware level.
* Or secure boot will become broken in general.
[Other Info]
* The above commit was upstream accepted with v6.1-rc3.
* And it got tagged for upstream stable with: "Cc: <email address hidden> # 5.2+"
* But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable.
* Since on focal the file 'vmlinux.lds.S' is at a different location 'arch/ and the context is slightly different, the backport is needed.
* It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch included when at the planned target level.
__________
Description: boot: Add secure boot trailer
Symptom: Secure boot of Linux will no longer be possible with an upcoming
IBM Z firmware update.
Problem: New IBM Z firmware requires signed bootable images to contain a
Solution: Add the trailing data block to the Linux kernel image.
Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled.
Fix: available upstream with
Upstream-ID: aa127a069ef312a
Preventive: yes
Date: 2022-10-27
Author: Peter Oberparleiter <email address hidden>
Component: kernel
tags: added: architecture-s39064 bugnameltc-200452 severity-critical targetmilestone-inin---
Changed in ubuntu:
  assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
summary:
  - [UBUNTU 20.04] boot: Add secure boot trailer
  + [UBUNTU 20.04] boot: Add s390x secure boot trailer
description: updated
description: updated
Changed in linux (Ubuntu Focal):
  importance: Undecided → Medium
Changed in linux (Ubuntu Jammy):
  importance: Undecided → Medium
Changed in linux (Ubuntu Kinetic):
  importance: Undecided → Medium
  status: In Progress → Fix Committed
Changed in linux (Ubuntu Jammy):
  status: In Progress → Fix Committed
Changed in linux (Ubuntu Focal):
  status: In Progress → Fix Committed
Changed in ubuntu-z-systems:
  status: In Progress → Fix Committed
tags: added: targetmilestone-inin2004 removed: targetmilestone-inin---
Changed in ubuntu-z-systems:
  status: Fix Committed → Fix Released
tags: added: verification-done-kinetic removed: verification-needed-kinetic
tags: added: verification-done-focal removed: verification-needed-focal
tags: added: verification-done-focal removed: verification-needed-focal
tags: added: verification-done-jammy removed: verification-needed-jammy
tags: added: verification-done-focal removed: verification-needed-focal
tags: added: verification-done-focal verification-done-jammy removed: verification-needed-focal verification-needed-jammy
So commit aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" was just upstream accepted with v6.1-rc3.
And it got tagged for upstream stable with:
"Cc: <email address hidden> # 5.2+"
That means that it will ideally automatically land over time in all Ubuntu kernels, down to focal's 5.4.
But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable.
It's planned to have kernel 6.2 in lunar (23.04), hence it will get the patch automatically when at the planned target level.