------- Comment From [email protected] 2022-11-10 10:24 EDT-------
(In reply to comment #8)
> In the focal master-next tree file 'vmlinux.lds.S' is at a different
> location: 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/'
> and the context is also slightly different.
>
> Would you please have a look at the attached backport for focal and confirm
> that it's correct?
> Since it has this add. block:
> "
> . = ALIGN(256);
> .bss : {
> _bss = . ;
> *(.bss)
> *(.bss.*)
> *(COMMON)
> . = ALIGN(8); /* For convenience during zeroing */
> _ebss = .;
> }
> "
The sb_trailer block needs to move to before the .bss definition, and
replaces the ALIGN(256) line. Otherwise kernel image sizes will be
unnecessarily increased by the size of the discarded bss section. It
should look something like this:
_compressed_start = .;
*(.vmlinux.bin.compressed)
_compressed_end = .;
- FILL(0xff);
- . = ALIGN(4096);
}
- . = ALIGN(256);
+
+#define SB_TRAILER_SIZE 32
+ /* Trailer needed for Secure Boot */
+ . += SB_TRAILER_SIZE; /* make sure .sb.trailer does not overwrite the
previous section */
+ . = ALIGN(4096) - SB_TRAILER_SIZE;
+ .sb.trailer : {
+ QUAD(0)
+ QUAD(0)
+ QUAD(0)
+ QUAD(0x000000207a49504c)
+ }
+
.bss : {
_bss = . ;
*(.bss)
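Review bot: The last QUAD in .sb.trailer, 0x000000207a49504c, is an undocumented magic value, and nothing ties the four QUADs to SB_TRAILER_SIZE except that 4 x 8 happens to equal 32. A short comment on the trailer layout would help the next backporter (the low four bytes are ASCII "zIPL" and the 0x20 equals SB_TRAILER_SIZE), and a linker ASSERT that the .sb.trailer section size equals SB_TRAILER_SIZE would catch a mismatch at build time. Also note that the comment on the `. += SB_TRAILER_SIZE;` line was wrapped by the mailer, so its continuation line "previous section */" has no `+` prefix; the real backport patch needs that comment on one line or the hunk will not apply as shown.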
> Looks like we commented in parallel.
> Yes, backport will be helpful.
Ok, will try to work on that.
--
https://bugs.launchpad.net/bugs/1996071
Title:
[UBUNTU 20.04] boot: Add secure boot trailer
Status in Ubuntu on IBM z Systems:
New
Status in linux package in Ubuntu:
Invalid
Status in linux source package in Focal:
New
Status in linux source package in Jammy:
New
Status in linux source package in Kinetic:
New
Bug description:
Description: boot: Add secure boot trailer
Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update.
Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format.
Solution: Add the trailing data block to the Linux kernel image.
Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled.
Fix: available upstream with
Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7
Preventive: yes
Date: 2022-10-27
Author: Peter Oberparleiter <[email protected]>
Component: kernel
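The placement arithmetic and trailer bytes discussed in this thread, as an added example that is not part of the bug report or the kernel source: it models the two location-counter lines from the proposed linker script and checks a built image for the trailer. It assumes the trailer is the last 32 bytes of the image file; the function names and the sample image are constructed for illustration.

```python
import struct

PAGE = 4096
SB_TRAILER_SIZE = 32  # value from the linker script quoted on this page
# The four QUADs from the page, in big-endian byte order as s390 stores them.
EXPECTED = struct.pack(">4Q", 0, 0, 0, 0x000000207A49504C)


def align(addr, boundary):
    """Linker-script ALIGN(): round addr up to a multiple of boundary."""
    return (addr + boundary - 1) & ~(boundary - 1)


def trailer_start(prev_end, reserve=True):
    """Location counter for .sb.trailer, given where the previous section ends.

    reserve=False omits the '. += SB_TRAILER_SIZE' line to show why it exists.
    """
    dot = prev_end + SB_TRAILER_SIZE if reserve else prev_end
    return align(dot, PAGE) - SB_TRAILER_SIZE


def check_image(image):
    """Return a list of problems; an empty list means the trailer is in place.

    Assumption: the trailer occupies the last 32 bytes of the image file.
    """
    if len(image) < SB_TRAILER_SIZE:
        return ["image is shorter than the trailer"]
    problems = []
    if len(image) % PAGE:
        problems.append("image size is not a multiple of 4096")
    if image[-SB_TRAILER_SIZE:] != EXPECTED:
        problems.append("last 32 bytes do not match the trailer")
    return problems


def build_sample(payload_len):
    """Constructed sample image: payload, zero padding, then the trailer."""
    start = trailer_start(payload_len)
    return b"\xAA" * payload_len + b"\x00" * (start - payload_len) + EXPECTED


if __name__ == "__main__":
    for end in (0x0FE0, 0x0FF0, 0x1000):
        print(hex(end), hex(trailer_start(end)), hex(trailer_start(end, False)))
    print(check_image(build_sample(0x0FF0)) or "trailer OK")
```

Without the reserve step, a previous section ending at 0xff0 would place the trailer at 0xfe0, inside that section, which is the overlap the comment in the linker script warns about.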