** Description changed: + SRU Justification: + ================== + + [Impact] + + * Secure boot of Linux on s390x will no longer be possible + with an upcoming IBM zSystems firmware update. + + [Fix] + + * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" + for kinetic and jammy + + * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch + backport for focal + + [Test Plan] + + * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is + required. + + * Ensure that 'Enable Secure Boot for Linux' is marked in case + 'SCSI Load' is selected at the HMCs Load task and Activation Profile. + + * Perform an Ubuntu Server installation, either 20.04 or 22.04 + (latest ISO). + It will be a secure boot installation by default in case + 'Enable Secure Boot for Linux' was marked. + + * Check sysfs: + /sys/firmware/ipl/has_secure + '1' indicates hw support for secure boot, otherwise '0' + /sys/firmware/ipl/secure + '1' indicates that secure IPL was successful, otherwise '0' + + * Navigate to the HMC task 'System information' + and check the active firmware release. + + * Ensure that Ubuntu is still bootable in secure-boot mode + with the updated firmware active, + by for example doing a reboot after the firmware upgrade. + + [Where problems could occur] + + * The 'trailer' might be broken, invalid or in a wrong format + and can't be identified or read properly, + or may cause issues while compressing/decompressing the kernel. + + * In worst case secure boot might become broken, + even on systems that are still on the unpatched firmware level. + + * Or secure boot will become broken in general. + + [Other Info] + + * The above commit was upstream accepted with v6.1-rc3. + + * And it got tagged for upstream stable with: + "Cc: <sta...@vger.kernel.org> # 5.2+" + + * But since this bug is marked as critical, and the patch is relatively + short, traceable and s390x-specific, I'll go ahead and submit this + patch for Jammy and Focal ahead of upstream stable. + + * Since on focal file 'vmlinux.lds.S' is at a different location + 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' + and the context is slightly different, the backport is needed. + + * It's planned to have kernel 6.2 in lunar (23.04), hence it will have + the patch incl. when at the planned target level. + + __________ + Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming - IBM Z firmware update. + IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a - trailing data block with a specific format. + trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive: yes Date: 2022-10-27 Author: Peter Oberparleiter <ober...@linux.ibm.com> Component: kernel
-- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: New Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: New Status in linux source package in Jammy: New Status in linux source package in Kinetic: New Bug description: SRU Justification: ================== [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: <sta...@vger.kernel.org> # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __________ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive: yes Date: 2022-10-27 Author: Peter Oberparleiter <ober...@linux.ibm.com> Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
