I've successfully tested and verified this on kinetic and jammy as part of
LP#1996069.
Now tested on focal on top:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.5 LTS
Release: 20.04
Codename: focal
$ uname -a
Linux hwe0008 5.4.0-136-generic #153-Ubuntu SMP Thu Nov 24 15:57:18 UTC 2022
s390x s390x s390x GNU/Linux
ubuntu@hwe0008:~$ ls
check_sb_trailer.sh
$ sudo ./check_sb_trailer.sh /boot/vmlinuz-5.4.0-136-generic
Checking secure boot trailer of file /boot/vmlinuz-5.4.0-136-generic
* Read 32 bytes at offset 0091f218:
000002107e4d6f64756c65207369676e617475726520617070656e6465647e0a
* Found signature marker - skipping 568 bytes
* Read 32 bytes at offset 0091efe0:
000000000000000000000000000000000000000000000000000000207a49504c
* Success - Linux kernel trailer found
$
I'm adjusting the tags accordingly ...
** Tags removed: verification-needed-focal verification-needed-jammy verification-needed-kinetic
** Tags added: verification-done-focal verification-done-jammy verification-done-kinetic
https://bugs.launchpad.net/bugs/1996071
Title:
[UBUNTU 20.04] boot: Add s390x secure boot trailer
Status in Ubuntu on IBM z Systems:
Fix Committed
Status in linux package in Ubuntu:
Invalid
Status in linux source package in Focal:
Fix Committed
Status in linux source package in Jammy:
Fix Committed
Status in linux source package in Kinetic:
Fix Committed
Bug description:
SRU Justification:
==================
[Impact]
* Secure boot of Linux on s390x will no longer be possible
with an upcoming IBM zSystems firmware update.
[Fix]
* aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy
* https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal
[Test Plan]
* An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is
required.
* Ensure that 'Enable Secure Boot for Linux' is marked in case
'SCSI Load' is selected at the HMC's Load task and Activation Profile.
* Perform an Ubuntu Server installation, either 20.04 or 22.04
(latest ISO).
It will be a secure boot installation by default in case
'Enable Secure Boot for Linux' was marked.
* Check sysfs:
/sys/firmware/ipl/has_secure
'1' indicates hw support for secure boot, otherwise '0'
/sys/firmware/ipl/secure
'1' indicates that secure IPL was successful, otherwise '0'
* Navigate to the HMC task 'System information'
and check the active firmware release.
* Ensure that Ubuntu is still bootable in secure-boot mode
with the updated firmware active,
by for example doing a reboot after the firmware upgrade.
* There is also a way to test the trailer on systems that do not
have the updated firmware yet - in this case use the following script:
https://launchpadlibrarian.net/633126861/check_sb_trailer.sh
[Where problems could occur]
* The 'trailer' might be broken, invalid or in a wrong format
and can't be identified or read properly,
or may cause issues while compressing/decompressing the kernel.
* In the worst case secure boot might become broken,
even on systems that are still on the unpatched firmware level.
* Or secure boot will become broken in general.
[Other Info]
* The above commit was accepted upstream with v6.1-rc3.
* And it got tagged for upstream stable with:
"Cc: <[email protected]> # 5.2+"
* But since this bug is marked as critical, and the patch is relatively
short, traceable and s390x-specific, I'll go ahead and submit this
patch for Jammy and Focal ahead of upstream stable.
* Since on focal file 'vmlinux.lds.S' is at a different location
'arch/s390/boot/compressed/' instead of 'arch/s390/boot/'
and the context is slightly different, the backport is needed.
* It's planned to have kernel 6.2 in lunar (23.04), hence it will have
the patch included when at the planned target level.
__________
Description: boot: Add secure boot trailer
Symptom: Secure boot of Linux will no longer be possible with an upcoming
IBM Z firmware update.
Problem: New IBM Z firmware requires signed bootable images to contain a
trailing data block with a specific format.
Solution: Add the trailing data block to the Linux kernel image.
Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled.
Fix: available upstream with
Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7
Preventive: yes
Date: 2022-10-27
Author: Peter Oberparleiter <[email protected]>
Component: kernel
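As an added illustration (not the linked check_sb_trailer.sh and not part of the bug report), the following Python performs the same check the verification transcript shows: read the last 32 bytes of the image, and if they end with the "~Module signature appended~\n" marker, skip the appended signature (sig_len from the preceding be32, plus the 12-byte struct module_signature and the 28-byte marker: 528 + 40 = 568 in the transcript) and compare the 32 bytes before it with the trailer the patch adds (27 zero bytes followed by " zIPL", as read at offset 0091efe0). The sample image built by build_sample is constructed for the demonstration and is not a real vmlinuz; the struct module_signature layout is assumed from the kernel's own definition.

```python
import struct

SIG_MAGIC = b"~Module signature appended~\n"  # 28-byte marker seen in the transcript
MODSIG_LEN = 12  # sizeof(struct module_signature); its last 4 bytes are be32 sig_len
TRAILER_LEN = 32
# Expected s390x secure boot trailer: 27 zero bytes followed by " zIPL"
# (the 32 bytes the transcript reads at offset 0091efe0)
SB_TRAILER = bytes(27) + b" zIPL"

def find_sb_trailer(image: bytes):
    """Return (found, trailer_offset, bytes_skipped), following the transcript:
    read the last 32 bytes; if they end with the marker, skip
    sig_len + 12 + 28 bytes (528 + 40 = 568 there) and compare the
    32 bytes before that with the expected trailer."""
    if len(image) < TRAILER_LEN:
        return False, None, 0
    end = len(image)
    tail = image[end - TRAILER_LEN:end]
    skipped = 0
    if tail.endswith(SIG_MAGIC):
        (sig_len,) = struct.unpack(">I", tail[:4])  # be32 right before the marker
        skipped = sig_len + MODSIG_LEN + len(SIG_MAGIC)
        end -= skipped
        if end < TRAILER_LEN:
            return False, None, skipped
    offset = end - TRAILER_LEN
    return image[offset:end] == SB_TRAILER, offset, skipped

def build_sample(signed: bool, with_trailer: bool = True) -> bytes:
    """Constructed stand-in for a kernel image (not a real vmlinuz)."""
    body = bytes(4064) + (SB_TRAILER if with_trailer else b"\xff" * TRAILER_LEN)
    if not signed:
        return body
    fake_sig = b"\xaa" * 528  # placeholder for the PKCS#7 blob; sig_len 0x210 as in the transcript
    # struct module_signature (assumed layout): algo, hash, id_type (2 = PKEY_ID_PKCS7),
    # signer_len, key_id_len, 3 pad bytes, be32 sig_len
    modsig = struct.pack(">BBBBB3xI", 0, 0, 2, 0, 0, len(fake_sig))
    return body + fake_sig + modsig + SIG_MAGIC

def check_file(path: str) -> bool:
    """Check a file on disk, the way the script is run against /boot/vmlinuz-*."""
    with open(path, "rb") as f:
        found, offset, skipped = find_sb_trailer(f.read())
    print(f"{path}: trailer {'found' if found else 'missing'} (offset {offset}, skipped {skipped})")
    return found
```

On a signed image the reported offset is the start of the 32-byte trailer, which sits immediately before the appended signature; an image that has the marker but no trailer reports the same offset with found set to False.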