[Bug 1860531] Comment bridged from LTC Bugzilla

bugproxy bugproxy at us.ibm.com
Thu Feb 6 08:50:04 UTC 2020


------- Comment From Juergen.Lobert1 at ibm.com 2020-02-06 03:44 EDT-------
Retested with the secure entry moved to the menu section:

[defaultboot]
defaultmenu = menu

:menu
target = /boot
1 = ubuntu
2 = old
default = 1
prompt = 1
timeout = 10
secure=1
.
.

root@t35lp36:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu Focal Fossa (development branch)"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

root@t35lp36:~# uname -a
Linux t35lp36 5.4.0-12-generic #15-Ubuntu SMP Tue Jan 21 17:56:00 UTC 2020 s390x s390x s390x GNU/Linux

root@t35lp36:~# apt list s390-tools
Listing... Done
s390-tools/focal,now 2.12.0-0ubuntu1 s390x [installed]
root@t35lp36:~#

With the new placement of the "secure" keyword, secure boot works as
expected:

(1) IPL always possible with the "Enable secure boot for Linux" HMC checkbox
disabled for secure=1/0/auto. /sys/firmware/ipl/secure shows value 0 after IPL.

(2) IPL successful with the "Enable secure boot for Linux" HMC checkbox
enabled for secure=1/auto. /sys/firmware/ipl/secure shows value 1 after IPL.

(3) No IPL with the "Enable secure boot for Linux" checkbox enabled for secure=0.
Console messages in this case:

Preparing system.
Starting system.
System version 8.
Watchdog enabled.
Running 'ZBootLoader' version '1.0.0' level 'D41C.D41C_0013'.
ZBootLoader 2.0.0.
MLOLOA6269050E Secure IPL: Execute entry does not point to the beginning of a signed component on device HBA=0.0.1900, WWPN=500507630B01C320, LUN=4050404700000000.
IPL failed.

But for the secure IPLs (2) the console shows about 1800 messages (or more)
that look like:

[    2.485469] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[    2.485471] Could not create tracefs 'available_events' entry

with occasional intersections like these:

[    2.487994] ------------[ cut here ]------------
[    2.487995] Could not register function stat for cpu 0
[    2.488004] WARNING: CPU: 0 PID: 1 at kernel/trace/ftrace.c:987 ftrace_init_tracefs_toplevel+0x160/0x1b8
[    2.488005] Modules linked in:
[    2.488007] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.4.0-12-generic #15-Ubuntu
[    2.488008] Hardware name: IBM 8561 T01 703 (LPAR)
[    2.488009] Krnl PSW : 0704f00180000000 00000000c886b0d0 (ftrace_init_tracefs_toplevel+0x160/0x1b8)
[    2.488011]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3
[    2.488013] Krnl GPRS: 000000000000000a 00000000c8794110 000000000000002a 0000000000000001
[    2.488014]            0000000000000f3b 000000007fe06000 0000000000000000 00000000c88fedb8
[    2.488015]            00000000c8958000 0000000000000000 00000000f1081e70 0000000000000000
[    2.488015]            00000000f093b300 00000000f19d2000 00000000c886b0cc 000003e00000bcd8
[    2.488020] Krnl Code: 00000000c886b0c0: c020ffeb5dd3        larl    %r2,00000000c85d6c66
00000000c886b0c6: c0e5ff9a87e5        brasl   %r14,00000000c7bbc090
#00000000c886b0cc: a7f40001            brc     15,00000000c886b0ce
>00000000c886b0d0: b904002a            lgr     %r2,%r10
00000000c886b0d4: eb6ff0a00004        lmg     %r6,%r15,160(%r15)
00000000c886b0da: c0f4ffabc9f3        brcl    15,00000000c7de44c0
00000000c886b0e0: b9040049            lgr     %r4,%r9
00000000c886b0e4: c060fff7d602        larl    %r6,00000000c8765ce8
[    2.488030] Call Trace:
[    2.488031] ([<00000000c886b0cc>] ftrace_init_tracefs_toplevel+0x15c/0x1b8)
[    2.488033]  [<00000000c886bb4e>] tracer_init_tracefs+0xae/0x200
[    2.488034]  [<00000000c7b448bc>] do_one_initcall+0x3c/0x200
[    2.488036]  [<00000000c8854090>] kernel_init_freeable+0x1f8/0x2a8
[    2.488038]  [<00000000c8429f32>] kernel_init+0x22/0x150
[    2.488040]  [<00000000c8433e4c>] ret_from_fork+0x28/0x30
[    2.488041]  [<00000000c8433e54>] kernel_thread_starter+0x0/0x10
[    2.488042] Last Breaking-Event-Address:
[    2.488043]  [<00000000c886b0cc>] ftrace_init_tracefs_toplevel+0x15c/0x1b8
[    2.488044] ---[ end trace c4f019b5774fd101 ]---

An example output of the dmesg command is added as an attachment.

Another issue is the wrong documentation of the zipl.conf syntax in the man pages.
It is stated here that "secure" is a "configuration only" section keyword only:

.
.
secure = auto/1/0 (configuration only)

Configuration section:
Control the zIPL secure boot support.  Set this option to one of the following values:
.
.

As it works now, it seems to be a "menu only" configuration keyword.

Also a question arises about the zipl -S parameter as it is described
now:

root@t35lp36:~# zipl --help
Usage: zipl [OPTIONS] [SECTION]

Prepare a device for initial program load. Use OPTIONS described below or
provide the name of a SECTION defined in the zIPL configuration file.
.
.
-S, --secure SWITCH             Control the zIPL secure boot support.
auto (default):
Write signatures if available and supported
1: Write signatures regardless of support
0: Do not write signatures

With multiple menus in zipl.conf: how does zipl -S work?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1860531

Title:
  IPL on z15 always performed regardless of the secure-boot related
  settings

Status in Ubuntu on IBM z Systems:
  In Progress
Status in s390-tools package in Ubuntu:
  Fix Released
Status in s390-tools source package in Eoan:
  New
Status in s390-tools source package in Focal:
  Fix Released

Bug description:
  Description will follow

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1860531/+subscriptions
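
For triaging the roughly 1800 lockdown messages described in the comment above, the following added example (not part of the original report and not s390-tools code) collapses a dmesg capture into counts per denied feature and per WARNING site. The sample lines are constructed from the message formats quoted in the comment; the name `summarize` and the `set_event` entry are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample, modelled on the message formats quoted in the comment.
SAMPLE_DMESG = """\
[    2.485469] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[    2.485471] Could not create tracefs 'available_events' entry
[    2.485480] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[    2.485482] Could not create tracefs 'set_event' entry
[    2.487994] ------------[ cut here ]------------
[    2.487995] Could not register function stat for cpu 0
[    2.488004] WARNING: CPU: 0 PID: 1 at kernel/trace/ftrace.c:987 ftrace_init_tracefs_toplevel+0x160/0x1b8
[    2.488044] ---[ end trace c4f019b5774fd101 ]---
"""

# "Lockdown: <task>: <what> is restricted; see man kernel_lockdown.7"
LOCKDOWN_RE = re.compile(
    r"^\[\s*[\d.]+\] Lockdown: (?P<task>[^:]+): (?P<what>.+?) is restricted")
# "WARNING: CPU: n PID: n at <file:line> <function>+<offset>"
WARNING_RE = re.compile(
    r"^\[\s*[\d.]+\] WARNING: CPU: \d+ PID: \d+ at (?P<site>\S+) (?P<func>[^+\s]+)")
TRACEFS_RE = re.compile(r"Could not create tracefs '(?P<entry>[^']+)' entry")


def summarize(text):
    """Collapse repeated lockdown denials and WARNING sites into counts."""
    denials, warnings, entries = Counter(), Counter(), []
    for line in text.splitlines():
        m = LOCKDOWN_RE.match(line)
        if m:
            denials[(m["task"], m["what"])] += 1
            continue
        m = WARNING_RE.match(line)
        if m:
            warnings[(m["site"], m["func"])] += 1
            continue
        m = TRACEFS_RE.search(line)
        if m:
            entries.append(m["entry"])  # tracefs file that was not created
    return {"denials": denials, "warnings": warnings, "tracefs_entries": entries}


if __name__ == "__main__":
    result = summarize(SAMPLE_DMESG)
    for (task, what), n in result["denials"].most_common():
        print(f"{n:5d}  lockdown denial  {task}: {what}")
    for (site, func), n in result["warnings"].most_common():
        print(f"{n:5d}  WARNING          {site} in {func}")
```
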


