[Bug 1996069] Re: [UBUNTU 20.04] zipl: Add secure boot trailer (s390-tools part)

Frank Heimes 1996069 at bugs.launchpad.net
Thu Dec 1 14:05:58 UTC 2022


** Description changed:

- SRU Bug Template:
- =================
+ SRU Justification:
+ ==================
  
  [ Impact ]
  
-  * Secureboot on Ubuntu/s390x (and Linux on zSystems in general)
-    will no longer be possible with an upcoming IBM zSystems firmware update.
+  * Secureboot on Ubuntu/s390x (and Linux on zSystems in general)
+    will no longer be possible with an upcoming IBM zSystems firmware update.
  
-  * New IBM zSystems firmware requires all signed boot images to contain a
-    trailing data block with a specific format.
+  * New IBM zSystems firmware requires all signed boot images to contain a
+    trailing data block with a specific format.
  
-  * Solution: Add trailing data block to the zipl stage 3 boot loader
+  * Solution: Add trailing data block to the zipl stage 3 boot loader
  image.
  
  [ Fix ]
  
-  * 5768d55a08e163f718bd87498b9e763687ae7137 5768d55a08e1
-    "zipl/boot: add secure boot trailer"
+  * 5768d55a08e163f718bd87498b9e763687ae7137 5768d55a08e1
+    "zipl/boot: add secure boot trailer"
  
  [ Test Plan ]
  
-  * Reproduction: Apply latest zSystem firmware, perform an IPL (boot)
-    with Secure Boot enabled (in the LPAR activation profile).
+  * Reproduction: Apply latest zSystem firmware, perform an IPL (boot)
+    with Secure Boot enabled (in the LPAR activation profile).
  
-  * Without having the new firmware in place, or on systems that do not support
-    secureboot on s390x, the boot trailer can be tested with this script:
-    https://launchpadlibrarian.net/633126861/check_sb_trailer.sh
-    $ check_sb_trailer.sh arch/s390/boot/bzImage
-    Checking secure boot trailer of file arch/s390/boot/bzImage
-    * Read 32 bytes at offset 00777fe0:
-    000000000000000000000000000000000000000000000000000000207a49504c
-    * Success - Linux kernel trailer found
+  * Without having the new firmware in place, or on systems that do not support
+    secureboot on s390x, the boot trailer can be tested with this script:
+    https://launchpadlibrarian.net/633126861/check_sb_trailer.sh
+    $ check_sb_trailer.sh arch/s390/boot/bzImage
+    Checking secure boot trailer of file arch/s390/boot/bzImage
+    * Read 32 bytes at offset 00777fe0:
+    000000000000000000000000000000000000000000000000000000207a49504c
+    * Success - Linux kernel trailer found
  
  [ Where problems could occur ]
  
-  * Problems could occur if build tools still use '--pad-to=0xe000'
+  * Problems could occur if build tools still use '--pad-to=0xe000'
  
-  * or if the trailer is not generated the right way (according to
-    the trailer spec),
+  * or if the trailer is not generated the right way (according to
+    the trailer spec),
  
-  * or the kernel is not able to detect the trailer properly
-    (maybe because the trailer is generated in a wrong way,
-    or the detection mechanism is wrong).
+  * or the kernel is not able to detect the trailer properly
+    (maybe because the trailer is generated in a wrong way,
+    or the detection mechanism is wrong).
  
-  * But this can be tested by using the script mentioned above,
-    and was already tested (kernel part) based on LP#1996071.
+  * But this can be tested by using the script mentioned above,
+    and was already tested (kernel part) based on LP#1996071.
  
  [ Other Info ]
  
-  * This bug also has a Kernel part which is addressed in a separate
-    ticket: https://bugs.launchpad.net/bugs/1996071
+  * This bug also has a Kernel part which is addressed in a separate
+    ticket: https://bugs.launchpad.net/bugs/1996071
  
-  * The kernel part is addressed in the current cycle, hence Fix Committed.
-  
-  * The affected Ubuntu releases are Focal, Jammy and Kinetic - as one can
-    see at the bug header of this ticket.
+  * The kernel part is addressed in the current cycle, hence Fix
+ Committed.
  
-  * Lunar will get a brand new s390-tools package later in the cycle,
-    that will have this fix included.
+  * The affected Ubuntu releases are Focal, Jammy and Kinetic - as one can
+    see at the bug header of this ticket.
+ 
+  * Lunar will get a brand new s390-tools package later in the cycle,
+    that will have this fix included.
  __________
  
  Description:   zipl: Add secure boot trailer
  
  Symptom:       Secure boot of Linux will no longer be possible with an upcoming
                 IBM Z firmware update.
  
  Problem:       New IBM Z firmware requires all signed boot images to contain a
                 trailing data block with a specific format.
  
  Solution:      Add trailing data block to the zipl stage 3 boot loader image.
  Reproduction:  Apply latest firmware, perform IPL with Secure Boot enabled.
  
  Fix:           Available upstream with
  Upstream-ID:   5768d55a08e163f718bd87498b9e763687ae7137
  
  Upstream-Description:
  
                zipl/boot: add secure boot trailer
  
                This patch enhances the zipl stage3 loader image adding a trailer as
                required for secure boot by future firmware versions.
  
                Note: with the change in this patch the padding via objcopy command line
                options is replaced by padding via linker script directives with the
                same effect.
  
                Signed-off-by: Peter Oberparleiter <oberpar at linux.ibm.com>
                Signed-off-by: Jan Hoeppner <hoeppner at linux.ibm.com>
  
  Signed-off-by: Peter Oberparleiter <oberpar at linux.ibm.com>
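
Review bot: in the [ Test Plan ] section, the offline check is run against arch/s390/boot/bzImage and reports "Linux kernel trailer found", which exercises the kernel part (LP#1996071) rather than the zipl stage 3 boot loader image that this bug changes. Suggest adding a sample run of check_sb_trailer.sh (or an equivalent check) against the stage 3 loader image built from the patched s390-tools, so that the s390-tools SRU has its own verification step that does not depend on the new firmware being installed. In [ Where problems could occur ], the '--pad-to=0xe000' item would also be easier to verify if it named the build step to inspect.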

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1996069

Title:
  [UBUNTU 20.04] zipl: Add secure boot trailer (s390-tools part)

Status in Ubuntu on IBM z Systems:
  In Progress
Status in s390-tools package in Ubuntu:
  In Progress
Status in s390-tools-signed package in Ubuntu:
  In Progress
Status in s390-tools source package in Focal:
  New
Status in s390-tools-signed source package in Focal:
  New
Status in s390-tools source package in Jammy:
  New
Status in s390-tools-signed source package in Jammy:
  New
Status in s390-tools source package in Kinetic:
  New
Status in s390-tools-signed source package in Kinetic:
  New

Bug description:
  SRU Justification:
  ==================

  [ Impact ]

   * Secureboot on Ubuntu/s390x (and Linux on zSystems in general)
     will no longer be possible with an upcoming IBM zSystems firmware update.

   * New IBM zSystems firmware requires all signed boot images to contain a
     trailing data block with a specific format.

   * Solution: Add trailing data block to the zipl stage 3 boot loader
     image.

  [ Fix ]

   * 5768d55a08e163f718bd87498b9e763687ae7137 5768d55a08e1
     "zipl/boot: add secure boot trailer"

  [ Test Plan ]

   * Reproduction: Apply latest zSystem firmware, perform an IPL (boot)
     with Secure Boot enabled (in the LPAR activation profile).

   * Without having the new firmware in place, or on systems that do not support
     secureboot on s390x, the boot trailer can be tested with this script:
     https://launchpadlibrarian.net/633126861/check_sb_trailer.sh
     $ check_sb_trailer.sh arch/s390/boot/bzImage
     Checking secure boot trailer of file arch/s390/boot/bzImage
     * Read 32 bytes at offset 00777fe0:
     000000000000000000000000000000000000000000000000000000207a49504c
     * Success - Linux kernel trailer found

  [ Where problems could occur ]

   * Problems could occur if build tools still use '--pad-to=0xe000'

   * or if the trailer is not generated the right way (according to
     the trailer spec),

   * or the kernel is not able to detect the trailer properly
     (maybe because the trailer is generated in a wrong way,
     or the detection mechanism is wrong).

   * But this can be tested by using the script mentioned above,
     and was already tested (kernel part) based on LP#1996071.

  [ Other Info ]

   * This bug also has a Kernel part which is addressed in a separate
     ticket: https://bugs.launchpad.net/bugs/1996071

   * The kernel part is addressed in the current cycle, hence Fix
     Committed.

   * The affected Ubuntu releases are Focal, Jammy and Kinetic - as one can
     see at the bug header of this ticket.

   * Lunar will get a brand new s390-tools package later in the cycle,
     that will have this fix included.
  __________

  Description:   zipl: Add secure boot trailer

  Symptom:       Secure boot of Linux will no longer be possible with an upcoming
                 IBM Z firmware update.

  Problem:       New IBM Z firmware requires all signed boot images to contain a
                 trailing data block with a specific format.

  Solution:      Add trailing data block to the zipl stage 3 boot loader image.
  Reproduction:  Apply latest firmware, perform IPL with Secure Boot enabled.

  Fix:           Available upstream with
  Upstream-ID:   5768d55a08e163f718bd87498b9e763687ae7137

  Upstream-Description:

                zipl/boot: add secure boot trailer

                This patch enhances the zipl stage3 loader image adding a trailer as
                required for secure boot by future firmware versions.

                Note: with the change in this patch the padding via objcopy command line
                options is replaced by padding via linker script directives with the
                same effect.

                Signed-off-by: Peter Oberparleiter <oberpar at linux.ibm.com>
                Signed-off-by: Jan Hoeppner <hoeppner at linux.ibm.com>

  Signed-off-by: Peter Oberparleiter <oberpar at linux.ibm.com>

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996069/+subscriptions
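
The offline check described in the Test Plan, as an added example (this is not the linked check_sb_trailer.sh and not code from s390-tools). It assumes the expected trailer is exactly the 32-byte value printed in the sample output above, since the trailer spec itself is not reproduced in this report; the function names and the sample images are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline check for the 32-byte secure boot trailer.
# Assumption: the expected value is the one printed in the Test Plan output.
EXPECTED_TRAILER=000000000000000000000000000000000000000000000000000000207a49504c
TRAILER_LEN=32

# Print the last TRAILER_LEN bytes of file $1 as one line of lowercase hex.
# od -v is required: without it, identical all-zero rows collapse to '*'.
read_trailer_hex() {
    tail -c "$TRAILER_LEN" "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Return 0 if the trailer is present, 1 if missing, 2 if unreadable/too short.
check_sb_trailer() {
    img=$1
    [ -r "$img" ] || { echo "cannot read $img" >&2; return 2; }
    size=$(wc -c < "$img" | tr -d ' ')
    [ "$size" -ge "$TRAILER_LEN" ] || { echo "$img: shorter than trailer" >&2; return 2; }
    got=$(read_trailer_hex "$img")
    if [ "$got" = "$EXPECTED_TRAILER" ]; then
        echo "$img: trailer found at offset $(printf '%08x' $((size - TRAILER_LEN)))"
        return 0
    fi
    echo "$img: trailer missing, last $TRAILER_LEN bytes: $got"
    return 1
}

# Constructed sample images (not real boot images), each 0xe000 bytes or less:
# one ending in the trailer, one that is zero padding only, one too short.
make_samples() {
    dir=$1
    head -c $((0xe000 - TRAILER_LEN)) /dev/zero > "$dir/with_trailer.img"
    head -c 24 /dev/zero >> "$dir/with_trailer.img"
    # Final 8 bytes: 00 00 00 20 followed by ASCII "zIPL" (7a 49 50 4c).
    printf '\000\000\000\040zIPL' >> "$dir/with_trailer.img"
    head -c $((0xe000)) /dev/zero > "$dir/padded_only.img"
    printf 'short' > "$dir/short.img"
}

# Usage: sh this_file.sh <image>
if [ $# -gt 0 ]; then
    check_sb_trailer "$1"
fi
```

An image that was padded but never received the trailer yields exit status 1 and prints the bytes actually found, which makes it easy to tell from an unreadable or truncated file (status 2).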



