Thank you Nick,

I have now rebuilt the packages with -v2.37.0-0ubuntu2 (plucky) and -v2.31.0-0ubuntu5.1 (noble) respectively, to include the changelog entries of the versions that are currently in -proposed into the .changes file, and re-uploaded.

New versions (of s390-tools and s390-tools-signed) are now in the unapproved queue:
https://launchpad.net/ubuntu/plucky/+queue?queue_state=1&queue_text=s390-tools
https://launchpad.net/ubuntu/noble/+queue?queue_state=1&queue_text=s390-tools
-- 
You received this bug notification because you are a member of Debcrafters packages, which is subscribed to s390-tools in Ubuntu.
https://bugs.launchpad.net/bugs/2118762

Title:
  [UBUNTU 25.04] genprotimg fails on Ubuntu 25.04

Status in Ubuntu on IBM z Systems:
  In Progress
Status in s390-tools package in Ubuntu:
  Fix Released
Status in s390-tools-signed package in Ubuntu:
  Fix Released
Status in s390-tools source package in Plucky:
  Triaged
Status in s390-tools-signed source package in Plucky:
  Triaged
Status in s390-tools source package in Questing:
  Fix Released
Status in s390-tools-signed source package in Questing:
  Fix Released

Bug description:

SRU Justification:

[ Impact ]

 * Starting with Ubuntu Server 25.04, genprotimg (part of s390-tools 2.37.0) fails with:
   "error: Cannot read stage3a at /usr/share/s390-tools/pvimg/stage3a.bin"

 * However, the needed file is located in /usr/share/s390-tools/pvimg/boot, so just in the wrong folder. The genprotimg tool expects them 'one up' in /usr/share/s390-tools/pvimg, the same folder where the genprotimg tool itself is located.

 * Prior to 25.04 the Makefile built and placed the stage3*.bin files at /usr/share/s390-tools/pvimg/ and the debian helper installed them in the same folder.

 * With s390-tools 2.37.0 the Makefile builds them in /usr/share/s390-tools/pvimg/boot, hence installing them there (in the same folder) is no longer correct.

 * The solution is simply to move them again one up (or let's better say: explicitly install them to the correct folder) using/modifying d/s390-tools-data.install.

[ Test Plan ]

 * An Ubuntu Server 25.04 installation with s390-tools installed is required.

 * A (dummy) host key is needed - which can be for example obtained by IBM. Here assuming it's named HKD.crt and placed in the user's home directory.

 * On a system without the package modification that is discussed here (that means with the stage3* files in /usr/share/s390-tools/pvimg/boot), the genprotimg tool will fail with the error that was reported:

     $ genprotimg --kernel /boot/vmlinuz-$(uname -r) --output se.img -k ~/HKD.crt --no-verify
     Host-key document verification is disabled. \
       The Secure Execution image may not be protected.
     error: Cannot read stage3a at `/usr/share/s390-tools/pvimg/stage3a.bin`

 * However, on a system with the updated package installed (that means with the stage3* files in /usr/share/s390-tools/pvimg), the genprotimg tool will successfully work:

     $ genprotimg --kernel /boot/vmlinuz-$(uname -r) --output se.img -k ~/HKD.crt --no-verify
     Host-key document verification is disabled. \
       The Secure Execution image may not be protected.
     Successfully generated the Secure Execution image.

 * This is a step of the creation of secure execution images for s390x (confidential computing). The entire end-to-end setup for secure execution is described here in more detail, and also uses Ubuntu Server as an example:
   https://www.ibm.com/docs/en/linuxonibm/pdf/lx24se04.pdf
   (esp. genprotimg, page 60ff)

[ Where problems could occur ]

 * The s390-tools code itself was not touched, just the packaging meta data d/s390-tools-data.install file.

 * Since this issue is in plucky only, an interim release, but the vast majority of secure execution use cases is on LTS releases, not many users will be affected.

 * And if a user is affected, the obvious solution/workaround is to either copy or link the needed files, so that they can be found by genprotimg. And that is exactly what the modification here does.

 * However, regressions and issues could have been introduced: in case the syntax in the d/s390-tools-data.install file is wrong, or it has wrong permissions or is not properly recognized and/or evaluated (for whatever reason) in the Debian package build process. To mitigate this a test build in PPA was done.

 * Since the files were always in the same folder as the genprotimg tool, they should also be there in plucky.

[ Other Info ]

 * The modification has already landed in questing.

 * With that, other than plucky, no other Ubuntu release is affected.

__________

---Problem Description---
On Ubuntu 25.04 genprotimg fails with
error: Cannot read stage3a at /usr/share/s390-tools/pvimg/stage3a.bin

The file is located /usr/share/s390-tools/pvimg/boot however

Machine Type = n/a

---Debugger---
A debugger is not configured

---Steps to Reproduce---
install s390-tools, try to use genprotimg

---uname output---
n/a

Userspace rpm: s390-tools

Userspace tool common name: genprotimg

Userspace tool obtained from project website: na

The userspace tool has the following bit modes: both

*Additional Instructions for [email protected]:
-Attach ltrace and strace of userspace application.

== Comment by <[email protected]> =========
The issue is with the packager, see
https://git.launchpad.net/ubuntu/+source/s390-tools/tree/debian/s390-tools-data.install?h=ubuntu/plucky

Instead of what is expected '.../pvimg/', Ubuntu installs the file to the path '.../pvimg/boot/'. So the s390-tools-data.install file needs to be changed from

```
rust/pvimg/boot/stage3a.bin usr/share/s390-tools/pvimg/boot/
rust/pvimg/boot/stage3b_reloc.bin usr/share/s390-tools/pvimg/boot/
```

to

```
rust/pvimg/boot/stage3a.bin usr/share/s390-tools/pvimg/
rust/pvimg/boot/stage3b_reloc.bin usr/share/s390-tools/pvimg/
```

FYI, I've already talked to Frank.
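
The packaging check discussed in this report, as an added example that is not part of the bug report or of the s390-tools packaging: a small lint that reads a dh_install-style file and flags stage3*.bin entries whose destination is not the directory genprotimg reads from. The function names check_install_file and write_samples are hypothetical, the two sample files are constructed from the "from" and "to" variants quoted in the comment above, and only the simple "source destination" line form is handled.

```shell
#!/bin/sh
# Added example: lint a dh_install-style file for stage3*.bin entries that
# land outside the directory genprotimg reads from.

EXPECTED_DIR="usr/share/s390-tools/pvimg"  # taken from the reported error path

# check_install_file FILE
# Prints "ok SRC" or "misplaced SRC -> DEST" for every stage3 entry.
# Returns 0 = all in place, 1 = at least one misplaced, 2 = no stage3 entry.
check_install_file() {
    found=0 bad=0
    while read -r src dest rest; do
        case $src in '#'*) continue ;; esac   # skip comment lines
        case ${src##*/} in
            stage3*.bin) ;;                   # only the stage3 loader files
            *) continue ;;                    # blank lines and other entries
        esac
        found=1
        dest=${dest%/}                        # tolerate a trailing slash
        if [ "$dest" = "$EXPECTED_DIR" ]; then
            echo "ok $src"
        else
            echo "misplaced $src -> ${dest:-(no explicit destination)}"
            bad=1
        fi
    done < "$1"
    [ "$found" -eq 1 ] || return 2
    return "$bad"
}

# write_samples DIR: constructed inputs, the two variants quoted in the report.
write_samples() {
    printf '%s\n' \
        'rust/pvimg/boot/stage3a.bin usr/share/s390-tools/pvimg/boot/' \
        'rust/pvimg/boot/stage3b_reloc.bin usr/share/s390-tools/pvimg/boot/' \
        > "$1/before.install"
    printf '%s\n' \
        'rust/pvimg/boot/stage3a.bin usr/share/s390-tools/pvimg/' \
        'rust/pvimg/boot/stage3b_reloc.bin usr/share/s390-tools/pvimg/' \
        > "$1/after.install"
}

# Demo: lint both variants.
tmp=$(mktemp -d) && write_samples "$tmp"
for f in before after; do
    check_install_file "$tmp/$f.install" && echo "$f: pass" || echo "$f: FAIL"
done
rm -rf "$tmp"
```

Run against debian/s390-tools-data.install in a source tree, a non-zero return before the build catches the misplacement without needing an s390x system or a host key.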

