[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug only affected s390x, updating all other verification requests to done (to unblock potential processes). ** Tags removed: verification-needed-jammy verification-needed-jammy-linux-mtk ** Tags added: verification-done-jammy verification-done-jammy-linux-mtk -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux-mtk/5.15.0-1030.34 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-mtk' to 'verification-done-jammy- linux-mtk'. If the problem still exists, change the tag 'verification- needed-jammy-linux-mtk' to 'verification-failed-jammy-linux-mtk'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: kernel-spammed-jammy-linux-mtk-v2 verification-needed-jammy-linux-mtk -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux-lowlatency- hwe-5.19/5.19.0-1017.18~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: kernel-spammed-jammy-linux-lowlatency-hwe-5.19 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux- aws-5.19/5.19.0-1019.20~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags removed: verification-done-jammy ** Tags added: kernel-spammed-jammy-linux-aws-5.19 verification-needed-jammy -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
** Tags removed: verification-needed-focal verification-needed-jammy ** Tags added: verification-done-focal verification-done-jammy -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux- aws-5.15/5.15.0-1030.34~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags removed: verification-done-focal ** Tags added: kernel-spammed-focal-linux-aws-5.15 verification-needed-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux- bluefield/5.15.0-1012.14 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification- done-jammy'. If the problem still exists, change the tag 'verification- needed-jammy' to 'verification-failed-jammy'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags removed: verification-done-jammy ** Tags added: kernel-spammed-jammy-linux-bluefield verification-needed-jammy -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
** Tags removed: verification-needed-focal ** Tags added: verification-done-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux- azure-5.15/5.15.0-1033.40~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags removed: verification-done-focal ** Tags added: kernel-spammed-focal-linux-azure-5.15 verification-needed-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
** Tags removed: verification-needed-jammy ** Tags added: verification-done-jammy -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux-aws/5.15.0-1029.33 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags removed: verification-done-jammy ** Tags added: kernel-spammed-jammy-linux-aws verification-needed-jammy -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
** Tags removed: verification-needed-focal ** Tags added: verification-done-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux-azure/5.4.0-1102.108 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags removed: verification-done-focal ** Tags added: kernel-spammed-focal-linux-azure verification-needed-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
** Tags removed: verification-needed-focal ** Tags added: verification-done-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux-aws/5.4.0-1095.103 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags removed: verification-done-focal ** Tags added: kernel-spammed-focal-linux-aws verification-needed-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
No further verifications needed on these custom kernels mentioned above. ** Tags removed: verification-needed-focal verification-needed-jammy verification-needed-kinetic ** Tags added: verification-done-focal verification-done-jammy verification-done-kinetic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux-azure/5.15.0-1032.39 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags removed: verification-done-jammy ** Tags added: kernel-spammed-jammy-linux-azure verification-needed-jammy -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux-azure/5.19.0-1017.18 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-kinetic' to 'verification-done-kinetic'. If the problem still exists, change the tag 'verification-needed-kinetic' to 'verification-failed-kinetic'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags removed: verification-done-kinetic ** Tags added: kernel-spammed-kinetic-linux-azure verification-needed-kinetic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux- gke-5.15/5.15.0-1025.30~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags removed: verification-done-focal ** Tags added: kernel-spammed-focal-linux-gke-5.15 verification-needed-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
** Tags removed: verification-needed-kinetic ** Tags added: verification-done-kinetic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux-aws/5.19.0-1018.19 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-kinetic' to 'verification-done-kinetic'. If the problem still exists, change the tag 'verification-needed-kinetic' to 'verification-failed-kinetic'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags removed: verification-done-kinetic ** Tags added: kernel-spammed-kinetic-linux-aws verification-needed-kinetic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug was not opened against linux-ibm or linux-iot, hence the new request for verification is not valid. I'm updating the verification tags just to unblock the further process... ** Tags removed: verification-needed-focal verification-needed-kinetic ** Tags added: verification-done-focal verification-done-kinetic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux-iot/5.4.0-1011.13 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags removed: verification-done-focal ** Tags added: kernel-spammed-focal-linux-iot verification-needed-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux-ibm/5.19.0-1015.16 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-kinetic' to 'verification-done-kinetic'. If the problem still exists, change the tag 'verification-needed-kinetic' to 'verification-failed-kinetic'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags removed: verification-done-kinetic ** Tags added: kernel-spammed-kinetic-linux-ibm verification-needed-kinetic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
** Changed in: ubuntu-z-systems Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Released Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Released Status in linux source package in Jammy: Fix Released Status in linux source package in Kinetic: Fix Released Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug was fixed in the package linux - 5.19.0-28.29 --- linux (5.19.0-28.29) kinetic; urgency=medium * kinetic/linux: 5.19.0-28.29 -proposed tracker (LP: #1999746) * mm:vma05 in ubuntu_ltp fails with '[vdso] bug not patched' on kinetic/linux 5.19.0-27.28 (LP: #1999094) - fix coredump breakage linux (5.19.0-27.28) kinetic; urgency=medium * kinetic/linux: 5.19.0-27.28 -proposed tracker (LP: #1997794) * Packaging resync (LP: #1786013) - debian/dkms-versions -- update from kernel-versions (main/2022.11.14) * selftests/.../nat6to4 breaks the selftests build (LP: #1996536) - [Config] Disable selftests/net/bpf/nat6to4 * Expose built-in trusted and revoked certificates (LP: #1996892) - [Packaging] Expose built-in trusted and revoked certificates * support for same series backports versioning numbers (LP: #1993563) - [Packaging] sameport -- add support for sameport versioning * Add cs35l41 firmware loading support (LP: #1995957) - ASoC: cs35l41: Move cs35l41 exit hibernate function into shared code - ASoC: cs35l41: Add common cs35l41 enter hibernate function - ASoC: cs35l41: Do not print error when waking from hibernation - ALSA: hda: cs35l41: Don't dereference fwnode handle - ALSA: hda: cs35l41: Allow compilation test on non-ACPI configurations - ALSA: hda: cs35l41: Drop wrong use of ACPI_PTR() - ALSA: hda: cs35l41: Consolidate selections under SND_HDA_SCODEC_CS35L41 - ALSA: hda: hda_cs_dsp_ctl: Add Library to support CS_DSP ALSA controls - ALSA: hda: hda_cs_dsp_ctl: Add apis to write the controls directly - ALSA: hda: cs35l41: Save codec object inside component struct - ALSA: hda: cs35l41: Add initial DSP support and firmware loading - ALSA: hda: cs35l41: Save Subsystem ID inside CS35L41 Driver - ALSA: hda: cs35l41: Support reading subsystem id from ACPI - ALSA: hda: cs35l41: Support multiple load paths for firmware - ALSA: hda: cs35l41: Support Speaker ID for laptops - ALSA: hda: cs35l41: Support Hibernation during Suspend - ALSA: hda: cs35l41: Read Speaker Calibration data from UEFI variables - ALSA: hda: hda_cs_dsp_ctl: Add fw id strings - ALSA: hda: cs35l41: Add defaulted values into dsp bypass config sequence - ALSA: hda: cs35l41: Support Firmware switching and reloading - ALSA: hda: cs35l41: Add module parameter to control firmware load - Revert "ALSA: hda: cs35l41: Allow compilation test on non-ACPI configurations" - ALSA: hda/realtek: More robust component matching for CS35L41 - [Config] updateconfigs for SND_HDA_CS_DSP_CONTROLS * Fibocom WWAN FM350-GL suspend error (notebook not suspend) (LP: #1990700) - net: wwan: t7xx: Add AP CLDMA * Screen cannot turn on after screen off with Matrox G200eW3 [102b:0536] (LP: #1995573) - drm/mgag200: Optimize damage clips - drm/mgag200: Add FB_DAMAGE_CLIPS support - drm/mgag200: Enable atomic gamma lut update * TEE Support for CCP driver (LP: #1991608) - crypto: ccp: Add support for TEE for PCI ID 0x14CA * AMD Cezanne takes 5 minutes to wake up from suspend (LP: #1993715) - platform/x86/amd: pmc: Read SMU version during suspend on Cezanne systems * Fix ath11k deadlock on WCN6855 (LP: #1995041) - wifi: ath11k: avoid deadlock during regulatory update in ath11k_regd_update() * intel_pmc_core not load on Raptor Lake (LP: #1988461) - x86/cpu: Add new Raptor Lake CPU model number - platform/x86/intel: pmc/core: Add Raptor Lake support to pmc core driver * [UBUNTU 20.04] boot: Add s390x secure boot trailer (LP: #1996071) - s390/boot: add secure boot trailer * Fix rfkill causing soft blocked wifi (LP: #1996198) - platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi * Support Icicle Kit reference design v2022.10 (LP: #1993148) - riscv: dts: microchip: icicle: re-jig fabric peripheral addresses - riscv: dts: microchip: reduce the fic3 clock rate - riscv: dts: microchip: update memory configuration for v2022.10 - riscv: dts: microchip: fix fabric i2c reg size - SAUCE: riscv: dts: microchip: Disable PCIe on the Icicle Kit * Fix Turbostat is not working for fam: 6 model: 191: stepping: 2 CPU (LP: #1991365) - tools/power turbostat: Add support for RPL-S * armhf kernel compiled with gcc-12 fails to boot on pi 3/2 (LP: #1993120) - [Packaging] Support arch-specific compilers in updateconfigs * Kinetic update: v5.19.17 upstream stable release (LP: #1994179) - Revert "fs: check FMODE_LSEEK to control internal pipe splicing" - ALSA: oss: Fix potential deadlock at unregistration - ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free() - ALSA: usb-audio: Fix potential memory leaks - ALSA: usb-audio: Fix NULL dererence at error path - ALSA: hda/realtek: remove ALC289_FIXUP_DUAL_SPK for Dell 5530 - ALSA: hda/realtek: Correct pin configs for ASUS G533Z - ALSA:
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug was fixed in the package linux - 5.15.0-57.63
---
linux (5.15.0-57.63) jammy; urgency=medium
* jammy/linux: 5.15.0-57.63 -proposed tracker (LP: #1997737)
* Packaging resync (LP: #1786013)
- [Packaging] update variants
- debian/dkms-versions -- update from kernel-versions (main/2022.11.14)
* Expose built-in trusted and revoked certificates (LP: #1996892)
- [Packaging] Expose built-in trusted and revoked certificates
* TEE Support for CCP driver (LP: #1991608)
- crypto: ccp: Add support for TEE for PCI ID 0x14CA
* alsa: soc: the kernel print UBSAN calltrace on the machine with cs35l41
codec (LP: #1996121)
- ASoC: cs35l41: Add one more variable in the debug log
- ASoC: cs35l41: Fix an out-of-bounds access in otp_packed_element_t
* Fix ath11k deadlock on WCN6855 (LP: #1995041)
- wifi: ath11k: avoid deadlock during regulatory update in
ath11k_regd_update()
* [UBUNTU 20.04] boot: Add s390x secure boot trailer (LP: #1996071)
- s390/boot: add secure boot trailer
* Fix rfkill causing soft blocked wifi (LP: #1996198)
- platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi
* Fix Thunderbolt device hotplug fail when connect via thunderbolt dock
(LP: #1991366)
- PCI: Fix used_buses calculation in pci_scan_child_bus_extend()
- PCI: Pass available buses even if the bridge is already configured
- PCI: Move pci_assign_unassigned_root_bus_resources()
- PCI: Distribute available resources for root buses, too
- PCI: Fix whitespace and indentation
- PCI: Fix typo in pci_scan_child_bus_extend()
* md: Replace snprintf with scnprintf (LP: #1993315)
- md: Replace snprintf with scnprintf
* input/keyboard: the keyboard on some Asus laptops can't work (LP: #1992266)
- ACPI: resource: Skip IRQ override on Asus Vivobook K3402ZA/K3502ZA
- ACPI: resource: Add ASUS model S5402ZA to quirks
* Fix Turbostat is not working for fam: 6 model: 191: stepping: 2 CPU
(LP: #1991365)
- tools/power turbostat: Add support for RPL-S
* pcieport :00:1b.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal),
type=Transaction Layer, (Requester ID) (LP: #1988797)
- PCI/PTM: Cache PTM Capability offset
- PCI/PTM: Add pci_upstream_ptm() helper
- PCI/PTM: Separate configuration and enable
- PCI/PTM: Add pci_suspend_ptm() and pci_resume_ptm()
- PCI/PTM: Move pci_ptm_info() body into its only caller
- PCI/PTM: Preserve RsvdP bits in PTM Control register
- PCI/PTM: Reorder functions in logical order
- PCI/PTM: Consolidate PTM interface declarations
- PCI/PM: Always disable PTM for all devices during suspend
- PCI/PM: Simplify pci_pm_suspend_noirq()
* Fix RPL-S support on powercap/intel_rapl (LP: #1990161)
- x86/cpu: Drop spurious underscore from RAPTOR_LAKE #define
- x86/cpu: Add new Alderlake and Raptorlake CPU model numbers
- x86/cpu: Add new Raptor Lake CPU model number
- powercap: intel_rapl: add support for RaptorLake
- powercap: intel_rapl: Add support for RAPTORLAKE_P
- powercap: intel_rapl: Add support for RAPTORLAKE_S
* AMD Yellow Carp system hang on HDMI plug in/out over HP hook2 docking
(LP: #1991974)
- drm/amd/display: Fix for link encoder access for MST.
- drm/amd/display: Fix MST link encoder availability check.
- drm/amd/display: FEC configuration for dpia links
- drm/amd/display: FEC configuration for dpia links in MST mode
- drm/amd/display: Add work around for tunneled MST.
* Jammy update: v5.15.74 upstream stable release (LP: #1995638)
- nilfs2: fix use-after-free bug of struct nilfs_root
- nilfs2: fix leak of nilfs_root in case of writer thread creation failure
- nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure
- ceph: don't truncate file in atomic_open
- random: restore O_NONBLOCK support
- random: clamp credited irq bits to maximum mixed
- ALSA: hda: Fix position reporting on Poulsbo
- efi: Correct Macmini DMI match in uefi cert quirk
- USB: serial: qcserial: add new usb-id for Dell branded EM7455
- Revert "powerpc/rtas: Implement reentrant rtas call"
- Revert "crypto: qat - reduce size of mapped region"
- random: avoid reading two cache lines on irq randomness
- random: use expired timer rather than wq for mixing fast pool
- Input: xpad - add supported devices as contributed on github
- Input: xpad - fix wireless 360 controller breaking after suspend
- misc: pci_endpoint_test: Aggregate params checking for xfer
- misc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic
- Linux 5.15.74
* Jammy update: v5.15.73 upstream stable release (LP: #1995637)
- Makefile.extrawarn: Move -Wcast-function-type-strict to W=1
- docs: update mediator information in CoC docs
- xsk: Inherit need_wakeup flag for shared sockets
- mm: gup: fix the fast GUP race against THP
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug was fixed in the package linux - 5.4.0-136.153 --- linux (5.4.0-136.153) focal; urgency=medium * focal/linux: 5.4.0-136.153 -proposed tracker (LP: #1997835) * Expose built-in trusted and revoked certificates (LP: #1996892) - [Packaging] Expose built-in trusted and revoked certificates * [UBUNTU 20.04] KVM: PV: ext call delivered twice when receiver in PSW wait (LP: #1995941) - KVM: s390: pv: don't present the ecall interrupt twice * [UBUNTU 20.04] boot: Add s390x secure boot trailer (LP: #1996071) - s390/boot: add secure boot trailer * Fix rfkill causing soft blocked wifi (LP: #1996198) - platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi * md: Replace snprintf with scnprintf (LP: #1993315) - md: Replace snprintf with scnprintf * input/keyboard: the keyboard on some Asus laptops can't work (LP: #1992266) - ACPI: resource: Skip IRQ override on Asus Vivobook K3402ZA/K3502ZA - ACPI: resource: Add ASUS model S5402ZA to quirks * Focal update: v5.4.218 upstream stable release (LP: #1995530) - mm: pagewalk: Fix race between unmap and page walker - perf tools: Fixup get_current_dir_name() compilation - firmware: arm_scmi: Add SCMI PM driver remove routine - dmaengine: xilinx_dma: cleanup for fetching xlnx,num-fstores property - dmaengine: xilinx_dma: Report error in case of dma_set_mask_and_coherent API failure - ARM: dts: fix Moxa SDIO 'compatible', remove 'sdhci' misnomer - scsi: qedf: Fix a UAF bug in __qedf_probe() - net/ieee802154: fix uninit value bug in dgram_sendmsg - um: Cleanup syscall_handler_t cast in syscalls_32.h - um: Cleanup compiler warning in arch/x86/um/tls_32.c - arch: um: Mark the stack non-executable to fix a binutils warning - usb: mon: make mmapped memory read only - USB: serial: ftdi_sio: fix 300 bps rate for SIO - mmc: core: Replace with already defined values for readability - mmc: core: Terminate infinite loop in SD-UHS voltage switch - rpmsg: qcom: glink: replace strncpy() with strscpy_pad() - nilfs2: fix leak of nilfs_root in case of writer thread creation failure - nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure - ceph: don't truncate file in atomic_open - random: clamp credited irq bits to maximum mixed - ALSA: hda: Fix position reporting on Poulsbo - efi: Correct Macmini DMI match in uefi cert quirk - USB: serial: qcserial: add new usb-id for Dell branded EM7455 - random: restore O_NONBLOCK support - random: avoid reading two cache lines on irq randomness - random: use expired timer rather than wq for mixing fast pool - Input: xpad - add supported devices as contributed on github - Input: xpad - fix wireless 360 controller breaking after suspend - Linux 5.4.218 * Focal update: v5.4.217 upstream stable release (LP: #1995528) - xfs: fix misuse of the XFS_ATTR_INCOMPLETE flag - xfs: introduce XFS_MAX_FILEOFF - xfs: truncate should remove all blocks, not just to the end of the page cache - xfs: fix s_maxbytes computation on 32-bit kernels - xfs: fix IOCB_NOWAIT handling in xfs_file_dio_aio_read - xfs: refactor remote attr value buffer invalidation - xfs: fix memory corruption during remote attr value buffer invalidation - xfs: move incore structures out of xfs_da_format.h - xfs: streamline xfs_attr3_leaf_inactive - xfs: fix uninitialized variable in xfs_attr3_leaf_inactive - xfs: remove unused variable 'done' - Makefile.extrawarn: Move -Wcast-function-type-strict to W=1 - docs: update mediator information in CoC docs - Linux 5.4.217 * Focal update: v5.4.216 upstream stable release (LP: #1995526) - uas: add no-uas quirk for Hiksemi usb_disk - usb-storage: Add Hiksemi USB3-FW to IGNORE_UAS - uas: ignore UAS for Thinkplus chips - net: usb: qmi_wwan: Add new usb-id for Dell branded EM7455 - clk: ingenic-tcu: Properly enable registers before accessing timers - ARM: dts: integrator: Tag PCI host with device_type - ntfs: fix BUG_ON in ntfs_lookup_inode_by_name() - libata: add ATA_HORKAGE_NOLPM for Pioneer BDR-207M and BDR-205 - mmc: moxart: fix 4-bit bus width and remove 8-bit bus width - mm/page_alloc: fix race condition between build_all_zonelists and page allocation - mm: prevent page_frag_alloc() from corrupting the memory - mm/migrate_device.c: flush TLB while holding PTL - mm: fix madivse_pageout mishandling on non-LRU page - media: dvb_vb2: fix possible out of bound access - ARM: dts: Move am33xx and am43xx mmc nodes to sdhci-omap driver - ARM: dts: am33xx: Fix MMCHS0 dma properties - soc: sunxi: sram: Actually claim SRAM regions - soc: sunxi: sram: Prevent the driver from being unbound - soc: sunxi_sram: Make use of the helper function devm_platform_ioremap_resource() - soc: sunxi: sram: Fix
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug was not opened against linux-xilinx-zynqmp. So I'm updating the verification tag just to unblock the further process. ** Tags removed: verification-needed-focal ** Tags added: verification-done-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Committed Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Committed Status in linux source package in Jammy: Fix Committed Status in linux source package in Kinetic: Fix Committed Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux-xilinx- zynqmp/5.4.0-1020.24 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification- done-focal'. If the problem still exists, change the tag 'verification- needed-focal' to 'verification-failed-focal'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags removed: verification-done-focal ** Tags added: kernel-spammed-focal-linux-xilinx-zynqmp verification-needed-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Committed Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Committed Status in linux source package in Jammy: Fix Committed Status in linux source package in Kinetic: Fix Committed Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug was not opened against linux-nvidia/5.15.0-1011.11 and is also not relevant for this kernel. However, I'm setting the tag to done to unblock the process. ** Tags removed: verification-needed-jammy ** Tags added: verification-done-jammy -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Committed Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Committed Status in linux source package in Jammy: Fix Committed Status in linux source package in Kinetic: Fix Committed Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux-nvidia/5.15.0-1011.11 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags removed: verification-done-jammy ** Tags added: kernel-spammed-jammy-linux-nvidia verification-needed-jammy -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Committed Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Committed Status in linux source package in Jammy: Fix Committed Status in linux source package in Kinetic: Fix Committed Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
I've successfully tested and verified this on kinetic and jammy as part of LP#1996069. Now tested on focal on top: $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description:Ubuntu 20.04.5 LTS Release:20.04 Codename: focal $ uname -a Linux hwe0008 5.4.0-136-generic #153-Ubuntu SMP Thu Nov 24 15:57:18 UTC 2022 s390x s390x s390x GNU/Linux ubuntu@hwe0008:~$ ls check_sb_trailer.sh $ sudo ./check_sb_trailer.sh /boot/vmlinuz-5.4.0-136-generic Checking secure boot trailer of file /boot/vmlinuz-5.4.0-136-generic * Read 32 bytes at offset 0091f218: 02107e4d6f64756c65207369676e617475726520617070656e6465647e0a * Found signature marker - skipping 568 bytes * Read 32 bytes at offset 0091efe0: 00207a49504c * Success - Linux kernel trailer found $ I'm adjusting the tags accordingly ... ** Tags removed: verification-needed-focal verification-needed-jammy verification-needed-kinetic ** Tags added: verification-done-focal verification-done-jammy verification-done-kinetic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Committed Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Committed Status in linux source package in Jammy: Fix Committed Status in linux source package in Kinetic: Fix Committed Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to:
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux/5.15.0-57.63 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: kernel-spammed-jammy-linux verification-needed-jammy -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Committed Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Committed Status in linux source package in Jammy: Fix Committed Status in linux source package in Kinetic: Fix Committed Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux/5.19.0-27.28 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-kinetic' to 'verification-done-kinetic'. If the problem still exists, change the tag 'verification-needed-kinetic' to 'verification-failed-kinetic'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: kernel-spammed-kinetic-linux verification-needed-kinetic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Committed Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Committed Status in linux source package in Jammy: Fix Committed Status in linux source package in Kinetic: Fix Committed Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
This bug is awaiting verification that the linux/5.4.0-136.153 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: kernel-spammed-focal-linux verification-needed-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Committed Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Committed Status in linux source package in Jammy: Fix Committed Status in linux source package in Kinetic: Fix Committed Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
** Tags removed: targetmilestone-inin--- ** Tags added: targetmilestone-inin2004 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Committed Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Committed Status in linux source package in Jammy: Fix Committed Status in linux source package in Kinetic: Fix Committed Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
** Changed in: ubuntu-z-systems Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: Fix Committed Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Committed Status in linux source package in Jammy: Fix Committed Status in linux source package in Kinetic: Fix Committed Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
** Changed in: linux (Ubuntu Focal) Importance: Undecided => Medium ** Changed in: linux (Ubuntu Jammy) Importance: Undecided => Medium ** Changed in: linux (Ubuntu Kinetic) Importance: Undecided => Medium ** Changed in: linux (Ubuntu Kinetic) Status: In Progress => Fix Committed ** Changed in: linux (Ubuntu Jammy) Status: In Progress => Fix Committed ** Changed in: linux (Ubuntu Focal) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: In Progress Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: Fix Committed Status in linux source package in Jammy: Fix Committed Status in linux source package in Kinetic: Fix Committed Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. * There is also a way to test the trailer on systems that do not have the updated firmware yet - in this case use the following script: https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
** Description changed: SRU Justification: == [Impact] - * Secure boot of Linux on s390x will no longer be possible -with an upcoming IBM zSystems firmware update. + * Secure boot of Linux on s390x will no longer be possible + with an upcoming IBM zSystems firmware update. [Fix] - * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" -for kinetic and jammy + * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" + for kinetic and jammy - * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch -backport for focal + * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch + backport for focal [Test Plan] - * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is + * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. - * Ensure that 'Enable Secure Boot for Linux' is marked in case -'SCSI Load' is selected at the HMCs Load task and Activation Profile. + * Ensure that 'Enable Secure Boot for Linux' is marked in case + 'SCSI Load' is selected at the HMCs Load task and Activation Profile. - * Perform an Ubuntu Server installation, either 20.04 or 22.04 -(latest ISO). -It will be a secure boot installation by default in case -'Enable Secure Boot for Linux' was marked. + * Perform an Ubuntu Server installation, either 20.04 or 22.04 + (latest ISO). + It will be a secure boot installation by default in case + 'Enable Secure Boot for Linux' was marked. - * Check sysfs: -/sys/firmware/ipl/has_secure - '1' indicates hw support for secure boot, otherwise '0' -/sys/firmware/ipl/secure - '1' indicates that secure IPL was successful, otherwise '0' + * Check sysfs: + /sys/firmware/ipl/has_secure + '1' indicates hw support for secure boot, otherwise '0' + /sys/firmware/ipl/secure + '1' indicates that secure IPL was successful, otherwise '0' - * Navigate to the HMC task 'System information' -and check the active firmware release. + * Navigate to the HMC task 'System information' + and check the active firmware release. - * Ensure that Ubuntu is still bootable in secure-boot mode -with the updated firmware active, -by for example doing a reboot after the firmware upgrade. + * Ensure that Ubuntu is still bootable in secure-boot mode + with the updated firmware active, + by for example doing a reboot after the firmware upgrade. + + * There is also a way to test the trailer on systems that do not +have the updated firmware yet - in this case use the following script: +https://launchpadlibrarian.net/633126861/check_sb_trailer.sh [Where problems could occur] - * The 'trailer' might be broken, invalid or in a wrong format -and can't be identified or read properly, -or may cause issues while compressing/decompressing the kernel. + * The 'trailer' might be broken, invalid or in a wrong format + and can't be identified or read properly, + or may cause issues while compressing/decompressing the kernel. - * In worst case secure boot might become broken, -even on systems that are still on the unpatched firmware level. + * In worst case secure boot might become broken, + even on systems that are still on the unpatched firmware level. - * Or secure boot will become broken in general. + * Or secure boot will become broken in general. [Other Info] - * The above commit was upstream accepted with v6.1-rc3. + * The above commit was upstream accepted with v6.1-rc3. - * And it got tagged for upstream stable with: -"Cc: # 5.2+" + * And it got tagged for upstream stable with: + "Cc: # 5.2+" - * But since this bug is marked as critical, and the patch is relatively -short, traceable and s390x-specific, I'll go ahead and submit this -patch for Jammy and Focal ahead of upstream stable. + * But since this bug is marked as critical, and the patch is relatively + short, traceable and s390x-specific, I'll go ahead and submit this + patch for Jammy and Focal ahead of upstream stable. - * Since on focal file 'vmlinux.lds.S' is at a different location -'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' -and the context is slightly different, the backport is needed. + * Since on focal file 'vmlinux.lds.S' is at a different location + 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' + and the context is slightly different, the backport is needed. - * It's planned to have kernel 6.2 in lunar (23.04), hence it will have -the patch incl. when at the planned target level. + * It's planned to have kernel 6.2 in lunar (23.04), hence it will have + the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
SRU request submitted to the Ubuntu kernel team mailing list for kinetic, jammy and focal. https://lists.ubuntu.com/archives/kernel-team/2022-November/thread.html#134685 It's a cherrypick for K and J, but a backport for F. Changing status to 'In Progress' for kinetic, jammy and focal. ** Changed in: linux (Ubuntu Kinetic) Status: New => In Progress ** Changed in: linux (Ubuntu Jammy) Status: New => In Progress ** Changed in: linux (Ubuntu Focal) Status: New => In Progress ** Changed in: ubuntu-z-systems Status: New => In Progress ** Changed in: linux (Ubuntu Kinetic) Assignee: (unassigned) => Canonical Kernel Team (canonical-kernel-team) ** Changed in: linux (Ubuntu Jammy) Assignee: (unassigned) => Canonical Kernel Team (canonical-kernel-team) ** Changed in: linux (Ubuntu Focal) Assignee: (unassigned) => Canonical Kernel Team (canonical-kernel-team) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: In Progress Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: In Progress Status in linux source package in Jammy: In Progress Status in linux source package in Kinetic: In Progress Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
Test packages were build for F, J and K and are available via this PPA: https://launchpad.net/~fheimes/+archive/ubuntu/lp1996071 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: New Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: New Status in linux source package in Jammy: New Status in linux source package in Kinetic: New Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the updated firmware active, by for example doing a reboot after the firmware upgrade. [Where problems could occur] * The 'trailer' might be broken, invalid or in a wrong format and can't be identified or read properly, or may cause issues while compressing/decompressing the kernel. * In worst case secure boot might become broken, even on systems that are still on the unpatched firmware level. * Or secure boot will become broken in general. [Other Info] * The above commit was upstream accepted with v6.1-rc3. * And it got tagged for upstream stable with: "Cc: # 5.2+" * But since this bug is marked as critical, and the patch is relatively short, traceable and s390x-specific, I'll go ahead and submit this patch for Jammy and Focal ahead of upstream stable. * Since on focal file 'vmlinux.lds.S' is at a different location 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' and the context is slightly different, the backport is needed. * It's planned to have kernel 6.2 in lunar (23.04), hence it will have the patch incl. when at the planned target level. __ Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
** Description changed: + SRU Justification: + == + + [Impact] + + * Secure boot of Linux on s390x will no longer be possible +with an upcoming IBM zSystems firmware update. + + [Fix] + + * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" +for kinetic and jammy + + * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch +backport for focal + + [Test Plan] + + * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is + required. + + * Ensure that 'Enable Secure Boot for Linux' is marked in case +'SCSI Load' is selected at the HMCs Load task and Activation Profile. + + * Perform an Ubuntu Server installation, either 20.04 or 22.04 +(latest ISO). +It will be a secure boot installation by default in case +'Enable Secure Boot for Linux' was marked. + + * Check sysfs: +/sys/firmware/ipl/has_secure + '1' indicates hw support for secure boot, otherwise '0' +/sys/firmware/ipl/secure + '1' indicates that secure IPL was successful, otherwise '0' + + * Navigate to the HMC task 'System information' +and check the active firmware release. + + * Ensure that Ubuntu is still bootable in secure-boot mode +with the updated firmware active, +by for example doing a reboot after the firmware upgrade. + + [Where problems could occur] + + * The 'trailer' might be broken, invalid or in a wrong format +and can't be identified or read properly, +or may cause issues while compressing/decompressing the kernel. + + * In worst case secure boot might become broken, +even on systems that are still on the unpatched firmware level. + + * Or secure boot will become broken in general. + + [Other Info] + + * The above commit was upstream accepted with v6.1-rc3. + + * And it got tagged for upstream stable with: +"Cc: # 5.2+" + + * But since this bug is marked as critical, and the patch is relatively +short, traceable and s390x-specific, I'll go ahead and submit this +patch for Jammy and Focal ahead of upstream stable. + + * Since on focal file 'vmlinux.lds.S' is at a different location +'arch/s390/boot/compressed/' instead of 'arch/s390/boot/' +and the context is slightly different, the backport is needed. + + * It's planned to have kernel 6.2 in lunar (23.04), hence it will have +the patch incl. when at the planned target level. + + __ + Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming -IBM Z firmware update. + IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a -trailing data block with a specific format. + trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: New Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: New Status in linux source package in Jammy: New Status in linux source package in Kinetic: New Bug description: SRU Justification: == [Impact] * Secure boot of Linux on s390x will no longer be possible with an upcoming IBM zSystems firmware update. [Fix] * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure boot trailer" for kinetic and jammy * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch backport for focal [Test Plan] * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is required. * Ensure that 'Enable Secure Boot for Linux' is marked in case 'SCSI Load' is selected at the HMCs Load task and Activation Profile. * Perform an Ubuntu Server installation, either 20.04 or 22.04 (latest ISO). It will be a secure boot installation by default in case 'Enable Secure Boot for Linux' was marked. * Check sysfs: /sys/firmware/ipl/has_secure '1' indicates hw support for secure boot, otherwise '0' /sys/firmware/ipl/secure '1' indicates that secure IPL was successful, otherwise '0' * Navigate to the HMC task 'System information' and check the active firmware release. * Ensure that Ubuntu is still bootable in secure-boot mode with the
[Kernel-packages] [Bug 1996071] Re: [UBUNTU 20.04] boot: Add s390x secure boot trailer
** Summary changed: - [UBUNTU 20.04] boot: Add secure boot trailer + [UBUNTU 20.04] boot: Add s390x secure boot trailer -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1996071 Title: [UBUNTU 20.04] boot: Add s390x secure boot trailer Status in Ubuntu on IBM z Systems: New Status in linux package in Ubuntu: Invalid Status in linux source package in Focal: New Status in linux source package in Jammy: New Status in linux source package in Kinetic: New Bug description: Description: boot: Add secure boot trailer Symptom: Secure boot of Linux will no longer be possible with an upcoming IBM Z firmware update. Problem: New IBM Z firmware requires signed bootable images to contain a trailing data block with a specific format. Solution: Add the trailing data block to the Linux kernel image. Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled. Fix: available upstream with Upstream-ID: aa127a069ef312aca02b730d5137e1778d0c3ba7 Preventive:yes Date: 2022-10-27 Author:Peter Oberparleiter Component: kernel To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
