[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-16 Thread Frank Heimes
** Changed in: ubuntu-power-systems Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1866909 Title: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-16 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 5.4.0-24.28 --- linux (5.4.0-24.28) focal; urgency=medium * focal/linux: 5.4.0-24.28 -proposed tracker (LP: #1871939) * getitimer returns it_value=0 erroneously (LP: #1349028) - [Config] CONTEXT_TRACKING_FORCE policy should be unset

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-14 Thread Andrew Cloke
@naynjain thanks for the update. Could you raise a new bug for the additional patch "powerpc/ima: fix secure boot rules in ima arch policy"? This one will be closed once the original patchsets have progressed into the 20.04 5.4 kernel. Thanks.

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-06 Thread Frank Heimes
** Changed in: ubuntu-power-systems Status: Confirmed => Fix Committed

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-06 Thread Seth Forshee
Thanks for testing. I've applied the patches to focal/master-next. ** Changed in: linux (Ubuntu) Status: Confirmed => Fix Committed

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-06 Thread Andrew Cloke
** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed ** Changed in: ubuntu-power-systems Status: Incomplete => Confirmed

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-03 Thread Seth Forshee
Test build is done now, in the same location. It has the above patch and also the updated patch from bug 1855668.

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-03 Thread Seth Forshee
Oh but PPC_SECURE_BOOT depends on IMA_ARCH_POLICY. For now I'm going to make it depend on that or LOCK_DOWN_IN_SECURE_BOOT to get the test build going. I think this makes sense because lockdown enforces signatures for module loading and kexec (plus a number of other restrictions), which I think is

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-03 Thread Seth Forshee
Um, off rather.

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-03 Thread Seth Forshee
I'll get a test kernel uploaded with IMA_ARCH_POLICY up, will let you know when it's ready for testing.

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-03 Thread Seth Forshee
Afaict the ppc ima arch policy is about ensuring that signature verification is done for module loading and kexec, which in our kernel will be enforced by automatically turning on lockdown integrity mode under secure boot. So my conclusion is that CONFIG_MODULE_SIG_FORCE should stay off and

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-03 Thread Seth Forshee
I'm suddenly having a major sense of deja vu about this. I think we hit very similar issues on x86, and after discussions with Mimi we decided that CONFIG_IMA_ARCH_POLICY should be disabled for us. I think this may be the right solution here too.

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-03 Thread Seth Forshee
Our policy is to require module signatures only under lockdown. CONFIG_MODULE_SIG_FORCE requires modules to be signed unconditionally, which makes dkms impossible on systems which have no mechanism for importing keys from firmware.

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-03 Thread Frank Heimes
If we understood you correctly you want to have CONFIG_MODULE_SIG_FORCE set (for Power only) - so we are considering that ...

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-02 Thread Frank Heimes
Yes, I had a quick look at the sources: MODULE_SIG_FORCE is currently unset for all architectures: annotations:CONFIG_MODULE_SIG_FORCE policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 'riscv64': 'n', 's390x': 'n'}> config.common.ubuntu:#

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-02 Thread Seth Forshee
Build is done now, version 5.4.0-21.25+lp1866909v202004020814 in https://launchpad.net/~sforshee/+archive/ubuntu/lp1866909/+packages.

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-02 Thread Seth Forshee
Note that it is still building, should be ready in a few hours. I'll post an update when it is done.

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-02 Thread Frank Heimes
Yes, Seth was so kind to already trigger a new build - it has the config options in (and I think also the patches from LP 1855668, comment #19 and #10). If you refresh https://launchpad.net/~sforshee/+archive/ubuntu/lp1866909 you should now see the newer version:

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-04-02 Thread Frank Heimes
The test/dev key that was used to sign the kernel from this PPA is itself also part of the PPA. Find the PPA archive URL (aka 'deb-line') by browsing the landing page of this PPA: https://launchpad.net/~sforshee/+archive/ubuntu/lp1866909 The URL ('deb-line') is:

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-03-30 Thread Frank Heimes
The kernel team was so kind to create a test kernel in this PPA: https://launchpad.net/~sforshee/+archive/ubuntu/lp1866909 Please give it a thorough test on short notice! Thank you

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-03-30 Thread Frank Heimes
Hi Nayna, we talked about that with Michael Ranweiler in a call today. And we will also discuss with the Canonical kernel team about the options that exist - stay tuned.

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-03-30 Thread Frank Heimes
** Changed in: ubuntu-power-systems Assignee: (unassigned) => Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) ** Changed in: linux (Ubuntu) Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) => Canonical Kernel Team (canonical-kernel-team)

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-03-27 Thread Dimitri John Ledkov
"May I ask the kernel version that Ubuntu will be using for 20.04 ?" I see this getting asked a lot on both Power and Z tickets, I thought Ubuntu communicated way back in November 2019 to everyone that we will ship linux-generic in 20.04 based on v5.4 kernel. Has this not been clear? Or are there

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-03-27 Thread Frank Heimes
That is a significant list of patches - are they all > 5.4? (I'll look them up ...) Ubuntu Server 20.04 will be shipped with a kernel 5.4 - and beta is planned to be released on April 2nd (so next Thursday) - things are largely frozen already.

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-03-23 Thread Frank Heimes
When I earlier looked up the commits listed here in the bug description via their 'commit name', I found some but not all of them. (I prefer looking up commits via their name rather than via their hash, since depending on the git tree they come from [upstream, ubuntu, etc.] hashes can be

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-03-11 Thread Frank Heimes
I had a first glimpse at the patches/commits, and found out that: The following commits are already in 'focal' aka 20.04 (even in master, hence they are in the current focal kernel): 8c655784e2cf "integrity: Define a trusted platform keyring" f218a29c25ad "ima: Support platform keyring for

[Bug 1866909] Re: Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot

2020-03-11 Thread Frank Heimes
** Package changed: kernel-package (Ubuntu) => linux (Ubuntu) ** Also affects: ubuntu-power-systems Importance: Undecided Status: New