** Changed in: ubuntu-power-systems
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1866909
Title:
Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted
This bug was fixed in the package linux - 5.4.0-24.28
---
linux (5.4.0-24.28) focal; urgency=medium
* focal/linux: 5.4.0-24.28 -proposed tracker (LP: #1871939)
* getitimer returns it_value=0 erroneously (LP: #1349028)
- [Config] CONTEXT_TRACKING_FORCE policy should be unset
@naynjain thanks for the update.
Could you raise a new bug for the additional patch "powerpc/ima: fix secure
boot rules in ima arch policy"?
This one will be closed once the original patchsets have progressed into the
20.04 5.4 kernel.
Thanks.
--
** Changed in: ubuntu-power-systems
Status: Confirmed => Fix Committed
--
Thanks for testing. I've applied the patches to focal/master-next.
** Changed in: linux (Ubuntu)
Status: Confirmed => Fix Committed
--
** Changed in: linux (Ubuntu)
Status: Incomplete => Confirmed
** Changed in: ubuntu-power-systems
Status: Incomplete => Confirmed
--
Test build is done now, in the same location. It has the above patch and
also the updated patch from bug 1855668.
--
Oh but PPC_SECURE_BOOT depends on IMA_ARCH_POLICY. For now I'm going to
make it depend on that or LOCK_DOWN_IN_SECURE_BOOT to get the test build
going. I think this makes sense because lockdown enforces signatures for
module loading and kexec (plus a number of other restrictions), which I
think is
Um, off rather.
--
Title:
Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot
I'll get a test kernel uploaded with IMA_ARCH_POLICY up, will let you
know when it's ready for testing.
--
Afaict the ppc ima arch policy is about ensuring that signature
verification is done for module loading and kexec, which in our kernel
will be enforced by automatically turning on lockdown integrity mode
under secure boot. So my conclusion is that CONFIG_MODULE_SIG_FORCE
should stay off and
I'm suddenly having a major sense of deja vu about this. I think we hit
very similar issues on x86, and after discussions with Mimi we decided
that CONFIG_IMA_ARCH_POLICY should be disabled for us. I think this may
be the right solution here too.
--
Our policy is to require module signatures only under lockdown.
CONFIG_MODULE_SIG_FORCE requires modules to be signed unconditionally,
which makes dkms impossible on systems which have no mechanism for
importing keys from firmware.
--
If we understood you correctly you want to have CONFIG_MODULE_SIG_FORCE
set (for Power only) - so we are considering that ...
--
Yes, I had a quick look at the sources MODULE_SIG_FORCE is currently unset for
all architectures:
annotations:CONFIG_MODULE_SIG_FORCE policy<{'amd64':
'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 'riscv64': 'n',
's390x': 'n'}>
config.common.ubuntu:#
Build is done now, version 5.4.0-21.25+lp1866909v202004020814 in
https://launchpad.net/~sforshee/+archive/ubuntu/lp1866909/+packages.
--
Note that it is still building, should be ready in a few hours. I'll
post an update when it is done.
--
Yes, Seth was so kind to already trigger a new build - it has the config
options in (and I think also the patches from LP 1855668, comment #19 and #10).
If you refresh https://launchpad.net/~sforshee/+archive/ubuntu/lp1866909
you should now see the newer version:
The test/dev key that was used to sign the kernel from this PPA is itself also
part of the PPA.
Find the PPA archive URL (aka 'deb-line') by browsing the landing page of this
PPA:
https://launchpad.net/~sforshee/+archive/ubuntu/lp1866909
The URL ('deb-line') is:
The kernel team was so kind to create a test kernel in this PPA:
https://launchpad.net/~sforshee/+archive/ubuntu/lp1866909
Please give it a thorough test on short notice!
Thank you
--
Hi Nayna, we talked about that with Michael Ranweiler in a call today.
And we will also discuss with the Canonical kernel team about the options that
exist - stay tuned.
--
** Changed in: ubuntu-power-systems
Assignee: (unassigned) => Ubuntu on IBM Power Systems Bug Triage
(ubuntu-power-triage)
** Changed in: linux (Ubuntu)
Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) =>
Canonical Kernel Team (canonical-kernel-team)
--
"May I ask the kernel version that Ubuntu will be using for 20.04 ?"
I see this getting asked a lot on both Power and Z tickets, I thought
Ubuntu communicated way back in November 2019 to everyone that we will
ship linux-generic in 20.04 based on v5.4 kernel.
Has this not been clear? Or are there
That is a significant list for patches - are they all > 5.4? (I'll look them up
...)
Ubuntu Server 20.04 will be shipped with a kernel 5.4 - and beta is planned to
be released on April 2nd (so next Thursday) - things are largely frozen
already.
--
When I earlier looked-up the commits listed here in the bug description via
their 'commit name', I found some but not all of them. (I prefer looking up
commits via its name rather than via their hash, since depending on the git
tree they come from [upstream, ubuntu, etc.] hashes can be
I had a first glimpse at the patches/commits, and found out that:
The following commits are already in 'focal' aka 20.04 (even in master, hence
they are in the current focal kernel):
8c655784e2cf "integrity: Define a trusted platform keyring"
f218a29c25ad "ima: Support platform keyring for
** Package changed: kernel-package (Ubuntu) => linux (Ubuntu)
** Also affects: ubuntu-power-systems
Importance: Undecided
Status: New