[Bug 1877089] Comment bridged from LTC Bugzilla
--- Comment From thorsten.di...@de.ibm.com 2020-12-11 03:37 EDT--- Hi Dimitri, now I understood. As mentioned in LP1876715 (LTC 185713) in my last recent comments, the naming problem is fixed with zfcpdump-kernel 5.4-0ubuntu1. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1877089 Title: zfcpdump kernel can not be IPLed, wrong file name To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1877089/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1877089] Comment bridged from LTC Bugzilla
--- Comment From thorsten.di...@de.ibm.com 2020-12-10 13:43 EDT--- I updated to https://launchpad.net/ubuntu/focal/+queue?queue_state=3_text=zfcpdump-kernel as of focal-proposed. Then I zipled the SCSI dump LUN: root@t35lp25:~# zipl -d /dev/disk/by-id/scsi-36005076303ffd3274609-part1 Building bootmap directly on partition '/dev/disk/by-id/scsi-36005076303ffd3274609-part1' Adding dump section kernel image..: /lib/s390-tools/zfcpdump/zfcpdump-image kernel parmline...: 'root=/dev/ram0 dump_mem=1 possible_cpus=1 cgroup_disable=memory ' component address: heap area...: 0x2000-0x5fff stack area..: 0xf000-0x internal loader.: 0xa000-0xdfff parameters..: 0x9000-0x91ff kernel image: 0x0001-0x001b7fff parmline: 0x001b8000-0x001b81ff Preparing boot device: sdi. Done. ... and dumped from LUN with secure boot enabled. But it still shows the same symptom: ... Running 'ZBootLoader' version '2.1.4' level 'D41C.D41C_0020'. MLOLOA6269064E Secure IPL: There are no signed components available on device HB A=0.0.1800, WWPN=500507630309D327, LUN=40464009. IPL failed (110). I zipled again with additional switch --secure=1, but that didn't help either. Please change the tag to verification-failed-focal. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1877089 Title: zfcpdump kernel can not be IPLed, wrong file name To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1877089/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1877089] Comment bridged from LTC Bugzilla
--- Comment From heinz-werner_se...@de.ibm.com 2020-08-26 09:14 EDT--- IBM Bugzilla status-> closed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1877089 Title: zfcpdump kernel can not be IPLed when secure boot is requested To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1877089/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1877089] Comment bridged from LTC Bugzilla
--- Comment From stefan.haberl...@de.ibm.com 2020-07-31 07:14 EDT--- This is currently not supported. As of today there is no code in zipl that writes signature entries for a dump kernel. This was not part of the initial item. It might be addressed in the future. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1877089 Title: zfcpdump kernel can not be IPLed when secure boot is requested To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1877089/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1877089] Comment bridged from LTC Bugzilla
--- Comment From pr...@de.ibm.com 2020-05-20 07:39 EDT--- (In reply to comment #14) > Thank you for those details. > > For example, if and when we bump ubuntu minimum abi to z15 we might be able > to kill the zfcpdump kernel. That's at least my hope. There's an other problem I keep forgetting. Currently only LPAR has the bigger HSA size. z/VM has to emulate the HSA and cannot cope with the bigger size yet. Not sure if/how KVM handles this. So simply bumping the ALS won't be enough. You still need to keep an eye on the hypervisors... > If there are no modules i guess any initrd will not be able to do much. Actually my hope is we find a way to get it work with the standad kernel + kdump initrd. So basically getting a firmware assisted kdump. --- Comment From pr...@de.ibm.com 2020-05-20 07:41 EDT--- I also played around a little bit more with zfcpdump + secure boot and I'm no longer sure that simply signing the zfcpdump kernel is enough. There might also be a bug in zipl. But that needs further investigation. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1877089 Title: zfcpdump kernel can not be IPLed when secure boot is requested To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1877089/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1877089] Comment bridged from LTC Bugzilla
--- Comment From pr...@de.ibm.com 2020-05-12 11:56 EDT--- Hi xnox, we need a separate flavor because zfcpdump kernels (on pre z15) are limited to 64M of memory. Any stock kernel would run oom in such a constrained environment. (In reply to comment #11) > Hm, I'm not sure we can sign the zfcpdump-kernel. > > By convention, in Focal, signed kernels enforce signed module loading & > lockdown that prevents unsigned module loading, kexec unsigned kernels or > reading arbitrary kernel memory from userspace. And I am under impression > that zfcpdump kernel/initrd rely on being able to read kernel memory. hmm... not sure if this is really a problem * the kernel is build without CONFIG_MODULES so all of the non existing kernel modules are automatically signed * not sure how lockdown works in detail but zfcpdump only needs access to /proc/vmcore which should still be possible. Otherwise kdump would be broken as well. * kexec is not needed. init is replaced by a piece of code that simply copies /proc/vmcore to disc and reboots. > The zfcpdump-kernel flavour currently is built using zfcpdump_defconfig. I > would be more comfortable if we could use the stock signed kernel image as > the zfcpdump one, instead of the purpose built one. And include any missing > modules in the zfcpdump initrd and/or adjust the cmdline to do things like > PANIC_ON_OOPS=y. But i guess we will not get CONFIG_CC_OPTIMIZE_FOR_SIZE=y > with the stock kernel image. As said before the stock kernel won't run on a pre z15 machine. On z15 (needed for secure boot anyway) that might be an option as the HSA area (the piece of memory the zfcpdump kernel runs in) was increased to 512M. That's more than usually reserved for a kdump kernel, and should be enough for any stock kernel. The problem is that zfcpdumps design never considered such an option so it won't run out of the box. Furthermore you would then need to support two different dump methods depending on the machine generation you are running on as long as any pre z15 machine is supported. I must admit that getting rid of this monstrosity would be great but I don't think it will happen any time soon. > Does zfcdump work with locked-down kernels? Not sure never tried. Philipp -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1877089 Title: zfcpdump kernel can not be IPLed when secure boot is requested To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1877089/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1877089] Comment bridged from LTC Bugzilla
--- Comment From thorsten.di...@de.ibm.com 2020-05-06 08:28 EDT--- (In reply to comment #6) > We can either revert the path change in s390-tools or rebuild the zfcpdump > kernel flavour with the new name. This should IMO be decided by the s390tools maintainer! (I personally prefer the latter.) --- Comment From thorsten.di...@de.ibm.com 2020-05-06 08:34 EDT--- (In reply to comment #7) > Separately, are you expecting for the zfcpdump-kernel to be secure boot > signed? because currently it is not. Yes: If a user has booted his system with Secure Boot enables and needs to perform a standalone zfcp dump, the HMC panel keeps the setting of Secure Boot enablement. Thus, if it was enabled for normal zfcp boot, it remains enabled for zfcp dump, and if the zfcpdump kernel is not signed, the dump fails and probably part of the memory content is lost. Secondly, if dumpconf is being used, the automatic zfcpdump will fail, too. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1877089 Title: zfcpdump kernel can not be IPLed when secure boot is requested To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1877089/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
