[UBUNTU 20.04] zipl: Add secure boot trailer (s390-tools part)

Bug #1996069 reported by bugproxy
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners |
s390-tools (Ubuntu) | Invalid | Undecided | Unassigned |
s390-tools (Ubuntu Focal) | Fix Released | Undecided | Unassigned |
s390-tools (Ubuntu Jammy) | Fix Released | Undecided | Unassigned |
s390-tools (Ubuntu Kinetic) | Fix Released | Undecided | Unassigned |
s390-tools-signed (Ubuntu) | Invalid | Undecided | Unassigned |
s390-tools-signed (Ubuntu Focal) | Fix Released | Undecided | Unassigned |
s390-tools-signed (Ubuntu Jammy) | Fix Released | Undecided | Unassigned |
s390-tools-signed (Ubuntu Kinetic) | Fix Released | Undecided | Unassigned |

Bug Description

SRU Justification:
==================

[ Impact ]

 * Secureboot on Ubuntu/s390x (and Linux on zSystems in general)
   will no longer be possible with an upcoming IBM zSystems firmware update.

 * New IBM zSystems firmware requires all signed boot images to contain a
   trailing data block with a specific format.

 * Solution: Add trailing data block to the zipl stage 3 boot loader image.

[ Fix ]

 * 5768d55a08e163f718bd87498b9e763687ae7137 5768d55a08e1
   "zipl/boot: add secure boot trailer"

[ Test Plan ]

 * Reproduction: Apply latest zSystem firmware, perform an IPL (boot)
   with Secure Boot enabled (in the LPAR activation profile).

 * Without having the new firmware in place, or on systems that do not support
   secureboot on s390x, the boot trailer can be tested with this script:
   https://launchpadlibrarian.net/633126861/check_sb_trailer.sh
   $ check_sb_trailer.sh arch/s390/boot/bzImage
   Checking secure boot trailer of file arch/s390/boot/bzImage
   * Read 32 bytes at offset 00777fe0:
   000000000000000000000000000000000000000000000000000000207a49504c
   * Success - Linux kernel trailer found

[ Where problems could occur ]

 * Problems could occur if build tools still use '--pad-to=0xe000'

 * or if the trailer is not generated the right way (according to
   the trailer spec),

 * or the kernel is not able to detect the trailer properly
   (maybe because the trailer is generated in a wrong way,
   or the detection mechanism is wrong).

 * But this can be tested by using the script mentioned above,
   and was already tested (kernel part) based on LP#1996071.

[ Other Info ]

 * This bug also has a Kernel part which is addressed in a separate
   ticket: https://bugs.launchpad.net/bugs/1996071

 * The kernel part is addressed in the current cycle, hence Fix Committed.

 * The affected Ubuntu releases are Focal, Jammy and Kinetic - as one can
   see at the bug header of this ticket.

 * Lunar will get a brand new s390-tools package later in the cycle,
   that will have this fix included.
__________

Description: zipl: Add secure boot trailer

Symptom: Secure boot of Linux will no longer be possible with an upcoming
               IBM Z firmware update.

Problem: New IBM Z firmware requires all signed boot images to contain a
               trailing data block with a specific format.

Solution: Add trailing data block to the zipl stage 3 boot loader image.
Reproduction: Apply latest firmware, perform IPL with Secure Boot enabled.

Fix: Available upstream with
Upstream-ID: 5768d55a08e163f718bd87498b9e763687ae7137

Upstream-Description:

              zipl/boot: add secure boot trailer

              This patch enhances the zipl stage3 loader image adding a trailer as
              required for secure boot by future firmware versions.

              Note: with the change in this patch the padding via objcopy command line
              options is replaced by padding via linker script directives with the
              same effect.

              Signed-off-by: Peter Oberparleiter <email address hidden>
              Signed-off-by: Jan Hoeppner <email address hidden>

Signed-off-by: Peter Oberparleiter <email address hidden>

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-200453 severity-high targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in linux (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → nobody
affects: linux (Ubuntu) → s390-tools (Ubuntu)
Changed in ubuntu-z-systems:
importance: Undecided → High
Frank Heimes (fheimes) wrote :

Test packages are being built for K, J and F at these PPAs:

Kinetic:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1996069

Jammy:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1974109+lp1959987+lp1990520+lp1990524+lp1996069

Focal:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1987387+lp1996069

The fix for this particular bug is combined with other bug fixes in a single package update.

Frank Heimes (fheimes) wrote :

The (combined) debdiffs are here.

Again for multiple bug fixes at the same time for J and F.

The debdiffs (s390-tools and s390-tools-signed) for kinetic incl. only the bug fix for LP#1996069.

The debdiffs (s390-tools and s390-tools-signed) for jammy incl. the bug fixes for LP#1974109, LP#1959987, LP#1990520, LP#1990524 and LP#1996069.

The debdiffs (s390-tools and s390-tools-signed) for jammy incl. the bug fixes for LP#1987387 and LP#1996069.

Changed in ubuntu-z-systems:
status: New → In Progress
Changed in s390-tools (Ubuntu):
status: New → In Progress
Changed in s390-tools-signed (Ubuntu):
status: New → In Progress
Frank Heimes (fheimes)
description: updated
Frank Heimes (fheimes)
description: updated
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello bugproxy, or anyone else affected,

Accepted s390-tools into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/2.23.0-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in s390-tools (Ubuntu Kinetic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-kinetic
Łukasz Zemczak (sil2100) wrote :

Hello bugproxy, or anyone else affected,

Accepted s390-tools-signed into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools-signed/2.23.0-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in s390-tools-signed (Ubuntu Kinetic):
status: New → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello bugproxy, or anyone else affected,

Accepted s390-tools into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/2.20.0-0ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in s390-tools (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed-jammy
Changed in s390-tools-signed (Ubuntu Jammy):
status: New → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello bugproxy, or anyone else affected,

Accepted s390-tools-signed into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools-signed/2.20.0-0ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in s390-tools (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Łukasz Zemczak (sil2100) wrote :

Hello bugproxy, or anyone else affected,

Accepted s390-tools into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/2.12.0-0ubuntu3.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in s390-tools-signed (Ubuntu Focal):
status: New → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello bugproxy, or anyone else affected,

Accepted s390-tools-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools-signed/2.12.0-0ubuntu3.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-12-02 05:28 EDT-------
I successfully verified that the updated s390-tools package version 2.12.0-0ubuntu3.7 found in focal-proposed fixes the problem and works as expected.

tags: removed: verification-needed verification-needed-focal verification-needed-jammy verification-needed-kinetic
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2022-12-02 06:07 EDT-------
I successfully verified that the updated s390-tools package version 2.20.0-0ubuntu3.2 found in jammy-proposed fixes the problem and works as expected.

Frank Heimes (fheimes) wrote :

Thanks Peter - and I just checked it on kinetic, too:

Checking secure boot trailer of file /boot/vmlinuz-5.19.0-27-generic
  * Read 32 bytes at offset 0081b218:
    000002107e4d6f64756c65207369676e617475726520617070656e6465647e0a
  * Found signature marker - skipping 568 bytes
  * Read 32 bytes at offset 0081afe0:
    000000000000000000000000000000000000000000000000000000207a49504c
  * Success - Linux kernel trailer found

So I'm adjusting the tags accordingly ...
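
The trailer check described in the test plan and shown in the output above, as an added Python example; it is not the linked check_sb_trailer.sh and not code from s390-tools. The trailer bytes are taken from the hex dumps in this thread, the signature layout (12-byte descriptor with a big-endian length, then the marker) is the kernel's appended-signature format, and the names find_trailer and build_sample are made up for this example.

```python
"""Added example: find the s390 secure boot trailer in a boot image."""
import struct
import sys

# The 32-byte trailer exactly as dumped in this thread:
# 24 zero bytes, then 0x00000020, then the ASCII tag "zIPL".
TRAILER = bytes(24) + struct.pack(">I", 0x20) + b"zIPL"

# A signed kernel ends with: <signature> <12-byte descriptor> <marker>.
# The descriptor's last 4 bytes hold the signature length (big-endian).
SIG_MARKER = b"~Module signature appended~\n"
SIG_INFO_LEN = 12


def find_trailer(image: bytes) -> dict:
    """Return offset, skipped signature bytes and match result."""
    end = len(image)
    skipped = 0
    if image.endswith(SIG_MARKER):
        fixed = SIG_INFO_LEN + len(SIG_MARKER)
        if end < fixed:
            raise ValueError("signature marker without descriptor")
        len_at = end - len(SIG_MARKER) - 4
        (sig_len,) = struct.unpack(">I", image[len_at:len_at + 4])
        skipped = sig_len + fixed
        if skipped > end:
            raise ValueError("signature length exceeds file size")
        end -= skipped
    offset = max(end - len(TRAILER), 0)
    block = image[offset:end]
    return {"offset": offset, "skipped": skipped,
            "found": block == TRAILER, "hex": block.hex()}


def build_sample(body_len, sig_len=None, with_trailer=True) -> bytes:
    """Constructed test image: zero-filled body, trailer, optional signature."""
    image = bytes(body_len) + (TRAILER if with_trailer else bytes(len(TRAILER)))
    if sig_len is not None:
        info = bytes(8) + struct.pack(">I", sig_len)
        image += bytes(sig_len) + info + SIG_MARKER
    return image


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        # Constructed sample sized to reproduce the offsets quoted above.
        data = build_sample(0x81afe0, sig_len=0x210)
    res = find_trailer(data)
    if res["skipped"]:
        print(f"* Found signature marker - skipping {res['skipped']} bytes")
    print(f"* Read {len(res['hex']) // 2} bytes at offset {res['offset']:08x}:")
    print(f"  {res['hex']}")
    print("* Success - trailer found" if res["found"] else "* Failure - no trailer")
    sys.exit(0 if res["found"] else 1)
```

Run with a kernel image path as the only argument; the exit status is non-zero when the trailer is missing, so it can gate a build or packaging step.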

tags: added: verification-done verification-done-jammy verification-done-kinetic
bugproxy (bugproxy)
tags: added: targetmilestone-inin2004
removed: targetmilestone-inin---
tags: added: verification-done-focal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.23.0-0ubuntu1.1

---------------
s390-tools (2.23.0-0ubuntu1.1) kinetic; urgency=medium

  * d/p/lp1996069-zipl-boot-add-secure-boot-trailer.patch
    Add secure boot trailer in zipl stage 3 to keep compatibility with
    upcoming IBM zSystems firmware updates. (LP: #1996069)
  * Add d/p/lp1996477-dbginfo.sh-ensure-type-commands-compatible-with-dash.patch
    and d/p/lp1996477-dbginfo.sh-ensure-compatibility-with-bin-dash.patch
    to achieve dbginfo.sh compatibility with /bin/dash shell. (LP: #1996477)

 -- Frank Heimes <email address hidden> Wed, 16 Nov 2022 16:48:54 +0100

Changed in s390-tools (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools-signed - 2.23.0-0ubuntu1.1

---------------
s390-tools-signed (2.23.0-0ubuntu1.1) kinetic; urgency=medium

  * Rebuild against 2.23.0-0ubuntu1.1 (LP: #1996069, LP: #1996477)

 -- Frank Heimes <email address hidden> Wed, 16 Nov 2022 10:59:21 +0100

Changed in s390-tools-signed (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for s390-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Frank Heimes (fheimes)
Changed in s390-tools-signed (Ubuntu):
status: In Progress → Fix Committed
Changed in s390-tools (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.20.0-0ubuntu3.2

---------------
s390-tools (2.20.0-0ubuntu3.2) jammy; urgency=medium

  * Fix zipl segfaults when "parameters=" is missing (LP: #1974109) with:
    d/p/6ff8202f-zipl-Add-missing-check-for-a-nullpointer.patch
  * Add KVM Secure Execution Attestation Userspace Tool to enhance secure
    execution (hardware feature: FC 115) exploitation (LP: #1959987) with:
    d/p/38639269-libpv-New-library-for-PV-tools.patch
    d/p/3ab06d77-pvattest-Create-perform-and-verify-attestation-measu.patch
    d/p/26148740-pvattest-tools-Add-tool-for-attestation.patch
  * Fix re-enciphering of EP11 identity key of KMIP plugin (LP: #1990520) with:
    d/p/4e2ebe03-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch
  * Fix KMIP plugin fails to connection to KMIP server (LP: #1990524) with:
    d/p/6c5c5f7e-libseckey-Adapt-keymgmt_match-implementation-to-Open.patch
  * d/p/5768d55-zipl-boot-add-secure-boot-trailer.patch
    Add secure boot trailer in zipl stage 3 to keep compatibility with
    upcoming IBM zSystems firmware updates. (LP: #1996069)
  * Add d/p/92b8409-dbginfo.sh-ensure-type-commands-compatible-with-dash.patch
    and d/p/9f93af6-dbginfo.sh-ensure-compatibility-with-bin-dash.patch
    to achieve dbginfo.sh compatibility with /bin/dash shell. (LP: #1996477)

 -- Frank Heimes <email address hidden> Wed, 16 Nov 2022 18:14:00 +0200

Changed in s390-tools (Ubuntu Jammy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools-signed - 2.20.0-0ubuntu3.2

---------------
s390-tools-signed (2.20.0-0ubuntu3.2) jammy; urgency=medium

  * Rebuild against 2.20.0-0ubuntu3.2:
    LP: #1974109, LP: #1959987, LP: #1990520,
    LP: #1990524, LP: #1996069, LP: #1996477

 -- Frank Heimes <email address hidden> Wed, 16 Nov 2022 18:27:10 +0200

Changed in s390-tools-signed (Ubuntu Jammy):
status: Fix Committed → Fix Released
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2023-01-15 11:10 EDT-------
Fix is now available in focal, jammy and kinetic, therefore we can close this bug.
Thanks everyone for your work!

==> Changing the status to: CLOSED

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.12.0-0ubuntu3.7

---------------
s390-tools (2.12.0-0ubuntu3.7) focal; urgency=medium

  * d/p/lp1987387-zgetdump-Fix-device-node-determination-via-sysfs.patch
    Fix zgetdump can not handle multivolume dumps. (LP: #1987387)
  * d/p/lp1996069-zipl-boot-add-secure-boot-trailer.patch
    Add secure boot trailer in zipl stage 3 to keep compatibility with
    upcoming IBM zSystems firmware updates. (LP: #1996069)

 -- Frank Heimes <email address hidden> Fri, 11 Nov 2022 09:07:52 +0200

Changed in s390-tools (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools-signed - 2.12.0-0ubuntu3.7

---------------
s390-tools-signed (2.12.0-0ubuntu3.7) focal; urgency=medium

  * Rebuild against 2.12.0-0ubuntu3.7 (LP: #1987387, LP: #1996069)

 -- Frank Heimes <email address hidden> Thu, 25 Aug 2022 09:18:36 +0200

Changed in s390-tools-signed (Ubuntu Focal):
status: Fix Committed → Fix Released
Frank Heimes (fheimes) wrote :

I've set the development entry (lunar) for this ticket to Invalid,
since this will be addressed by a different ticket (update to latest s390-tools version, LP#2003284).

Changed in s390-tools-signed (Ubuntu):
status: Fix Committed → Invalid
Changed in s390-tools (Ubuntu):
status: Fix Committed → Invalid
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released