[23.10 FEAT] Provide s390-tools on x86_64 to enable Secure Execution in the Cloud

Bug #2025578 reported by bugproxy
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners |
s390-tools (Ubuntu) | Fix Released | High | Frank Heimes |
s390-tools-signed (Ubuntu) | Fix Released | High | Frank Heimes |

Bug Description

Feature Description:

Selected tools from the s390-tools package need to be made available on x86_64.

This will enable the integration of IBM Z machines running Secure Execution in a cloud environment where users don't necessarily need to have an s390x environment.
genprotimg (for building secure images) and pvattest (for external attestation) are examples of these tools.
This feature requires structural changes to the s390-tools package, e.g. in the Makefile, and potential changes on the distributor side to reflect these changes in the package.

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2023-07-02 20:15 EDT-------
List of tools enabled for x86_64 use:

Binaries: genprotimg and pvattest.
Scripts: check_hostkeydoc (in the genprotimg/samples directory) and pvextract-hdr (in the pvattest/tools directory).

Over time we may want to have more programs in there (e.g. zipl, zgetdump), but for the time being we have tested only the ones mentioned above under x86_64.

tags: added: architecture-s39064 bugnameltc-201330 severity-high targetmilestone-inin2310
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
affects: linux (Ubuntu) → s390-tools (Ubuntu)
Changed in s390-tools-signed (Ubuntu):
importance: Undecided → High
Changed in s390-tools (Ubuntu):
importance: Undecided → High
Changed in ubuntu-z-systems:
importance: Undecided → High
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in s390-tools (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → nobody
Frank Heimes (fheimes)
description: updated
Frank Heimes (fheimes) wrote :

Even if the planned s390-tools target version for mantic is v2.28 (LP: #2025781), I took the chance and time to package v2.27 for mantic/23.10 as an interim release and to have a first package for amd64 (aka x86_64).

Attached are the debdiffs (s390-tools and s390-tools-signed, the latter one for s390x only, not for amd64).

Package test builds are available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2025578

Afaics the build for amd64 is currently limited to the pvattest tool (and supporting files), thus the amd64 package content, which seems to fit to the 2.27 info in the CHANGELOG.md:
# dpkg -c ../s390-tools_2.27.0-0ubuntu1_amd64.deb
drwxr-xr-x root/root 0 2023-07-04 19:18 ./
drwxr-xr-x root/root 0 2023-07-04 19:18 ./usr/
drwxr-xr-x root/root 0 2023-07-04 19:18 ./usr/bin/
-rwxr-xr-x root/root 115704 2023-07-04 19:18 ./usr/bin/pvattest
-rwxr-xr-x root/root 2731 2023-07-04 19:18 ./usr/bin/pvextract-hdr
drwxr-xr-x root/root 0 2023-07-04 19:18 ./usr/share/
drwxr-xr-x root/root 0 2023-07-04 19:18 ./usr/share/doc/
drwxr-xr-x root/root 0 2023-07-04 19:18 ./usr/share/doc/s390-tools/
-rw-r--r-- root/root 2423 2023-07-04 13:54 ./usr/share/doc/s390-tools/AUTHORS.md
-rw-r--r-- root/root 9458 2023-07-04 13:57 ./usr/share/doc/s390-tools/CHANGELOG.md.gz
-rw-r--r-- root/root 1055 2023-07-04 13:57 ./usr/share/doc/s390-tools/LICENSE
-rw-r--r-- root/root 7571 2023-07-04 13:57 ./usr/share/doc/s390-tools/README.md.gz
-rw-r--r-- root/root 6490 2023-07-04 19:18 ./usr/share/doc/s390-tools/changelog.Debian.gz
-rw-r--r-- root/root 1450 2023-07-04 13:56 ./usr/share/doc/s390-tools/copyright
drwxr-xr-x root/root 0 2023-07-04 19:18 ./usr/share/man/
drwxr-xr-x root/root 0 2023-07-04 19:18 ./usr/share/man/man1/
-rw-r--r-- root/root 1344 2023-07-04 19:18 ./usr/share/man/man1/pvattest-create.1.gz
-rw-r--r-- root/root 664 2023-07-04 19:18 ./usr/share/man/man1/pvattest-perform.1.gz
-rw-r--r-- root/root 931 2023-07-04 19:18 ./usr/share/man/man1/pvattest-verify.1.gz
-rw-r--r-- root/root 1259 2023-07-04 19:18 ./usr/share/man/man1/pvattest.1.gz
drwxr-xr-x root/root 0 2023-07-04 19:18 ./usr/share/s390-tools/
drwxr-xr-x root/root 0 2023-07-04 19:18 ./usr/share/s390-tools/pvattest/
-rw-r--r-- root/root 5594 2023-07-04 13:54 ./usr/share/s390-tools/pvattest/README.md
-rwxr-xr-x root/root 2427 2023-07-04 13:54 ./usr/share/s390-tools/pvattest/pvattest-info

@IBM Please have a look and check if the content is reasonable and like expected.

Changed in s390-tools-signed (Ubuntu):
status: New → In Progress
Changed in s390-tools (Ubuntu):
status: New → In Progress
Changed in ubuntu-z-systems:
status: New → In Progress
Changed in s390-tools (Ubuntu):
assignee: nobody → Frank Heimes (fheimes)
Changed in s390-tools-signed (Ubuntu):
assignee: nobody → Frank Heimes (fheimes)
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-07-05 03:40 EDT-------
> @IBM Please have a look and check if the content is reasonable and like
> expected.

The content is reasonable and like expected.
Installed it on an Ubuntu x86 VM; tools/mans are available and I can run/view them.

Frank Heimes (fheimes) wrote :

Ok, many thx for checking, Steffen!

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-07-05 06:25 EDT-------
genprotimg is missing - probably because the Makefile target is not yet enabled by default in the main Makefile. The question is, what should we do? And how can we proceed?

There was a suggestion from Canonical to package the genprotimg bootloader in a noarch package [1] - so that's (probably) only a packaging issue. The noarch package approach would be very similar to how the QEMU s390-ccw BIOS is packaged on Ubuntu. The QEMU BIOS lives in the architecture-neutral qemu-system-data package (FYI, there is an open issue regarding the debuginfo for the QEMU BIOS [2]).

So run these commands in order to cross-compile genprotimg on x86:

pushd "$S390_TOOLS"
pushd genprotimg
pushd boot
make -j HOST_ARCH=s390x CROSS_COMPILE=s390x-linux-gnu-
popd
pushd src
make -j
popd
make install -j
popd
popd

[1] https://github.com/ibm-s390-linux/s390-tools/discussions/150#discussioncomment-5977825
[2] https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/2020624
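
An added example, not part of the bug thread or of s390-tools: a shell check that reads a `dpkg -c` listing and reports which of the tools named earlier in the thread as enabled for x86_64 have no file entry. It matches by file name only; the function name, variable names and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a `dpkg -c` listing with the tools the thread
# expects in a non-s390x s390-tools package.

# Tools named in the thread as enabled for x86_64. Matched by file name only,
# because the page does not give install paths for all of them (assumption).
EXPECTED_TOOLS="genprotimg pvattest check_hostkeydoc pvextract-hdr"

# missing_tools: read `dpkg -c` output on stdin and print, space separated,
# every expected tool that has no regular-file entry in the listing.
missing_tools() {
    awk -v want="$EXPECTED_TOOLS" '
        # Regular files have "-" as first mode character; last field is the path.
        /^-/ { n = split($NF, parts, "/"); seen[parts[n]] = 1 }
        END {
            m = split(want, w, " ")
            out = ""
            for (i = 1; i <= m; i++)
                if (!(w[i] in seen))
                    out = out (out == "" ? "" : " ") w[i]
            print out
        }'
}

# Constructed sample: three lines taken from the 2.27.0 amd64 listing above.
SAMPLE_LISTING='drwxr-xr-x root/root 0 2023-07-04 19:18 ./usr/bin/
-rwxr-xr-x root/root 115704 2023-07-04 19:18 ./usr/bin/pvattest
-rwxr-xr-x root/root 2731 2023-07-04 19:18 ./usr/bin/pvextract-hdr'

# Prints the expected tools that the sample listing does not contain.
printf '%s\n' "$SAMPLE_LISTING" | missing_tools
```

Against a real package, pipe `dpkg -c <file>.deb` into `missing_tools`; an empty line means every expected tool is present.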

Frank Heimes (fheimes) wrote :

Well, initially I also had in mind that pvattest AND genprotimg will be the tools that end up in an amd64 package (and in my 2st attempt I tried to incl. them), but then noticed (on a local build on amd64) that only pvattest is built, hence I removed genprotimg again.

So this is just a draft/test, since 2.27 is not the planned version for mantic - but 2.28 is.
So could the Makefile in 2.28 be enabled to build genprotimg also for amd64?
And btw. back to the (early) discussion upstream, should it be built for arm64 too - or is amd64 sufficient?

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-07-05 07:17 EDT-------
(In reply to comment #17)
[...]
> And btw. back to the (early) discussion upstream, should it be built for
> arm64 too - or is amd64 sufficient?

We don't have an ARM environment, so at this point in time we can't guarantee it would be working there.

Frank Heimes (fheimes)
information type: Private → Public
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-07-14 10:13 EDT-------
As of commit https://github.com/ibm-s390-linux/s390-tools/commit/de013d2f04b32b3b456877ad44a7158be695437b, genprotimg is also built on architectures other than s390x (note: the bootloaders are skipped - they need to be built with a cross-compiler or on a s390x system).

$ # Build and install /usr/bin/genprotimg
$ make -C genprotimg
$ make install -C genprotimg

$ # Build and install the genprotimg bootloaders using a cross-compiler or on a s390x system
$ make -C genprotimg/boot HOST_ARCH=s390x CROSS_COMPILE=s390x-linux-gnu-
$ make install -C genprotimg/boot HOST_ARCH=s390x CROSS_COMPILE=s390x-linux-gnu-

See https://github.com/ibm-s390-linux/s390-tools/discussions/150#discussioncomment-6371525 for details.

Frank Heimes (fheimes) wrote :

Yeah, that's the commit as it is in v2.28 right?
I've created a PPA with that version and packages for amd64, arm64 and ppc64el that incl. the pvattest and genprotimg tools themselves:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2020469/+packages

Are the genprotimg bootloaders mandatory or is it for now sufficient to have the tool itself incl.?

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-07-14 11:19 EDT-------
Yep, the commit has landed in v2.28.

The genprotimg bootloaders are mandatory for building a Secure Execution boot image. There were discussions whether they can be packaged in a new .noarch.rpm / _all.deb package - see https://github.com/ibm-s390-linux/s390-tools/discussions/150#discussioncomment-5977825. Not sure what's the best way...

Frank Heimes (fheimes) wrote :

So I re-did the work on providing now also packages for non-s390x architectures,
based on feedback from @xnox and @schopin
and incl. an add. upstream commit as patch to avoid random build issues (thx to @mhartmay).

The re-worked packages build fine locally on s390x and amd64 and in PPA - builds are available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2025578

I also did installation and upgrade tests, that led to some further tweaks needed (Breaks and Replace, postinst now s390x specific etc.), but all that is included, too.

I'm attaching here the two debdiffs (for s390-tools and s390-tools-signed).

Simon Chopin (schopin) wrote :

Uploaded :)

Changed in s390-tools (Ubuntu):
status: In Progress → Fix Committed
Changed in s390-tools-signed (Ubuntu):
status: In Progress → Fix Committed
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools-signed - 2.28.0-0ubuntu2

---------------
s390-tools-signed (2.28.0-0ubuntu2) mantic; urgency=medium

  * Rebuild against 2.26.0-0ubuntu2 (LP: #2025578)

 -- Frank Heimes <email address hidden> Wed, 26 Jul 2023 18:38:38 +0200

Changed in s390-tools-signed (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.28.0-0ubuntu2

---------------
s390-tools (2.28.0-0ubuntu2) mantic; urgency=medium

  * Extend s390-tools package to amd64, ppc64el and arm64. (LP: #2025578)
    - d/control: - Extend Architecture: in s390-tools with amd64 ppc64el arm64
                 - Add new package s390-tools-data as 'Architecture: all'.
                 - Extend Depends: in s390-tools with s390-tools-data.
                 - Limit Depends on gcc-multilib to s390x.
                 - Add 'XS-Build-Indep-Architecture: s390x' to ensure building
                   the 'Architecture: all' on s390x.
                 - Mark Depends, Suggests and Recommends for s390x only where
                   needed to avoid confusing messages on non-s390x installs.
                 - Add Replaces and Breaks s390-tools (<< 2.28.0-0ubuntu2)
                   to allow smooth upgrades, since stage3a.bin moved to -data.
    - d/rules: - Separate selected statements in d/rules in s390x
                 (and non-s390x).
               - Add '-Xstage3a.bin -Xstage3b_reloc.bin' to dh_install
                 to avoid having these files in two packages (s390-tools
                 and s390-tools-data).
               - Change SIGN_SIPL condition to enable signing in Launchpad
                 only, and on s390x only.
    - d/s390-tools.install: - Make this old d/s390-tools.install the new s390x
                              specific version (.install.s390x) (by using mv).
                            - Remove lines with "=>" that rename files, to
                              eliminate executable .install.s390x file and
                              remove '#!/usr/bin/dh-exec', since this doesn't
                              seem to work for arch specific install files.
                            - Create new d/s390-tools.install to become the
                              default version for non-s390x, and install only
                              files for pvattest and genprotimg.
    - d/s390-tools-data.install: Pick and install bootloader files (stage3a.bin
                                 and stage3b_reloc.bin) required by genprotimg.
    - d/s390-tools.postinst: Make this old d/s390-tools.postinst now s390x
                             specific (mv to d/s390-tools.postinst.s390x).
    - Add d/p/lp-2025578-Recursive-Makefiles-avoid-race-condition.patch
      to fix random build failures due to race condition in install target.

 -- Frank Heimes <email address hidden> Wed, 26 Jul 2023 16:56:00 +0200

Changed in s390-tools (Ubuntu):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released