Comment 2 for bug 1860531

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-01-22 05:29 EDT-------
addl. description:
"Operating system messages" output

Test on a z15 LPAR: Checking the combinations of the /etc/zipl.conf "secure" keyword and the HMC "Enable Secure Boot for Linux" option on the HMC SCSI load panel.

Result: the system always performs a successful IPL regardless of the
settings of the zipl.conf "secure" keyword and the HMC "Enable Secure Boot
for Linux" option.

Problem: No IPL should be performed for the combination of "secure=0" in /etc/zipl.conf and the selection of "Enable Secure Boot for Linux" option in the HMC SCSI load panel.

Scenario
--------

root@t35lp36:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu Focal Fossa (development branch)"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

root@t35lp36:~# uname -a
Linux t35lp36 5.4.0-9-generic #12-Ubuntu SMP Mon Dec 16 22:31:38 UTC 2019 s390x s390x s390x GNU/Linux

Setting secure=0 in /etc/zipl.conf

root@t35lp36:~# cat /etc/zipl.conf
[defaultboot]
defaultmenu = menu
secure=0

:menu
target = /boot
1 = ubuntu
2 = old
default = 1
prompt = 1
timeout = 10

[ubuntu]
target = /boot
image = /boot/vmlinuz
ramdisk = /boot/initrd.img
parameters = root=UUID=dc6b7633-49f0-4095-8c35-678cbc212ca5 crashkernel=196M

[old]
target = /boot
image = /boot/vmlinuz.old
ramdisk = /boot/initrd.img.old
parameters = root=UUID=dc6b7633-49f0-4095-8c35-678cbc212ca5 crashkernel=196M
optional = 1

root@t35lp36:~# zipl -V
Using config file '/etc/zipl.conf'
Run /lib/s390-tools/zipl_helper.device-mapper /boot
Target device information
Device..........................: fd:00 *)
Partition.......................: fd:01
Device name.....................: dm-0
Device driver name..............: device-mapper
Type............................: disk partition
Disk layout.....................: SCSI disk layout *)
Geometry - start................: 2048 *)
File system block size..........: 4096
Physical block size.............: 512 *)
Device size in physical blocks..: 37746688
*) Data provided by script.
Building bootmap in '/boot'
Building menu 'menu'
Adding #1: IPL section 'ubuntu' (default)
initial ramdisk...: /boot/initrd.img
signature for.....: /lib/s390-tools/stage3.bin
kernel image......: /boot/vmlinuz
signature for.....: /boot/vmlinuz
kernel parmline...: 'root=UUID=dc6b7633-49f0-4095-8c35-678cbc212ca5 crashkernel=196M'
component address:
heap area.......: 0x00002000-0x00005fff
stack area......: 0x0000f000-0x0000ffff
internal loader.: 0x0000a000-0x0000dfff
parameters......: 0x00009000-0x000091ff
kernel image....: 0x00010000-0x007d7fff
parmline........: 0x007d9000-0x007d91ff
initial ramdisk.: 0x007e0000-0x01a73bff
Adding #2: IPL section 'old'
initial ramdisk...: /boot/initrd.img.old
signature for.....: /lib/s390-tools/stage3.bin
kernel image......: /boot/vmlinuz.old
signature for.....: /boot/vmlinuz.old
kernel parmline...: 'root=UUID=dc6b7633-49f0-4095-8c35-678cbc212ca5 crashkernel=196M'
component address:
heap area.......: 0x00002000-0x00005fff
stack area......: 0x0000f000-0x0000ffff
internal loader.: 0x0000a000-0x0000dfff
parameters......: 0x00009000-0x000091ff
kernel image....: 0x00010000-0x007d7fff
parmline........: 0x007d9000-0x007d91ff
initial ramdisk.: 0x007e0000-0x01a73bff
Preparing boot device: dm-0.
Detected SCSI PCBIOS disk layout.
Writing SCSI master boot record.
Syncing disks...
Done.
root@t35lp36:~#

Then the system was shut down and a new IPL was triggered from the HMC SCSI load panel. The system IPL'd successfully.

Excerpt from the "Operating System Messages" output:

Preparing system.
Starting system.
System version 8.
Watchdog enabled.
Running 'ZBootLoader' version '1.0.0' level 'D41C.D41C_0013'.
ZBootLoader 2.0.0.
OK00000000 Success
[ 0.317598] Linux version 5.4.0-9-generic (buildd@bos02-s390x-011) (gcc versi
on 9.2.1 20191130 (Ubuntu 9.2.1-21ubuntu1)) #12-Ubuntu SMP Mon Dec 16 22:31:38 U
TC 2019 (Ubuntu 5.4.0-9.12-generic 5.4.3)
[ 0.317600] setup.6bac7a: Linux is running natively in 64-bit mode
[ 0.317601] setup.433296: Linux is running with Secure-IPL enabled
[ 0.317602] setup.6482e5: The IPL report contains the following components:
[ 0.317603] setup.4da44b: 0000000000002000 - 0000000000006000 (not signed)
[ 0.317605] setup.4da44b: 000000000000f000 - 0000000000010000 (not signed)
[ 0.317606] setup.4da44b: 000000000000a000 - 000000000000e000 (signed, verified)
[ 0.317607] setup.4da44b: 0000000000009000 - 0000000000009200 (not signed)
[ 0.317608] setup.4da44b: 0000000000010000 - 00000000007d8000 (signed, verified)
[ 0.317609] setup.4da44b: 00000000007d9000 - 00000000007d9200 (not signed)
[ 0.317610] setup.4da44b: 00000000007e0000 - 0000000001a73c00 (not signed)
[ 0.317611] Kernel is locked down from Secure IPL; see man kernel_lockdown.7
[ 0.317624] setup.b050d0: The maximum memory size is 4096MB
[ 0.317627] setup.dae2e8: Reserving 196MB of memory at 3900MB for crashkernel (System RAM: 3900MB)
.
.

The full console log is added as an attachment.

When the system IPL had finished, the secure-boot related flags in sysfs had the following settings:

root@t35lp36:~# cat /sys/firmware/ipl/has_secure
1
root@t35lp36:~# cat /sys/firmware/ipl/secure
1

------- Comment From <email address hidden> 2020-01-22 05:30 EDT-------
Solution:
As can be seen from the zipl output, secure boot signatures have been written despite secure=0, so successful IPL is expected. This boils down to the secure=0 setting not being recognized by zipl.

This is likely fixed with upstream commit https://github.com/ibm-s390-tools/s390-tools/commit/6f9337d1016e00f360cf4a81d39a42df5184b3a2

Which needs to be added on top of s390-tools 2.12 which will be integrated into 20.04.
And also applied to 2.11 for Ubuntu 19.10...
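
The mismatch described in the two comments above can be checked mechanically. The following is an added example, not part of the bug report or of s390-tools: it reads the "secure" keyword from the [defaultboot] section of a zipl.conf and flags a `zipl -V` log that still lists "signature for" lines when secure=0. The function names, the sample files and the shape of the log without signature lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): detect a zipl run that wrote
# secure-boot signatures although zipl.conf sets secure=0.

# Print the "secure" value from [defaultboot] of a zipl.conf on stdin.
conf_secure() {
    awk '
        /^[ \t]*\[/ { in_default = ($0 ~ /^[ \t]*\[defaultboot\]/); next }
        /^[ \t]*:/  { in_default = 0; next }
        in_default && /^[ \t]*secure[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }'
}

# Count "signature for" lines in `zipl -V` output on stdin.
signature_count() {
    grep -c 'signature for' || true
}

# check_zipl_secure CONF_FILE ZIPL_LOG: status 1 when secure=0 was ignored.
check_zipl_secure() {
    secure=$(conf_secure < "$1")
    sigs=$(signature_count < "$2")
    if [ "$secure" = "0" ] && [ "$sigs" -gt 0 ]; then
        echo "MISMATCH: secure=0 but zipl wrote $sigs signature(s)"
        return 1
    fi
    echo "OK: secure=${secure:-unset}, signatures=$sigs"
}

# Constructed sample input, modelled on the output quoted in the report.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '[defaultboot]' 'defaultmenu = menu' 'secure=0' '' \
    '[ubuntu]' 'target = /boot' 'image = /boot/vmlinuz' \
    > "$SAMPLE_DIR/zipl.conf"
printf '%s\n' "Adding #1: IPL section 'ubuntu' (default)" \
    'signature for.....: /lib/s390-tools/stage3.bin' \
    'kernel image......: /boot/vmlinuz' \
    'signature for.....: /boot/vmlinuz' > "$SAMPLE_DIR/zipl-buggy.log"
# Assumed shape of a log where secure=0 is honored: no signature lines.
printf '%s\n' "Adding #1: IPL section 'ubuntu' (default)" \
    'kernel image......: /boot/vmlinuz' > "$SAMPLE_DIR/zipl-fixed.log"

check_zipl_secure "$SAMPLE_DIR/zipl.conf" "$SAMPLE_DIR/zipl-buggy.log" || true
check_zipl_secure "$SAMPLE_DIR/zipl.conf" "$SAMPLE_DIR/zipl-fixed.log"
```

On a real system the two arguments would be /etc/zipl.conf and a saved copy of the `zipl -V` output.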