Comment 9 for bug 1860531

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-02-06 03:44 EDT-------
Retested with the secure entry moved to the menu section:

[defaultboot]
defaultmenu = menu

:menu
target = /boot
1 = ubuntu
2 = old
default = 1
prompt = 1
timeout = 10
secure=1
.
.

root@t35lp36:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu Focal Fossa (development branch)"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

root@t35lp36:~# uname -a
Linux t35lp36 5.4.0-12-generic #15-Ubuntu SMP Tue Jan 21 17:56:00 UTC 2020 s390x s390x s390x GNU/Linux

root@t35lp36:~# apt list s390-tools
Listing... Done
s390-tools/focal,now 2.12.0-0ubuntu1 s390x [installed]
root@t35lp36:~#

With the new placement of the "secure" keyword, secure boot works as expected:

(1) IPL always possible with the "Enable secure boot for Linux" HMC checkbox
disabled for secure=1/0/auto. /sys/firmware/ipl/secure shows value 0 after IPL.

(2) IPL successful with the "Enable secure boot for Linux" HMC checkbox
enabled for secure=1/auto. /sys/firmware/ipl/secure shows value 1 after IPL.

(3) No IPL with the "Enable secure boot for Linux" checkbox enabled for secure=0.
Console messages in this case

Preparing system.
Starting system.
System version 8.
Watchdog enabled.
Running 'ZBootLoader' version '1.0.0' level 'D41C.D41C_0013'.
ZBootLoader 2.0.0.
MLOLOA6269050E Secure IPL: Execute entry does not point to the beginning of a signed component on device HBA=0.0.1900, WWPN=500507630B01C320, LUN=4050404700000000.
IPL failed.

But for the secure IPLs (2) the console shows about 1800 messages (or more)
that look like:

[ 2.485469] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[ 2.485471] Could not create tracefs 'available_events' entry

with occasional interruptions like these:

[ 2.487994] ------------[ cut here ]------------
[ 2.487995] Could not register function stat for cpu 0
[ 2.488004] WARNING: CPU: 0 PID: 1 at kernel/trace/ftrace.c:987 ftrace_init_tracefs_toplevel+0x160/0x1b8
[ 2.488005] Modules linked in:
[ 2.488007] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.4.0-12-generic #15-Ubuntu
[ 2.488008] Hardware name: IBM 8561 T01 703 (LPAR)
[ 2.488009] Krnl PSW : 0704f00180000000 00000000c886b0d0 (ftrace_init_tracefs_toplevel+0x160/0x1b8)
[ 2.488011] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3
[ 2.488013] Krnl GPRS: 000000000000000a 00000000c8794110 000000000000002a 0000000000000001
[ 2.488014] 0000000000000f3b 000000007fe06000 0000000000000000 00000000c88fedb8
[ 2.488015] 00000000c8958000 0000000000000000 00000000f1081e70 0000000000000000
[ 2.488015] 00000000f093b300 00000000f19d2000 00000000c886b0cc 000003e00000bcd8
[ 2.488020] Krnl Code: 00000000c886b0c0: c020ffeb5dd3 larl %r2,00000000c85d6c66
00000000c886b0c6: c0e5ff9a87e5 brasl %r14,00000000c7bbc090
#00000000c886b0cc: a7f40001 brc 15,00000000c886b0ce
>00000000c886b0d0: b904002a lgr %r2,%r10
00000000c886b0d4: eb6ff0a00004 lmg %r6,%r15,160(%r15)
00000000c886b0da: c0f4ffabc9f3 brcl 15,00000000c7de44c0
00000000c886b0e0: b9040049 lgr %r4,%r9
00000000c886b0e4: c060fff7d602 larl %r6,00000000c8765ce8
[ 2.488030] Call Trace:
[ 2.488031] ([<00000000c886b0cc>] ftrace_init_tracefs_toplevel+0x15c/0x1b8)
[ 2.488033] [<00000000c886bb4e>] tracer_init_tracefs+0xae/0x200
[ 2.488034] [<00000000c7b448bc>] do_one_initcall+0x3c/0x200
[ 2.488036] [<00000000c8854090>] kernel_init_freeable+0x1f8/0x2a8
[ 2.488038] [<00000000c8429f32>] kernel_init+0x22/0x150
[ 2.488040] [<00000000c8433e4c>] ret_from_fork+0x28/0x30
[ 2.488041] [<00000000c8433e54>] kernel_thread_starter+0x0/0x10
[ 2.488042] Last Breaking-Event-Address:
[ 2.488043] [<00000000c886b0cc>] ftrace_init_tracefs_toplevel+0x15c/0x1b8
[ 2.488044] ---[ end trace c4f019b5774fd101 ]---

An example output of the dmesg command is added as an attachment.

Another issue is the incorrect documentation of the zipl.conf syntax in the man pages.
It is stated there that "secure" is a "configuration only" section keyword:

.
.
secure = auto/1/0 (configuration only)

Configuration section:
Control the zIPL secure boot support. Set this option to one of the following values:
.
.

As it works now, it seems to be a "menu only" configuration keyword.

A question also arises about the zipl -S parameter as it is currently described:

root@t35lp36:~# zipl --help
Usage: zipl [OPTIONS] [SECTION]

Prepare a device for initial program load. Use OPTIONS described below or
provide the name of a SECTION defined in the zIPL configuration file.
.
.
-S, --secure SWITCH Control the zIPL secure boot support.
auto (default):
Write signatures if available and supported
1: Write signatures regardless of support
0: Do not write signatures

With multiple menus in zipl.conf: how does zipl -S work?
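The comment above turns on two things a practitioner will want to check on their own LPAR: which zipl.conf section actually carries the "secure" keyword, and what /sys/firmware/ipl/secure reports after the IPL. The script below is an added example (not code from the bug report, from s390-tools or from Ubuntu) that parses a zipl.conf into its [defaultboot], :menu and [boot] sections, reports where "secure" is set, resolves the menu named by defaultmenu, and reads the sysfs attribute quoted in the comment. The zipl.conf grammar it implements is a deliberate simplification (`[name]` and `:name` open sections, `key = value` lines belong to the last opened section), the sample configuration is constructed to mirror the one quoted above with a filled-in boot section, and all function names are the example's own.

```python
"""Locate the 'secure' keyword in a zipl.conf and compare it with the
secure-IPL state the running kernel reports.

Added example, not code from the bug report or from s390-tools.
Assumed (simplified) zipl.conf grammar: '[name]' opens a boot section
or the 'defaultboot' section, ':name' opens a menu section, 'key = value'
lines belong to the most recently opened section, '#' starts a comment.
"""
import re
from pathlib import Path

# sysfs attribute quoted in the bug comment (1 = secure IPL, 0 = not)
IPL_SECURE_SYSFS = Path("/sys/firmware/ipl/secure")

# Constructed sample: the layout quoted in the bug comment, plus a
# hypothetical [ubuntu] boot section so the file parses as a whole.
SAMPLE_ZIPL_CONF = """\
[defaultboot]
defaultmenu = menu

:menu
target = /boot
1 = ubuntu
2 = old
default = 1
prompt = 1
timeout = 10
secure=1

[ubuntu]
target = /boot
image = /boot/vmlinuz
ramdisk = /boot/initrd.img
parameters = root=/dev/dasda1
"""

_SECTION_RE = re.compile(r"^\[(?P<boot>[^\]]+)\]$|^:(?P<menu>\S+)$")


def parse_zipl_conf(text):
    """Return a list of (kind, name, {key: value}); kind is
    'defaultboot', 'menu' or 'boot'. Keys are lower-cased and spaces
    around '=' ignored, so 'secure=1' and 'secure = 1' are the same."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            if m.group("menu"):
                kind, name = "menu", m.group("menu")
            else:
                name = m.group("boot")
                kind = "defaultboot" if name == "defaultboot" else "boot"
            current = (kind, name, {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[2][key.lower()] = value
    return sections


def secure_settings(text):
    """Map every section that sets 'secure' to (kind, value), so the
    reader can see at a glance whether it sits in [defaultboot], a
    ':menu' or a boot section."""
    return {name: (kind, opts["secure"])
            for kind, name, opts in parse_zipl_conf(text) if "secure" in opts}


def effective_menu_secure(text):
    """'secure' value in the menu that [defaultboot] points to via
    'defaultmenu', or None if that menu or the keyword is missing."""
    by_name = {name: (kind, opts) for kind, name, opts in parse_zipl_conf(text)}
    dflt = by_name.get("defaultboot")
    if not dflt:
        return None
    menu = by_name.get(dflt[1].get("defaultmenu", ""))
    if not menu or menu[0] != "menu":
        return None
    return menu[1].get("secure")


def read_ipl_secure(path=IPL_SECURE_SYSFS):
    """Integer from /sys/firmware/ipl/secure, or None when the attribute
    is absent (not an s390x host, or a kernel without it)."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    for name, (kind, value) in secure_settings(SAMPLE_ZIPL_CONF).items():
        print(f"'secure = {value}' is set in {kind} section '{name}'")
    print("default menu secure =", effective_menu_secure(SAMPLE_ZIPL_CONF))
    print("/sys/firmware/ipl/secure =", read_ipl_secure())
```

Run it against the real file with `parse_zipl_conf(Path("/etc/zipl.conf").read_text())`; as the comment reports, the sysfs value follows the HMC "Enable secure boot for Linux" checkbox rather than the configured keyword alone, so a configured `secure=1` with a reported 0 is the expected outcome when the checkbox is off, not a parsing error.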