------- Comment From heinz-werner_se...@de.ibm.com 2020-01-22 05:29 EDT-------
addl. description: "Operating system messages" output

Test on a z15 LPAR:
Checking the combinations of the /etc/zipl.conf "secure" keyword and the HMC "Enable Secure Boot for Linux" option on the HMC SCSI load panel.

Result: the system always performs a successful IPL regardless of the settings of the zipl.conf "secure" keyword and the HMC "Enable Secure Boot for Linux" option.

Problem: No IPL should be performed for the combination of "secure=0" in /etc/zipl.conf and the selection of "Enable Secure Boot for Linux" option in the HMC SCSI load panel.

Scenario
--------

root@t35lp36:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu Focal Fossa (development branch)"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

root@t35lp36:~# uname -a
Linux t35lp36 5.4.0-9-generic #12-Ubuntu SMP Mon Dec 16 22:31:38 UTC 2019 s390x s390x s390x GNU/Linux

Setting secure=0 in /etc/zipl.conf

root@t35lp36:~# cat /etc/zipl.conf
[defaultboot]
defaultmenu = menu
secure=0

:menu
target = /boot
1 = ubuntu
2 = old
default = 1
prompt = 1
timeout = 10

[ubuntu]
target = /boot
image = /boot/vmlinuz
ramdisk = /boot/initrd.img
parameters = root=UUID=dc6b7633-49f0-4095-8c35-678cbc212ca5 crashkernel=196M

[old]
target = /boot
image = /boot/vmlinuz.old
ramdisk = /boot/initrd.img.old
parameters = root=UUID=dc6b7633-49f0-4095-8c35-678cbc212ca5 crashkernel=196M
optional = 1

root@t35lp36:~# zipl -V
Using config file '/etc/zipl.conf'
Run /lib/s390-tools/zipl_helper.device-mapper /boot
Target device information
  Device..........................: fd:00 *)
  Partition.......................: fd:01
  Device name.....................: dm-0
  Device driver name..............: device-mapper
  Type............................: disk partition
  Disk layout.....................: SCSI disk layout *)
  Geometry - start................: 2048 *)
  File system block size..........: 4096
  Physical block size.............: 512 *)
  Device size in physical blocks..: 37746688
  *) Data provided by script.
Building bootmap in '/boot'
Building menu 'menu'
Adding #1: IPL section 'ubuntu' (default)
  initial ramdisk...: /boot/initrd.img
  signature for.....: /lib/s390-tools/stage3.bin
  kernel image......: /boot/vmlinuz
  signature for.....: /boot/vmlinuz
  kernel parmline...: 'root=UUID=dc6b7633-49f0-4095-8c35-678cbc212ca5 crashkernel=196M'
  component address:
    heap area.......: 0x00002000-0x00005fff
    stack area......: 0x0000f000-0x0000ffff
    internal loader.: 0x0000a000-0x0000dfff
    parameters......: 0x00009000-0x000091ff
    kernel image....: 0x00010000-0x007d7fff
    parmline........: 0x007d9000-0x007d91ff
    initial ramdisk.: 0x007e0000-0x01a73bff
Adding #2: IPL section 'old'
  initial ramdisk...: /boot/initrd.img.old
  signature for.....: /lib/s390-tools/stage3.bin
  kernel image......: /boot/vmlinuz.old
  signature for.....: /boot/vmlinuz.old
  kernel parmline...: 'root=UUID=dc6b7633-49f0-4095-8c35-678cbc212ca5 crashkernel=196M'
  component address:
    heap area.......: 0x00002000-0x00005fff
    stack area......: 0x0000f000-0x0000ffff
    internal loader.: 0x0000a000-0x0000dfff
    parameters......: 0x00009000-0x000091ff
    kernel image....: 0x00010000-0x007d7fff
    parmline........: 0x007d9000-0x007d91ff
    initial ramdisk.: 0x007e0000-0x01a73bff
Preparing boot device: dm-0.
Detected SCSI PCBIOS disk layout.
Writing SCSI master boot record.
Syncing disks...
Done.
root@t35lp36:~#

Then the system was shut down and a new IPL was triggered from the HMC SCSI load panel. The system IPL'd successfully.

Excerpt from the "Operating System Messages" output:

Preparing system.
Starting system.
System version 8.
Watchdog enabled.
Running 'ZBootLoader' version '1.0.0' level 'D41C.D41C_0013'.
ZBootLoader 2.0.0.
OK00000000 Success
[ 0.317598] Linux version 5.4.0-9-generic (buildd@bos02-s390x-011) (gcc versi
on 9.2.1 20191130 (Ubuntu 9.2.1-21ubuntu1)) #12-Ubuntu SMP Mon Dec 16 22:31:38 U
TC 2019 (Ubuntu 5.4.0-9.12-generic 5.4.3)
[ 0.317600] setup.6bac7a: Linux is running natively in 64-bit mode
[ 0.317601] setup.433296: Linux is running with Secure-IPL enabled
[ 0.317602] setup.6482e5: The IPL report contains the following components:
[ 0.317603] setup.4da44b: 0000000000002000 - 0000000000006000 (not signed)
[ 0.317605] setup.4da44b: 000000000000f000 - 0000000000010000 (not signed)
[ 0.317606] setup.4da44b: 000000000000a000 - 000000000000e000 (signed, verified)
[ 0.317607] setup.4da44b: 0000000000009000 - 0000000000009200 (not signed)
[ 0.317608] setup.4da44b: 0000000000010000 - 00000000007d8000 (signed, verified)
[ 0.317609] setup.4da44b: 00000000007d9000 - 00000000007d9200 (not signed)
[ 0.317610] setup.4da44b: 00000000007e0000 - 0000000001a73c00 (not signed)
[ 0.317611] Kernel is locked down from Secure IPL; see man kernel_lockdown.7
[ 0.317624] setup.b050d0: The maximum memory size is 4096MB
[ 0.317627] setup.dae2e8: Reserving 196MB of memory at 3900MB for crashkernel (System RAM: 3900MB)
.
.

The full console log is added as an attachment.

When the system IPL had finished, the secure-boot related flags in sysfs had the following settings:

root@t35lp36:~# cat /sys/firmware/ipl/has_secure
1
root@t35lp36:~# cat /sys/firmware/ipl/secure
1

------- Comment From heinz-werner_se...@de.ibm.com 2020-01-22 05:30 EDT-------
Solution:
As can be seen from the zipl output, secure boot signatures have been written despite secure=0, so successful IPL is expected. This boils down to the secure=0 setting not being recognized by zipl.

This is likely fixed with upstream commit
https://github.com/ibm-s390-tools/s390-tools/commit/6f9337d1016e00f360cf4a81d39a42df5184b3a2
which needs to be added on top of s390-tools 2.12, which will be integrated into 20.04.
And also applied to 2.11 for Ubuntu 19.10...

--
https://bugs.launchpad.net/bugs/1860531

Title:
  IPL on z15 always performed regardless of the secure-boot related settings
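
An added example, not part of the bug report or of s390-tools: a Python check for the mismatch described above, where `secure=0` is set in `[defaultboot]` of /etc/zipl.conf but the `zipl -V` output still lists `signature for` lines. The sample inputs are constructed (abridged from the report) and the function names are hypothetical.

```python
import re

# Constructed samples, abridged from the report's zipl.conf and `zipl -V` output.
ZIPL_CONF = """\
[defaultboot]
defaultmenu = menu
secure=0
:menu
target = /boot
1 = ubuntu
[ubuntu]
image = /boot/vmlinuz
"""
ZIPL_VERBOSE = """\
Adding #1: IPL section 'ubuntu' (default)
  initial ramdisk...: /boot/initrd.img
  signature for.....: /lib/s390-tools/stage3.bin
  kernel image......: /boot/vmlinuz
  signature for.....: /boot/vmlinuz
"""


def defaultboot_secure(conf_text):
    """Return the 'secure' value set in [defaultboot], or None if absent."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("[", ":")):
            # "[name]" opens a section, ":name" opens a menu block.
            section = line.strip("[]")
        elif section == "defaultboot" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "secure":
                return value
    return None


def signed_files(zipl_verbose):
    """List the files for which zipl reported writing a signature."""
    return re.findall(r"^\s*signature for\.*:\s*(\S+)", zipl_verbose, re.M)


def secure_setting_ignored(conf_text, zipl_verbose):
    """True when secure=0 is configured but zipl still wrote signatures."""
    return defaultboot_secure(conf_text) == "0" and bool(signed_files(zipl_verbose))
```

On a live system the two inputs would be the contents of /etc/zipl.conf and the captured output of `zipl -V`; a True result matches the behaviour reported in this bug.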