------- Comment From juergen.lobe...@ibm.com 2020-02-06 03:44 EDT-------
Retested with the secure entry moved to the menu section:

[defaultboot]
defaultmenu = menu

:menu
target = /boot
1 = ubuntu
2 = old
default = 1
prompt = 1
timeout = 10
secure=1
.
.

root@t35lp36:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu Focal Fossa (development branch)"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

root@t35lp36:~# uname -a
Linux t35lp36 5.4.0-12-generic #15-Ubuntu SMP Tue Jan 21 17:56:00 UTC 2020 s390x s390x s390x GNU/Linux

root@t35lp36:~# apt list s390-tools
Listing... Done
s390-tools/focal,now 2.12.0-0ubuntu1 s390x [installed]
root@t35lp36:~#

With the new placement of the "secure" keyword, secure boot works as
expected:

(1) IPL always possible with the "Enable secure boot for Linux" HMC checkbox
disabled for secure=1/0/auto. /sys/firmware/ipl/secure shows value 0 after IPL.

(2) IPL successful with the "Enable secure boot for Linux" HMC checkbox
enabled for secure=1/auto. /sys/firmware/ipl/secure shows value 1 after IPL.

(3) No IPL with the "Enable secure boot for Linux" checkbox enabled for
secure=0.
Console messages in this case:

Preparing system.
Starting system.
System version 8.
Watchdog enabled.
Running 'ZBootLoader' version '1.0.0' level 'D41C.D41C_0013'.
ZBootLoader 2.0.0.
MLOLOA6269050E Secure IPL: Execute entry does not point to the beginning of a signed component on device HBA=0.0.1900, WWPN=500507630B01C320, LUN=4050404700000000.
IPL failed.

But for the secure IPLs (2) the console shows about 1800 messages (or more)
that look like:

[    2.485469] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[    2.485471] Could not create tracefs 'available_events' entry

with occasional intersections like these:

[    2.487994] ------------[ cut here ]------------
[    2.487995] Could not register function stat for cpu 0
[    2.488004] WARNING: CPU: 0 PID: 1 at kernel/trace/ftrace.c:987 ftrace_init_tracefs_toplevel+0x160/0x1b8
[    2.488005] Modules linked in:
[    2.488007] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.4.0-12-generic #15-Ubuntu
[    2.488008] Hardware name: IBM 8561 T01 703 (LPAR)
[    2.488009] Krnl PSW : 0704f00180000000 00000000c886b0d0 (ftrace_init_tracefs_toplevel+0x160/0x1b8)
[    2.488011]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3
[    2.488013] Krnl GPRS: 000000000000000a 00000000c8794110 000000000000002a 0000000000000001
[    2.488014]            0000000000000f3b 000000007fe06000 0000000000000000 00000000c88fedb8
[    2.488015]            00000000c8958000 0000000000000000 00000000f1081e70 0000000000000000
[    2.488015]            00000000f093b300 00000000f19d2000 00000000c886b0cc 000003e00000bcd8
[    2.488020] Krnl Code: 00000000c886b0c0: c020ffeb5dd3        larl    %r2,00000000c85d6c66
                          00000000c886b0c6: c0e5ff9a87e5        brasl   %r14,00000000c7bbc090
                         #00000000c886b0cc: a7f40001            brc     15,00000000c886b0ce
                         >00000000c886b0d0: b904002a            lgr     %r2,%r10
                          00000000c886b0d4: eb6ff0a00004        lmg     %r6,%r15,160(%r15)
                          00000000c886b0da: c0f4ffabc9f3        brcl    15,00000000c7de44c0
                          00000000c886b0e0: b9040049            lgr     %r4,%r9
                          00000000c886b0e4: c060fff7d602        larl    %r6,00000000c8765ce8
[    2.488030] Call Trace:
[    2.488031] ([<00000000c886b0cc>] ftrace_init_tracefs_toplevel+0x15c/0x1b8)
[    2.488033]  [<00000000c886bb4e>] tracer_init_tracefs+0xae/0x200
[    2.488034]  [<00000000c7b448bc>] do_one_initcall+0x3c/0x200
[    2.488036]  [<00000000c8854090>] kernel_init_freeable+0x1f8/0x2a8
[    2.488038]  [<00000000c8429f32>] kernel_init+0x22/0x150
[    2.488040]  [<00000000c8433e4c>] ret_from_fork+0x28/0x30
[    2.488041]  [<00000000c8433e54>] kernel_thread_starter+0x0/0x10
[    2.488042] Last Breaking-Event-Address:
[    2.488043]  [<00000000c886b0cc>] ftrace_init_tracefs_toplevel+0x15c/0x1b8
[    2.488044] ---[ end trace c4f019b5774fd101 ]---

An example output of the dmesg command is added as an attachment.

Another issue is the wrong documentation of the zipl.conf syntax in the man
pages.
It is stated here that "secure" is a "configuration only" section keyword only:

.
.
secure = auto/1/0 (configuration only)

Configuration section:
Control the zIPL secure boot support.  Set this option to one of the following values:
.
.

As it works now it seems to be a "menu only" configuration keyword.

Also a question arises about the zipl -S parameter as it is described
now:

root@t35lp36:~# zipl --help
Usage: zipl [OPTIONS] [SECTION]

Prepare a device for initial program load. Use OPTIONS described below or
provide the name of a SECTION defined in the zIPL configuration file.
.
.
-S, --secure SWITCH             Control the zIPL secure boot support.
                                auto (default):
                                  Write signatures if available and supported
                                1: Write signatures regardless of support
                                0: Do not write signatures

With multiple menus in zipl.conf: how does zipl -S work?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1860531

Title:
  IPL on z15 always performed regardless of the secure-boot related
  settings

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1860531/+subscriptions
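
Added example, not part of the original comment or of s390-tools: a small shell triage of a dmesg capture from a secure IPL like case (2) above. It groups the repeated lockdown denials, counts the WARNING traces, and reads /sys/firmware/ipl/secure. The function names and the sample lines (including the 'set_event' entry) are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a dmesg capture from a secure IPL (constructed sample data).

# Constructed sample modelled on the messages quoted above; the 'set_event' line is invented.
sample_dmesg() {
cat <<'EOF'
[    2.485469] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[    2.485471] Could not create tracefs 'available_events' entry
[    2.485480] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[    2.485482] Could not create tracefs 'set_event' entry
[    2.487994] ------------[ cut here ]------------
[    2.487995] Could not register function stat for cpu 0
[    2.488004] WARNING: CPU: 0 PID: 1 at kernel/trace/ftrace.c:987 ftrace_init_tracefs_toplevel+0x160/0x1b8
[    2.488044] ---[ end trace c4f019b5774fd101 ]---
EOF
}

# Print "<count> <task>: <restricted feature>" per distinct lockdown denial (reads stdin).
lockdown_summary() {
    awk '
        / Lockdown: / && / is restricted/ {
            msg = $0
            sub(/^.* Lockdown: /, "", msg)      # drop timestamp and prefix
            sub(/ is restricted.*$/, "", msg)   # drop the trailing man page hint
            count[msg]++
        }
        END { for (m in count) printf "%d %s\n", count[m], m }
    ' | sort -rn
}

# Count kernel WARNING traces (the "cut here" blocks) in the capture (reads stdin).
warning_count() {
    awk '/ WARNING: CPU: /{ n++ } END { print n + 0 }'
}

# Report the secure-IPL flag; the optional path argument allows testing off-target.
ipl_secure_state() {
    f=${1:-/sys/firmware/ipl/secure}
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

echo "secure IPL flag: $(ipl_secure_state)"
sample_dmesg | lockdown_summary
echo "kernel warnings: $(sample_dmesg | warning_count)"
```

On a real system, pipe `dmesg` into lockdown_summary and warning_count instead of the constructed sample.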
