Hi Timo, I am sorry, I forgot to copy my notes of the SRU justification from my draft doc to this LP bug - when I was in a hurry and leaving for vacation. The SRU template can now be found (filled out) in the bug description ...
** Description changed: + SRU Justification: + + [ Impact ] + + * Starting with Ubuntu Server 25.04 genprotimg (part of s390-tools 2.37.0) + fails with: + "error: Cannot read stage3a at /usr/share/s390-tools/pvimg/stage3a.bin" + + * However, the needed file is located /usr/share/s390-tools/pvimg/boot, + so just in the wrong folder. + The genprotimg tool expects them 'one up' in /usr/share/s390-tools/pvimg, + the same folder where the genprotimg tool itself is located in. + + * Prior to 25.04 the Makefile build and placed the stage3*.bin files at + /usr/share/s390-tools/pvimg/ and the debian helper installed it in the + same folder. + + * With s390-tools 2.37.0 the Makefile builds them in + /usr/share/s390-tools/pvimg/boot + hence installing them there (in the same folder) is no longer correct. + + * The solution is simply to move them again one up + (or let's better say: explicitly install them to the correct folder) + using/modifying d/s390-tools-data.install. + + [ Test Plan ] + + * An Ubuntu Server 25.04 installation with s390-tools installed is + required. + + * A (dummy) host key is needed - which can be for example obtained by IBM. + Here assuming it's named HKD.crt and placed in the user's home directory. + + * On a system without the package modification (that is discussed here), + means with having the stage3* files in /usr/share/s390-tools/pvimg/boot), + the genprotimg tool will fail with the the error that was reported: + $ genprotimg --kernel /boot/vmlinuz-$(uname -r) --output se.img -k ~/HKD.crt --no-verify + Host-key document verification is disabled. \ + The Secure Execution image may not be protected. 
+ error: Cannot read stage3a at `/usr/share/s390-tools/pvimg/stage3a.bin` + + * However, on a system with the updated package installed, + means with having the stage3* files in /usr/share/s390-tools/pvimg), + the genprotimg tool will successfully work: + $ genprotimg --kernel /boot/-$(uname -r) --output se.img -k ~/HKD.crt --no-verify + Host-key document verification is disabled. \ + The Secure Execution image may not be protected. + Successfully generated the Secure Execution image. + + * This is a step of the creation of secure execution images for s390x + (confidential computing). + The entire end-to-end setup for secure execution is described here + in more detail, also uses Ubuntu Server as an example: + https://www.ibm.com/docs/en/linuxonibm/pdf/lx24se04.pdf + (esp. genprotimg, page 60ff) + + [ Where problems could occur ] + + * The s390-tools code itself was not touched, + just the packaging meta data d/s390-tools-data.install file. + + * Since this issue is in plucky only, an interim release, + but the vast majority of secure execution use cases is on LTS releases, + not many users will be affected. + + * And if a user is affected, the obvious solution/workaround is to + either copy or link the needed, files, + so that they can be found by genprotimg. + And that is exactly what the modification here does. + + * However, regressions and issues could have been introduced: + in case the syntax in the d/s390-tools-data.install file is wrong, + or it has wrong permissions + or is not properly recognized and/or evaluated (for whatever reason) + in the Debian package build process. + To mitigate this a test build in PPA was done. + + * Since the files were always in the same folder than the genprotimg tool, + they should also be there in plucky. + + [ Other Info ] + + * The modification has already landed in questing. + + * With that, other than plucky, no other Ubuntu release is affected. 
+ __________ + ---Problem Description--- On Ubuntu 25.04 genprotimg fails with error: Cannot read stage3a at /usr/share/s390-tools/pvimg/stage3a.bin The file is located /usr/share/s390-tools/pvimg/boot however - - Machine Type = n/a - + + Machine Type = n/a + ---Debugger--- A debugger is not configured - - + ---Steps to Reproduce--- - install s390-tools, try to use genprotimg - + install s390-tools, try to use genprotimg + ---uname output--- n/a - Userspace rpm: s390-tools - - Userspace tool common name: genprotimg + Userspace rpm: s390-tools - Userspace tool obtained from project website: na - - The userspace tool has the following bit modes: both - + Userspace tool common name: genprotimg + + Userspace tool obtained from project website: na + + The userspace tool has the following bit modes: both + *Additional Instructions for [email protected]: -Attach ltrace and strace of userspace application. - == Comment by <[email protected]> ========= The issue is with the packager, see https://git.launchpad.net/ubuntu/+source/s390-tools/tree/debian/s390-tools- data.install?h=ubuntu/plucky Instead of what is expected '.../pvimg/', Ubuntu installs the file to the path '.../pvimg/boot/'. So the s390-tools-data.install file needs to be changed from ``` rust/pvimg/boot/stage3a.bin usr/share/s390-tools/pvimg/boot/ rust/pvimg/boot/stage3b_reloc.bin usr/share/s390-tools/pvimg/boot/ ``` to ``` rust/pvimg/boot/stage3a.bin usr/share/s390-tools/pvimg/ rust/pvimg/boot/stage3b_reloc.bin usr/share/s390-tools/pvimg/ ``` FYI, I've already talked to Frank.
https://bugs.launchpad.net/bugs/2118762
Title: [UBUNTU 25.04] genprotimg fails on Ubuntu 25.04
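Review bot: In the added [ Test Plan ], the success-case command reads `--kernel /boot/-$(uname -r)`, while the failure-case command a few lines earlier uses `/boot/vmlinuz-$(uname -r)`. The kernel image name appears to have been dropped from the second command, so anyone copying it will not be passing the same kernel path as in the first run; it should read `/boot/vmlinuz-$(uname -r)` so that both runs differ only in the installed package. Both commands also pass `--no-verify`, and the quoted output itself says host-key document verification is disabled and the image may not be protected, so the plan should state that this flag is used only because the host key is a dummy. Finally, the plan could add an explicit check that `stage3a.bin` and `stage3b_reloc.bin` are present in /usr/share/s390-tools/pvimg after the upgrade, since [ Where problems could occur ] names a wrong or unrecognised d/s390-tools-data.install entry as the main regression risk.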
