------- Comment From Grgo.Mariani@ibm.com 2024-06-12 04:31 EDT-------
We installed from ppa:canonical-kernel-team/unstable:
# cat /etc/os-release
PRETTY_NAME="Ubuntu Oracular Oriole (development branch)"
NAME="Ubuntu"
VERSION_ID="24.10"
VERSION="24.10 (Oracular Oriole)"
VERSION_CODENAME=oracular
...
...
# uname -r
6.10.0-4-generic
# grep [0-9] /sys/firmware/ipl/*sec*
/sys/firmware/ipl/has_secure:1
/sys/firmware/ipl/secure:0
# ls -l /boot/vmlinuz /boot/initrd.img
lrwxrwxrwx 1 root root 27 Jun 12 07:30 /boot/initrd.img -> initrd.img-6.10.0-4-generic
lrwxrwxrwx 1 root root 24 Jun 12 07:30 /boot/vmlinuz -> vmlinuz-6.10.0-4-generic
load with kernel vmlinuz-6.10.0-4-generic
- without secure boot enable
- without adding the signature
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.4' level 'D51C.D51C_328.17'.
--- Audit message summary start ---
MLOLOA62693210 Audit: Signature verification failure for component 5 in program
0 loaded from device HBA:0.0.1900,WWPN:500507630710572c,LUN:4021402c00000000.
--- Audit message summary end ---
OK00000000 Success
load with kernel vmlinuz-6.8.0-2-generic
- with secure boot enable
- without adding the signature
IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.4' level 'D51C.D51C_328.17'.
--- Audit message summary start ---
MLOLOA62693210 Audit: Signature verification failure for component 5 in program
0 loaded from device HBA:0.0.1900,WWPN:500507630710572C,LUN:4021402C00000000.
--- Audit message summary end ---
MLOLOA6269321F A security violation error was encountered when loading from devi
ce HBA:0.0.1900,WWPN:500507630710572C,LUN:4021402C00000000.
IPL failed (110).
load with kernel vmlinuz-6.8.0-2-generic
- with secure boot enable
- with adding the signature
IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.2.4' level 'D51C.D51C_328.17'.
OK00000000 Success
[ 0.082046] Linux version 6.10.0-4-generic (buildd@bos01-s390x-019) (s390x-linux-gnu-gcc-13 (Ubuntu 13.2.0-25ubuntu1) 13.2.0, GNU ld (GNU Binutils for Ubuntu) 2.42) #4-Ubuntu SMP Mon Jun 3 10:28:36 UTC 2024 (Ubuntu 6.10.0-4.4-generic 6.10.0-rc2)
[ 0.082048] setup: Linux is running natively in 64-bit mode
[ 0.082048] setup: Linux is running with Secure-IPL enabled
After secure boot load
# grep [0-9] /sys/firmware/ipl/*sec*
/sys/firmware/ipl/has_secure:1
/sys/firmware/ipl/secure:1
we used these Certificate:
# openssl x509 -text -in sipl1.x509
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a1:b6:a0:75:09:df:f4:18
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN = PPA canonical-kernel-team unstable SIPL
Validity
Not Before: Aug 23 20:47:25 2019 GMT
Not After : Aug 20 20:47:25 2029 GMT
Subject: CN = PPA canonical-kernel-team unstable SIPL
...
...
# openssl x509 -text -in sipl2.x509
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ee:61:db:02:41:ef:d1:06
Signature Algorithm: sha512WithRSAEncryption
Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., OU = Secure Boot, CN = "Canonical Ltd. Secure Boot Signing (ZIPL, 2019)"
Validity
Not Before: May 16 13:50:05 2019 GMT
Not After : May 14 13:50:05 2049 GMT
Subject: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., OU = Secure Boot, CN = "Canonical Ltd. Secure Boot Signing (ZIPL, 2019)"
..
this was tested on our Z16 machine
No problems detected. Secure boot works as expected.
--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2069035
Title:
[24.10] Please test secure-boot and lockdown on the 6.10 kernel
(s390x) for Oracular
Status in Ubuntu on IBM z Systems:
New
Status in linux package in Ubuntu:
New
Bug description:
The Canonical kernel team is working on a new 6.10 kernel for
'oracular' (24.10) and has an early build ready for secure-boot and
lockdown testing (version 6.10.0-4.4).
To avoid potentially negative implications that a broken secure-boot
lockdown functionality would cause (esp. using the production key), we
ask to get secure-boot tested early in the cycle using Canonical
kernel team's PPA key for signature.
The early test build is available at: ppa:canonical-kernel-team/unstable
(https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable/)
The PPA key used for signing can be found in the tarball available here:
https://ppa.launchpad.net/canonical-kernel-team/unstable/ubuntu/dists/devel/main/signed/linux-generate-unstable-s390x/current/
(Please note that this kernel is coming from the 'canonical-kernel-
team' PPA, hence it is NOT signed with the regular
archive/release/production key, instead with the above PPA's key!)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2069035/+subscriptions
Комментариев нет:
Отправить комментарий