------- Comment From thorsten.diehl@de.ibm.com 2026-03-02 05:45 EDT-------
I upgraded to kernel 7.0.0-2-generic as described and rebooted. System could be IPLed as expected from DASD.
Secure Boot:
1. With production key only, I got "Signature verification failure for component 3" - expected, OK, DASD part
2. With development unstable PPA key only, I got "Signature verification failure for component 1" - expected, OK, zipl part
3. With both of the above keys I was able to securely boot the LPAR with kernel 7.0.0-2 from DASD, as expected.
root@a83lp32:~# uname -a
Linux a83lp32.lnxne.boe 7.0.0-2-generic #2-Ubuntu SMP PREEMPT Fri Feb 27 10:24:48 UTC 2026 s390x GNU/Linux
root@a83lp32:~# lsreipl
Re-IPL type: eckd
Device: 0.0.7e65
bootprog: 0
br_chr: auto
Bootparm: ""
Loadparm: ""
clear: 0
Secure boot: 1
root@a83lp32:~#
--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2142693
Title:
[26.04] Please test secureboot and lock-down with 7.0.0 kernel (s390x)
on Resolute Raccoon
Status in Ubuntu on IBM z Systems:
Triaged
Status in linux package in Ubuntu:
Triaged
Bug description:
The Canonical kernel team is working on an early 7.0.0 kernel for
Ubuntu Resolute Raccoon (26.04) and has an early build ready for
secure-boot and lockdown testing (version 7.0.0-1.1).
https://launchpad.net/~canonical-kernel-
team/+archive/ubuntu/unstable/+packages?field.name_filter=&field.status_filter=published&field.series_filter=resolute
To avoid potentially negative implications that a broken secure-boot
lockdown functionality would cause (esp. using the production key), we
kindly ask to get secure-boot tested, using Canonical kernel team's
PPA key for signature.
The linux-generic (7.0.0-1.1 or actually latest) is available in ppa:canonical-kernel-team/unstable.
(https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable)
$ sudo add-apt-repository ppa:canonical-kernel-team/unstable # add the unstable kernel PPA
$ sudo apt update # if not done automatically after the previous command
$ apt-cache policy linux-generic # will show potential install candidates
$ sudo apt install linux-generic=7.0.0-1.1 # install explicit version; or just latest available
Please note that this kernel is coming from the 'canonical-kernel-team'
PPA, hence it is NOT signed with the regular archive/release/production
key, BUT instead with the above PPA test signing key.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2142693/+subscriptions
Комментариев нет:
Отправить комментарий