Merge ~paelzer/ubuntu/+source/qemu:lp-1830243-secure-boot-toleration-xenial into ubuntu/+source/qemu:ubuntu/xenial-devel

Proposed by Christian Ehrhardt 
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: 98ec5a6d0d88e0bca606a86d0a522c246538cf7c
Proposed branch: ~paelzer/ubuntu/+source/qemu:lp-1830243-secure-boot-toleration-xenial
Merge into: ubuntu/+source/qemu:ubuntu/xenial-devel
Diff against target: 122 lines (+100/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch (+92/-0)
Reviewer Review Type Date Requested Status
Rafael David Tinoco (community) Approve
Canonical Server packageset reviewers Pending
git-ubuntu developers Pending
Review via email: mp+369709@code.launchpad.net
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

PPA: https://launchpad.net/~paelzer/+archive/ubuntu/bug-1830243-secure-boot-toleration

Testing this needs a secure boot enabled s390x kernel which I haven't seen yet.
I asked on the bug who could verify this.

Revision history for this message
Rafael David Tinoco (rafaeldtinoco) wrote :

I would like to review this one, since these were already in qemu 4.0 merge. Will get back to this soon.

Revision history for this message
Rafael David Tinoco (rafaeldtinoco) wrote :

I don't have access to s390 yet (working on it) so I'll do a logical review only.

Revision history for this message
Rafael David Tinoco (rafaeldtinoco) wrote :

without the fix:

(c)inaddy@lqemuxenial:~$ virsh start --console kguesttest
Domain kguesttest started
Connected to domain kguesttest
Escape character is ^]
Using SCSI scheme.
                  ..
                    ! No EXEC entry !

with the fix:

(c)inaddy@lqemuxenial:~$ virsh start --console kguesttest
Domain kguesttest started
Connected to domain kguesttest
Escape character is ^]
.......
       [ 0.501871] Linux version 5.2.0-1-generic (buildd@bos02-s390x-020) (gcc version 8.3.0 (Ubuntu 8.3.0-13ubuntu1)) #2-Ubuntu SMP Tue May 28 15:17:17 UTC 2019 (Ubuntu 5.2.0-1.2-generic 5.2.0-rc2)
[ 0.501873] setup.289988: Linux is running under KVM in 64-bit mode
[ 0.501898] setup.b050d0: The maximum memory size is 4096MB

review: Approve
Revision history for this message
Rafael David Tinoco (rafaeldtinoco) wrote :

patch is upstream and straightforward, binary generation is good:

dpkg-deb: building package 'qemu' in '../qemu_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system' in '../qemu-system_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-block-extra' in '../qemu-block-extra_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system-common' in '../qemu-system-common_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system-misc' in '../qemu-system-misc_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system-arm' in '../qemu-system-arm_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system-mips' in '../qemu-system-mips_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system-sparc' in '../qemu-system-sparc_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system-ppc' in '../qemu-system-ppc_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-utils' in '../qemu-utils_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-guest-agent' in '../qemu-guest-agent_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-kvm' in '../qemu-kvm_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-user' in '../qemu-user_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-user-binfmt' in '../qemu-user-binfmt_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system-x86' in '../qemu-system-x86_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-user-static' in '../qemu-user-static_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system-s390x' in '../qemu-system-s390x_2.5+dfsg-5ubuntu10.41_s390x.deb'.

all good o/

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

This is fix released nowadays, cleaning up old MP

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index 18e52d4..dd1ec03 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
1qemu (1:2.5+dfsg-5ubuntu10.41) xenial; urgency=medium
2
3 * d/p/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch:
4 tolerate guests with secure boot loaders (LP: #1830243)
5
6 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 Jul 2019 14:47:56 +0200
7
1qemu (1:2.5+dfsg-5ubuntu10.40) xenial; urgency=medium8qemu (1:2.5+dfsg-5ubuntu10.40) xenial; urgency=medium
29
3 * Restore patches that caused regression10 * Restore patches that caused regression
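Review bot: The changelog line "tolerate guests with secure boot loaders" does not say that the signature entries are skipped rather than verified. Consider wording along the lines of "skip zipl signature entries so guests with secure boot loaders still boot (signatures are not verified)", so the upload is not read as adding secure boot support.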
diff --git a/debian/patches/series b/debian/patches/series
index e531988..5006edb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -285,3 +285,4 @@ CVE-2018-20815.patch
285CVE-2019-9824.patch285CVE-2019-9824.patch
286lp1829380.patch286lp1829380.patch
287lp1828288/target-i386-Set-AMD-alias-bits-after-filtering-CPUID.patch287lp1828288/target-i386-Set-AMD-alias-bits-after-filtering-CPUID.patch
288ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch
diff --git a/debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch b/debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch
288new file mode 100644289new file mode 100644
index 0000000..180428e
--- /dev/null
+++ b/debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch
@@ -0,0 +1,92 @@
1From 2497b4a3c08426122d1a89b808c669a734469e5a Mon Sep 17 00:00:00 2001
2From: "Jason J. Herne" <jjherne@linux.ibm.com>
3Date: Mon, 29 Apr 2019 09:09:41 -0400
4Subject: [PATCH] s390-bios: Skip bootmap signature entries
5
6Newer versions of zipl have the ability to write signature entries to the boot
7script for secure boot. We don't yet support secure boot, but we need to skip
8over signature entries while reading the boot script in order to maintain our
9ability to boot guest operating systems that have a secure bootloader.
10
11Signed-off-by: Jason J. Herne <jjherne@linux.ibm.com>
12Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
13Message-Id: <1556543381-12671-1-git-send-email-jjherne@linux.ibm.com>
14Signed-off-by: Thomas Huth <thuth@redhat.com>
15
16Origin: backport, https://git.qemu.org/?p=qemu.git;a=commit;h=2497b4a3
17Bug-Ubuntu: https://bugs.launchpad.net/bugs/1830243
18Last-Update: 2019-07-04
19
20---
21 pc-bios/s390-ccw/bootmap.c | 19 +++++++++++++++++--
22 pc-bios/s390-ccw/bootmap.h | 10 ++++++----
23 2 files changed, 23 insertions(+), 6 deletions(-)
24
25diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
26index 7aef65ab67..d13b7cbd15 100644
27--- a/pc-bios/s390-ccw/bootmap.c
28+++ b/pc-bios/s390-ccw/bootmap.c
29@@ -254,7 +254,14 @@ static void run_eckd_boot_script(block_number_t bmt_block_nr,
30 memset(sec, FREE_SPACE_FILLER, sizeof(sec));
31 read_block(block_nr, sec, "Cannot read Boot Map Script");
32
33- for (i = 0; bms->entry[i].type == BOOT_SCRIPT_LOAD; i++) {
34+ for (i = 0; bms->entry[i].type == BOOT_SCRIPT_LOAD ||
35+ bms->entry[i].type == BOOT_SCRIPT_SIGNATURE; i++) {
36+
37+ /* We don't support secure boot yet, so we skip signature entries */
38+ if (bms->entry[i].type == BOOT_SCRIPT_SIGNATURE) {
39+ continue;
40+ }
41+
42 address = bms->entry[i].address.load_address;
43 block_nr = eckd_block_num(&(bms->entry[i].blkptr));
44
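Review bot: The widened loop condition in run_eckd_boot_script still tests only bms->entry[i].type, so nothing visible in this hunk bounds i by the number of entries that fit in sec. With BOOT_SCRIPT_SIGNATURE now accepted alongside BOOT_SCRIPT_LOAD, the walk ends only when some other type byte turns up. Consider also stopping once i reaches the entry capacity of the block read into sec and failing with a clear message, so a malformed boot map script cannot carry the index past the buffer.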
45@@ -489,7 +496,15 @@ static void zipl_run(ScsiBlockPtr *pte)
46
47 /* Load image(s) into RAM */
48 entry = (ComponentEntry *)(&header[1]);
49- while (entry->component_type == ZIPL_COMP_ENTRY_LOAD) {
50+ while (entry->component_type == ZIPL_COMP_ENTRY_LOAD ||
51+ entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) {
52+
53+ /* We don't support secure boot yet, so we skip signature entries */
54+ if (entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) {
55+ entry++;
56+ continue;
57+ }
58+
59 zipl_load_segment(entry);
60
61 entry++;
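Review bot: In zipl_run the signature branch has to repeat entry++ before continue, which leaves two places that advance the pointer and an easy way to loop forever if one of them is dropped in a later edit. Guarding only the load, for example "if (entry->component_type != ZIPL_COMP_ENTRY_SIGNATURE) zipl_load_segment(entry);" followed by the single existing entry++, keeps one increment. As in the ECKD path, the loop shows no bound on how far entry may advance past header, which is worth adding while this condition is being touched.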
62diff --git a/pc-bios/s390-ccw/bootmap.h b/pc-bios/s390-ccw/bootmap.h
63index a085212077..94f53a5f1e 100644
64--- a/pc-bios/s390-ccw/bootmap.h
65+++ b/pc-bios/s390-ccw/bootmap.h
66@@ -98,8 +98,9 @@ typedef struct ScsiMbr {
67 #define ZIPL_COMP_HEADER_IPL 0x00
68 #define ZIPL_COMP_HEADER_DUMP 0x01
69
70-#define ZIPL_COMP_ENTRY_LOAD 0x02
71-#define ZIPL_COMP_ENTRY_EXEC 0x01
72+#define ZIPL_COMP_ENTRY_EXEC 0x01
73+#define ZIPL_COMP_ENTRY_LOAD 0x02
74+#define ZIPL_COMP_ENTRY_SIGNATURE 0x03
75
76 typedef struct XEckdMbr {
77 uint8_t magic[4]; /* == "xIPL" */
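Review bot: ZIPL_COMP_ENTRY_SIGNATURE 0x03 is added without a comment, and it is the only functional change in this hunk (the other two lines are just reordered). A short comment on the new define saying that signature components are recognised only so they can be skipped, and are not verified, would keep the header from suggesting that the BIOS implements secure boot.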
78@@ -117,8 +118,9 @@ typedef struct BootMapScriptEntry {
79 BootMapPointer blkptr;
80 uint8_t pad[7];
81 uint8_t type; /* == BOOT_SCRIPT_* */
82-#define BOOT_SCRIPT_EXEC 0x01
83-#define BOOT_SCRIPT_LOAD 0x02
84+#define BOOT_SCRIPT_EXEC 0x01
85+#define BOOT_SCRIPT_LOAD 0x02
86+#define BOOT_SCRIPT_SIGNATURE 0x03
87 union {
88 uint64_t load_address;
89 uint64_t load_psw;
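Review bot: BOOT_SCRIPT_SIGNATURE is added as a third value of type, but the union directly below it still offers only load_address and load_psw, and nothing documents what the address field holds for a signature entry. Please add a comment next to the new define stating that the union is not interpreted for BOOT_SCRIPT_SIGNATURE entries, since the loader skips them before reading address.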
90--
912.22.0
92
