Merge ~paelzer/ubuntu/+source/qemu:lp-1830243-secure-boot-toleration-disco into ubuntu/+source/qemu:ubuntu/disco-devel

Proposed by Christian Ehrhardt 
Status: Merged
Merged at revision: 7104ddcbbc58472aa973813925a0fd64be707d86
Proposed branch: ~paelzer/ubuntu/+source/qemu:lp-1830243-secure-boot-toleration-disco
Merge into: ubuntu/+source/qemu:ubuntu/disco-devel
Diff against target: 122 lines (+100/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch (+92/-0)
Reviewer                               Review Type   Date Requested   Status
Rafael David Tinoco                    community                      Approve
Canonical Server packageset reviewers                                 Pending
git-ubuntu developers                                                 Pending
Review via email: mp+369711@code.launchpad.net
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

PPA: https://launchpad.net/~paelzer/+archive/ubuntu/bug-1830243-secure-boot-toleration

Testing this needs a secure boot enabled s390x kernel which I haven't seen yet.
I asked on the bug who could verify this.

Rafael David Tinoco (rafaeldtinoco) wrote :

I would like to review this one, since these were already in qemu 4.0 merge. Will get back to this soon.

Rafael David Tinoco (rafaeldtinoco) wrote :

I don't have access to s390 yet (working on it) so I'll do a logical review only.

Rafael David Tinoco (rafaeldtinoco) wrote :

Alright, at the end I got my s390x environment back and re-installed my 2xLPARs capable of properly reviewing s390x packages. I'll check this with signed kernel and provide feedback on this small change. Sorry for the delay, wanted to have the environment ready for other needs as well.

Rafael David Tinoco (rafaeldtinoco) wrote :

Alright, sorry for the delay in this review, I wanted to have all my environment ready and now I do.

All my templates use external vmlinuz and initrd images, so I created a similar one to IPL from /dev/vda after zipl has burned stages in the MBR (kguest is eoan, fully updated, latest s390-tools):

[inaddy@kguest:~]$ sudo zipl -V
Using config file '/etc/zipl.conf'
Target device information
  Device..........................: fc:00
  Device name.....................: vda
  Device driver name..............: virtblk
  Type............................: disk device
  Disk layout.....................: SCSI disk layout
  Geometry - start................: 0
  File system block size..........: 4096
  Physical block size.............: 512
  Device size in physical blocks..: 62914560
Building bootmap in '/boot'
Adding IPL section 'ubuntu' (default)
  initial ramdisk...: /boot/initrd.img-5.2.0-1-generic
  signature for.....: /lib/s390-tools/stage3.bin
  kernel image......: /boot/vmlinuz-5.2.0-1-generic
  signature for.....: /boot/vmlinuz-5.2.0-1-generic
  kernel parmline...: 'root=LABEL=KGUEST noresume apparmor=0 net.ifnames=0 crashkernel=196M'
  component address:
    heap area.......: 0x00002000-0x00005fff
    stack area......: 0x0000f000-0x0000ffff
    internal loader.: 0x0000a000-0x0000efff
    parameters......: 0x00009000-0x000091ff
    kernel image....: 0x00010000-0x004b8fff
    parmline........: 0x004ba000-0x004ba1ff
    initial ramdisk.: 0x004c0000-0x0125ddff
Preparing boot device: vda (0000).
Detected plain SCSI partition.
Writing SCSI master boot record.
Syncing disks...
Done.

----

Later I IPLed this guest in an lxc Eoan container:

2019-07-11 02:02:39.781+0000: starting up libvirt version: 5.4.0, package: 0ubuntu3 (Marc Deslauriers <email address hidden> Tue, 02 Jul 2019 08:08:33 -0400), qemu version: 4.0.0Debian 1:4.0+dfsg-0ubuntu1, kernel: 5.0.0-21-generic, hostname: lqemueoan
LC_ALL=C \
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
HOME=/var/lib/libvirt/qemu/domain-2-kguesttest \
XDG_DATA_HOME=/var/lib/libvirt/qemu/domain-2-kguesttest/.local/share \
XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain-2-kguesttest/.cache \
XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain-2-kguesttest/.config \
QEMU_AUDIO_DRV=none \
/usr/bin/qemu-system-s390x \
-name guest=kguesttest,debug-threads=on \
-S \
-object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-2-kguesttest/master-key.aes \
-machine s390-ccw-virtio-2.12,accel=kvm,usb=off,dump-guest-core=off \
-m 4096 \
-overcommit mem-lock=off \
-smp 4,sockets=4,cores=1,threads=1 \
-uuid 82d7e011-3300-4e1d-b4f0-e29ecf548e1f \
-display none \
-no-user-config \
-nodefaults \
-chardev socket,id=charmonitor,fd=22,server,nowait \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=utc \
-no-shutdown \
-boot strict=on \
-drive file=/var/lib/libvirt/images/kguest/disk01.ext4.qcow2,format=qcow2,if=none,id=drive-virtio-disk0 \
-device virtio-blk-ccw,scsi=off,devno=fe.0.0000,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 \
-fsdev local,security_model=passthrough,id=fsdev-fs0,path=/home/inaddy \
-device virtio-9p-ccw,id=fs0,fsdev=fsdev-fs0,mount_tag=inaddy,devno=fe.0.0002 ...

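The zipl -V output in the comment above lists "signature for" entries next to the stage3 loader and the kernel image. Those are the component-table entries the s390-ccw BIOS walks over when it loads the images, and they are what the proposed patch teaches the walk to step past. The following is an added illustration, not code from this merge proposal or from QEMU: a cut-down model of the component walk before and after the change, run over a constructed table whose layout (a signature entry beside each component it covers) is an assumption, not taken from zipl's on-disk format. The `ComponentEntry` and `WalkResult` structs and the explicit table bound `n` are likewise simplifications of the real BIOS code, which walks a raw pointer until it reaches a non-LOAD entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Component-entry types as named in pc-bios/s390-ccw/bootmap.h; 0x03 is the
 * value the patch introduces for zipl's secure-boot signature entries. */
#define ZIPL_COMP_ENTRY_EXEC      0x01
#define ZIPL_COMP_ENTRY_LOAD      0x02
#define ZIPL_COMP_ENTRY_SIGNATURE 0x03

/* Cut-down stand-in for the BIOS's ComponentEntry (assumed layout: the real
 * struct carries a block pointer and padding; only the type matters here). */
typedef struct {
    uint8_t     component_type;
    const char *name;           /* label for the demonstration only */
} ComponentEntry;

typedef struct {
    int loaded;        /* LOAD entries that would have been read into RAM */
    int skipped_sigs;  /* SIGNATURE entries stepped over, never verified */
    int reached_exec;  /* 1 if the walk ended on the EXEC entry */
} WalkResult;

/* Constructed table modelled on the zipl -V listing above. The ordering is
 * an assumption for the demonstration, not zipl's actual on-disk format. */
static const ComponentEntry SAMPLE_TABLE[] = {
    { ZIPL_COMP_ENTRY_LOAD,      "initrd" },
    { ZIPL_COMP_ENTRY_SIGNATURE, "signature for stage3" },
    { ZIPL_COMP_ENTRY_LOAD,      "stage3 (internal loader)" },
    { ZIPL_COMP_ENTRY_LOAD,      "kernel image" },
    { ZIPL_COMP_ENTRY_SIGNATURE, "signature for kernel" },
    { ZIPL_COMP_ENTRY_LOAD,      "parmline" },
    { ZIPL_COMP_ENTRY_EXEC,      "exec" },
};
#define SAMPLE_TABLE_LEN (sizeof(SAMPLE_TABLE) / sizeof(SAMPLE_TABLE[0]))

/* Pre-patch walk: the loop only admits LOAD entries, so the first SIGNATURE
 * entry ends it early and nothing after that entry is loaded. */
WalkResult walk_before_patch(const ComponentEntry *entry, size_t n)
{
    WalkResult r = { 0, 0, 0 };
    size_t i = 0;
    while (i < n && entry[i].component_type == ZIPL_COMP_ENTRY_LOAD) {
        r.loaded++;
        i++;
    }
    r.reached_exec = (i < n && entry[i].component_type == ZIPL_COMP_ENTRY_EXEC);
    return r;
}

/* Post-patch walk: SIGNATURE entries are stepped over. Nothing checks the
 * signature; the BIOS merely tolerates its presence in the table. */
WalkResult walk_after_patch(const ComponentEntry *entry, size_t n)
{
    WalkResult r = { 0, 0, 0 };
    size_t i = 0;
    while (i < n && (entry[i].component_type == ZIPL_COMP_ENTRY_LOAD ||
                     entry[i].component_type == ZIPL_COMP_ENTRY_SIGNATURE)) {
        if (entry[i].component_type == ZIPL_COMP_ENTRY_SIGNATURE) {
            r.skipped_sigs++;
            i++;
            continue;
        }
        r.loaded++;
        i++;
    }
    r.reached_exec = (i < n && entry[i].component_type == ZIPL_COMP_ENTRY_EXEC);
    return r;
}

int main(void)
{
    WalkResult before = walk_before_patch(SAMPLE_TABLE, SAMPLE_TABLE_LEN);
    WalkResult after  = walk_after_patch(SAMPLE_TABLE, SAMPLE_TABLE_LEN);
    printf("before patch: loaded=%d reached_exec=%d\n",
           before.loaded, before.reached_exec);
    printf("after patch:  loaded=%d skipped_sigs=%d reached_exec=%d\n",
           after.loaded, after.skipped_sigs, after.reached_exec);
    return 0;
}
```

On the constructed table the old walk loads only the initrd and never reaches the EXEC entry, which is the boot failure the bug describes for guests prepared by a signing zipl; the new walk loads all four components and ends on EXEC. What the model also makes visible is that the skipped signatures are not checked at any point: the change restores booting, it does not add verification.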

Rafael David Tinoco (rafaeldtinoco) wrote :

(c)inaddy@lqemudisco:~$ virsh start --console kguesttest
Domain kguesttest started
Connected to domain kguesttest
Escape character is ^]
........
[ 0.477234] Linux version 5.2.0-1-generic (buildd@bos02-s390x-020) (gcc version 8.3.0 (Ubuntu 8.3.0-13ubuntu1)) #2-Ubuntu SMP Tue May 28 15:17:17 UTC 2019 (Ubuntu 5.2.0-1.2-generic 5.2.0-rc2)
[ 0.477236] setup.289988: Linux is running under KVM in 64-bit mode

review: Approve
Rafael David Tinoco (rafaeldtinoco) wrote :

Two things, unrelated to this change:

(1)

What's up with libcapstone? Configure might get it from upstream or the system, but without having the system one, my build system fails... (is it a build dependency? I needed it on all builds).

(2)

My builds on DISCO are ... "funny":

dh_testdir
mkdir -p b/fw
/usr/bin/make -f /home/inaddy/work3/qemu/debian/optionrom.mak -C /home/inaddy/work3/qemu/b/fw SRC_PATH=/home/inaddy/work3/qemu
make[1]: Entering directory '/home/inaddy/work3/qemu/b/fw'
cc -O2 -m16 -Wa,-32 -march=i486 -ffreestanding -fno-stack-protector -fno-pie -I/home/inaddy/work3/qemu/include -c -o kvmvapic.o /home/inaddy/work3/qemu/pc-bios/optionrom/kvmvapic.S
cc -O2 -m16 -Wa,-32 -march=i486 -ffreestanding -fno-stack-protector -fno-pie -I/home/inaddy/work3/qemu/include -c -o linuxboot.o /home/inaddy/work3/qemu/pc-bios/optionrom/linuxboot.S
cc -O2 -m16 -Wa,-32 -march=i486 -ffreestanding -fno-stack-protector -fno-pie -I/home/inaddy/work3/qemu/include -c -o linuxboot_dma.o /home/inaddy/work3/qemu/pc-bios/optionrom/linuxboot_dma.c
cc -O2 -m16 -Wa,-32 -march=i486 -ffreestanding -fno-stack-protector -fno-pie -I/home/inaddy/work3/qemu/include -c -o multiboot.o /home/inaddy/work3/qemu/pc-bios/optionrom/multiboot.S
cc: error: unrecognized argument in option ‘-march=i486’
cc: note: valid arguments to ‘-march=’ are: arch10 arch11 arch12 arch3 arch5 arch6 arch7 arch8 arch9 g5 g6 native z10
z13 z14 z196 z9-109 z9-ec z900 z990 zEC12
cc: error: unrecognized argument in option ‘-march=i486’
cc: note: valid arguments to ‘-march=’ are: arch10 arch11 arch12 arch3 arch5 arch6 arch7 arch8 arch9 g5 g6 native z10
z13 z14 z196 z9-109 z9-ec z900 z990 zEC12
cc: error: unrecognized argument in option ‘-march=i486’
cc: error: unrecognized argument in option ‘-march=i486’
cc: note: valid arguments to ‘-march=’ are: arch10 arch11 arch12 arch3 arch5 arch6 arch7 arch8 arch9 g5 g6 native z10
z13 z14 z196 z9-109 z9-ec z900 z990 zEC12
cc: note: valid arguments to ‘-march=’ are: arch10 arch11 arch12 arch3 arch5 arch6 arch7 arch8 arch9 g5 g6 native z10
z13 z14 z196 z9-109 z9-ec z900 z990 zEC12
cc: error: unrecognized command line option ‘-m16’
make[1]: *** [/home/inaddy/work3/qemu/debian/optionrom.mak:13: kvmvapic.o] Error 1
make[1]: *** Waiting for unfinished jobs....
cc: error: unrecognized command line option ‘-m16’
make[1]: *** [/home/inaddy/work3/qemu/debian/optionrom.mak:13: linuxboot.o] Error 1
cc: error: unrecognized command line option ‘-m16’
cc: error: unrecognized command line option ‘-m16’

Looks like it comes from build-indep:

# x86 optionrom (will use arch local config by default)
    ${MAKE} -f ${CURDIR}/debian/optionrom.mak -C ${CURDIR}/b/fw SRC_PATH=${CURDIR}

And optionrom.mak tries to optimize to x86 and use its flags in s390x.

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index a5ac97a..f663282 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
1qemu (1:3.1+dfsg-2ubuntu3.3) disco; urgency=medium
2
3 * d/p/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch:
4 tolerate guests with secure boot loaders (LP: #1830243)
5
6 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 Jul 2019 14:47:56 +0200
7
1qemu (1:3.1+dfsg-2ubuntu3.2) disco; urgency=medium8qemu (1:3.1+dfsg-2ubuntu3.2) disco; urgency=medium
29
3 * d/p/ubuntu/define-ubuntu-machine-types.patch: fix wily machine type being10 * d/p/ubuntu/define-ubuntu-machine-types.patch: fix wily machine type being
diff --git a/debian/patches/series b/debian/patches/series
index 4f779f5..c258211 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -25,3 +25,4 @@ ubuntu/CVE-2018-20815.patch
25ubuntu/CVE-2019-5008.patch25ubuntu/CVE-2019-5008.patch
26ubuntu/CVE-2019-9824.patch26ubuntu/CVE-2019-9824.patch
27ubuntu/lp-1830704-s390x-cpumodel-ignore-csske-for-expansion.patch27ubuntu/lp-1830704-s390x-cpumodel-ignore-csske-for-expansion.patch
28ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch
diff --git a/debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch b/debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch
28new file mode 10064429new file mode 100644
index 0000000..7a24fbb
--- /dev/null
+++ b/debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch
@@ -0,0 +1,92 @@
1From 2497b4a3c08426122d1a89b808c669a734469e5a Mon Sep 17 00:00:00 2001
2From: "Jason J. Herne" <jjherne@linux.ibm.com>
3Date: Mon, 29 Apr 2019 09:09:41 -0400
4Subject: [PATCH] s390-bios: Skip bootmap signature entries
5
6Newer versions of zipl have the ability to write signature entries to the boot
7script for secure boot. We don't yet support secure boot, but we need to skip
8over signature entries while reading the boot script in order to maintain our
9ability to boot guest operating systems that have a secure bootloader.
10
11Signed-off-by: Jason J. Herne <jjherne@linux.ibm.com>
12Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
13Message-Id: <1556543381-12671-1-git-send-email-jjherne@linux.ibm.com>
14Signed-off-by: Thomas Huth <thuth@redhat.com>
15
16Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=2497b4a3
17Bug-Ubuntu: https://bugs.launchpad.net/bugs/1830243
18Last-Update: 2019-07-04
19
20---
21 pc-bios/s390-ccw/bootmap.c | 19 +++++++++++++++++--
22 pc-bios/s390-ccw/bootmap.h | 10 ++++++----
23 2 files changed, 23 insertions(+), 6 deletions(-)
24
25diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
26index 7aef65ab67..d13b7cbd15 100644
27--- a/pc-bios/s390-ccw/bootmap.c
28+++ b/pc-bios/s390-ccw/bootmap.c
29@@ -254,7 +254,14 @@ static void run_eckd_boot_script(block_number_t bmt_block_nr,
30 memset(sec, FREE_SPACE_FILLER, sizeof(sec));
31 read_block(block_nr, sec, "Cannot read Boot Map Script");
32
33- for (i = 0; bms->entry[i].type == BOOT_SCRIPT_LOAD; i++) {
34+ for (i = 0; bms->entry[i].type == BOOT_SCRIPT_LOAD ||
35+ bms->entry[i].type == BOOT_SCRIPT_SIGNATURE; i++) {
36+
37+ /* We don't support secure boot yet, so we skip signature entries */
38+ if (bms->entry[i].type == BOOT_SCRIPT_SIGNATURE) {
39+ continue;
40+ }
41+
42 address = bms->entry[i].address.load_address;
43 block_nr = eckd_block_num(&bms->entry[i].blkptr.xeckd.bptr.chs);
44
45@@ -489,7 +496,15 @@ static void zipl_run(ScsiBlockPtr *pte)
46
47 /* Load image(s) into RAM */
48 entry = (ComponentEntry *)(&header[1]);
49- while (entry->component_type == ZIPL_COMP_ENTRY_LOAD) {
50+ while (entry->component_type == ZIPL_COMP_ENTRY_LOAD ||
51+ entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) {
52+
53+ /* We don't support secure boot yet, so we skip signature entries */
54+ if (entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) {
55+ entry++;
56+ continue;
57+ }
58+
59 zipl_load_segment(entry);
60
61 entry++;
62diff --git a/pc-bios/s390-ccw/bootmap.h b/pc-bios/s390-ccw/bootmap.h
63index a085212077..94f53a5f1e 100644
64--- a/pc-bios/s390-ccw/bootmap.h
65+++ b/pc-bios/s390-ccw/bootmap.h
66@@ -98,8 +98,9 @@ typedef struct ScsiMbr {
67 #define ZIPL_COMP_HEADER_IPL 0x00
68 #define ZIPL_COMP_HEADER_DUMP 0x01
69
70-#define ZIPL_COMP_ENTRY_LOAD 0x02
71-#define ZIPL_COMP_ENTRY_EXEC 0x01
72+#define ZIPL_COMP_ENTRY_EXEC 0x01
73+#define ZIPL_COMP_ENTRY_LOAD 0x02
74+#define ZIPL_COMP_ENTRY_SIGNATURE 0x03
75
76 typedef struct XEckdMbr {
77 uint8_t magic[4]; /* == "xIPL" */
78@@ -117,8 +118,9 @@ typedef struct BootMapScriptEntry {
79 BootMapPointer blkptr;
80 uint8_t pad[7];
81 uint8_t type; /* == BOOT_SCRIPT_* */
82-#define BOOT_SCRIPT_EXEC 0x01
83-#define BOOT_SCRIPT_LOAD 0x02
84+#define BOOT_SCRIPT_EXEC 0x01
85+#define BOOT_SCRIPT_LOAD 0x02
86+#define BOOT_SCRIPT_SIGNATURE 0x03
87 union {
88 uint64_t load_address;
89 uint64_t load_psw;
90--
912.22.0
92
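Review bot: the two reworked loops in bootmap.c (run_eckd_boot_script and zipl_run) step over BOOT_SCRIPT_SIGNATURE / ZIPL_COMP_ENTRY_SIGNATURE entries without reading or checking them, so this restores booting of guests written by a signing zipl but adds no signature verification in the s390-ccw BIOS; the changelog line "tolerate guests with secure boot loaders" is accurate and should be read that way, and the comment "We don't support secure boot yet" in both hunks makes the intent explicit. Since the patch is a verbatim upstream backport (Origin: upstream, commit 2497b4a3, with Bug-Ubuntu and Last-Update DEP-3 headers present), the code itself should not be touched here; the duplicated `entry++` on the skip path in zipl_run is upstream's choice. One property worth confirming in the test on signed guests: loop termination is otherwise unchanged, so an entry of any type other than LOAD or SIGNATURE still ends the walk exactly as before, and a table that ends on EXEC after a signature entry is the case the test on a signed kernel must exercise.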
