Merge ~paelzer/ubuntu/+source/qemu:lp-1830243-secure-boot-toleration-xenial into ubuntu/+source/qemu:ubuntu/xenial-devel

Proposed by Christian Ehrhardt 
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: 98ec5a6d0d88e0bca606a86d0a522c246538cf7c
Proposed branch: ~paelzer/ubuntu/+source/qemu:lp-1830243-secure-boot-toleration-xenial
Merge into: ubuntu/+source/qemu:ubuntu/xenial-devel
Diff against target: 122 lines (+100/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch (+92/-0)
Reviewer Review Type Date Requested Status
Rafael David Tinoco Approve
Canonical Server packageset reviewers Pending
Ubuntu Server Dev import team Pending
Review via email: mp+369709@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :

PPA: https://launchpad.net/~paelzer/+archive/ubuntu/bug-1830243-secure-boot-toleration

Testing this needs a secure boot enabled s390x kernel which I haven't seen yet.
I asked on the bug who could verify this.

Rafael David Tinoco (rafaeldtinoco) wrote :

I would like to review this one, since these were already in qemu 4.0 merge. Will get back to this soon.

Rafael David Tinoco (rafaeldtinoco) wrote :

I don't have access to s390 yet (working on it) so I'll do a logical review only.

Rafael David Tinoco (rafaeldtinoco) wrote :

without the fix:

(c)inaddy@lqemuxenial:~$ virsh start --console kguesttest
Domain kguesttest started
Connected to domain kguesttest
Escape character is ^]
Using SCSI scheme.
                  ..
                    ! No EXEC entry !

with the fix:

(c)inaddy@lqemuxenial:~$ virsh start --console kguesttest
Domain kguesttest started
Connected to domain kguesttest
Escape character is ^]
.......
       [ 0.501871] Linux version 5.2.0-1-generic (buildd@bos02-s390x-020) (gcc version 8.3.0 (Ubuntu 8.3.0-13ubuntu1)) #2-Ubuntu SMP Tue May 28 15:17:17 UTC 2019 (Ubuntu 5.2.0-1.2-generic 5.2.0-rc2)
[ 0.501873] setup.289988: Linux is running under KVM in 64-bit mode
[ 0.501898] setup.b050d0: The maximum memory size is 4096MB

review: Approve
Rafael David Tinoco (rafaeldtinoco) wrote :

patch is upstream and straightforward, binary generation is good:

dpkg-deb: building package 'qemu' in '../qemu_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system' in '../qemu-system_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-block-extra' in '../qemu-block-extra_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system-common' in '../qemu-system-common_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system-misc' in '../qemu-system-misc_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system-arm' in '../qemu-system-arm_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system-mips' in '../qemu-system-mips_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system-sparc' in '../qemu-system-sparc_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system-ppc' in '../qemu-system-ppc_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-utils' in '../qemu-utils_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-guest-agent' in '../qemu-guest-agent_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-kvm' in '../qemu-kvm_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-user' in '../qemu-user_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-user-binfmt' in '../qemu-user-binfmt_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system-x86' in '../qemu-system-x86_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-user-static' in '../qemu-user-static_2.5+dfsg-5ubuntu10.41_s390x.deb'.
dpkg-deb: building package 'qemu-system-s390x' in '../qemu-system-s390x_2.5+dfsg-5ubuntu10.41_s390x.deb'.

all good o/

Christian Ehrhardt  (paelzer) wrote :

This is fix released nowadays, cleaning up old MP

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 18e52d4..dd1ec03 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+qemu (1:2.5+dfsg-5ubuntu10.41) xenial; urgency=medium
7+
8+ * d/p/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch:
9+ tolerate guests with secure boot loaders (LP: #1830243)
10+
11+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 Jul 2019 14:47:56 +0200
12+
13 qemu (1:2.5+dfsg-5ubuntu10.40) xenial; urgency=medium
14
15 * Restore patches that caused regression
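Review bot: the changelog wording "tolerate guests with secure boot loaders" can be read as if secure boot is now honoured by the s390-ccw BIOS, which the patch itself explicitly does not claim. Suggest rewording the bullet to match the patch title, e.g. "skip (without verifying) zipl signature entries in the boot script so that guests with secure-boot-enabled bootloaders still boot (LP: #1830243)", so an SRU reader does not infer a security feature that is not there. Version bump 10.40 to 10.41 and the LP reference are otherwise in order.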
16diff --git a/debian/patches/series b/debian/patches/series
17index e531988..5006edb 100644
18--- a/debian/patches/series
19+++ b/debian/patches/series
20@@ -285,3 +285,4 @@ CVE-2018-20815.patch
21 CVE-2019-9824.patch
22 lp1829380.patch
23 lp1828288/target-i386-Set-AMD-alias-bits-after-filtering-CPUID.patch
24+ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch
25diff --git a/debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch b/debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch
26new file mode 100644
27index 0000000..180428e
28--- /dev/null
29+++ b/debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch
30@@ -0,0 +1,92 @@
31+From 2497b4a3c08426122d1a89b808c669a734469e5a Mon Sep 17 00:00:00 2001
32+From: "Jason J. Herne" <jjherne@linux.ibm.com>
33+Date: Mon, 29 Apr 2019 09:09:41 -0400
34+Subject: [PATCH] s390-bios: Skip bootmap signature entries
35+
36+Newer versions of zipl have the ability to write signature entries to the boot
37+script for secure boot. We don't yet support secure boot, but we need to skip
38+over signature entries while reading the boot script in order to maintain our
39+ability to boot guest operating systems that have a secure bootloader.
40+
41+Signed-off-by: Jason J. Herne <jjherne@linux.ibm.com>
42+Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
43+Message-Id: <1556543381-12671-1-git-send-email-jjherne@linux.ibm.com>
44+Signed-off-by: Thomas Huth <thuth@redhat.com>
45+
46+Origin: backport, https://git.qemu.org/?p=qemu.git;a=commit;h=2497b4a3
47+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1830243
48+Last-Update: 2019-07-04
49+
50+---
51+ pc-bios/s390-ccw/bootmap.c | 19 +++++++++++++++++--
52+ pc-bios/s390-ccw/bootmap.h | 10 ++++++----
53+ 2 files changed, 23 insertions(+), 6 deletions(-)
54+
55+diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
56+index 7aef65ab67..d13b7cbd15 100644
57+--- a/pc-bios/s390-ccw/bootmap.c
58++++ b/pc-bios/s390-ccw/bootmap.c
59+@@ -254,7 +254,14 @@ static void run_eckd_boot_script(block_number_t bmt_block_nr,
60+ memset(sec, FREE_SPACE_FILLER, sizeof(sec));
61+ read_block(block_nr, sec, "Cannot read Boot Map Script");
62+
63+- for (i = 0; bms->entry[i].type == BOOT_SCRIPT_LOAD; i++) {
64++ for (i = 0; bms->entry[i].type == BOOT_SCRIPT_LOAD ||
65++ bms->entry[i].type == BOOT_SCRIPT_SIGNATURE; i++) {
66++
67++ /* We don't support secure boot yet, so we skip signature entries */
68++ if (bms->entry[i].type == BOOT_SCRIPT_SIGNATURE) {
69++ continue;
70++ }
71++
72+ address = bms->entry[i].address.load_address;
73+ block_nr = eckd_block_num(&(bms->entry[i].blkptr));
74+
75+@@ -489,7 +496,15 @@ static void zipl_run(ScsiBlockPtr *pte)
76+
77+ /* Load image(s) into RAM */
78+ entry = (ComponentEntry *)(&header[1]);
79+- while (entry->component_type == ZIPL_COMP_ENTRY_LOAD) {
80++ while (entry->component_type == ZIPL_COMP_ENTRY_LOAD ||
81++ entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) {
82++
83++ /* We don't support secure boot yet, so we skip signature entries */
84++ if (entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) {
85++ entry++;
86++ continue;
87++ }
88++
89+ zipl_load_segment(entry);
90+
91+ entry++;
92+diff --git a/pc-bios/s390-ccw/bootmap.h b/pc-bios/s390-ccw/bootmap.h
93+index a085212077..94f53a5f1e 100644
94+--- a/pc-bios/s390-ccw/bootmap.h
95++++ b/pc-bios/s390-ccw/bootmap.h
96+@@ -98,8 +98,9 @@ typedef struct ScsiMbr {
97+ #define ZIPL_COMP_HEADER_IPL 0x00
98+ #define ZIPL_COMP_HEADER_DUMP 0x01
99+
100+-#define ZIPL_COMP_ENTRY_LOAD 0x02
101+-#define ZIPL_COMP_ENTRY_EXEC 0x01
102++#define ZIPL_COMP_ENTRY_EXEC 0x01
103++#define ZIPL_COMP_ENTRY_LOAD 0x02
104++#define ZIPL_COMP_ENTRY_SIGNATURE 0x03
105+
106+ typedef struct XEckdMbr {
107+ uint8_t magic[4]; /* == "xIPL" */
108+@@ -117,8 +118,9 @@ typedef struct BootMapScriptEntry {
109+ BootMapPointer blkptr;
110+ uint8_t pad[7];
111+ uint8_t type; /* == BOOT_SCRIPT_* */
112+-#define BOOT_SCRIPT_EXEC 0x01
113+-#define BOOT_SCRIPT_LOAD 0x02
114++#define BOOT_SCRIPT_EXEC 0x01
115++#define BOOT_SCRIPT_LOAD 0x02
116++#define BOOT_SCRIPT_SIGNATURE 0x03
117+ union {
118+ uint64_t load_address;
119+ uint64_t load_psw;
120+--
121+2.22.0
122+
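Review bot: the DEP-3 header should state plainly that signature entries (type 0x03) are discarded without any verification, so this is boot toleration only and not secure boot support; the in-code comment "We don't support secure boot yet, so we skip signature entries" says it, but the header is what an SRU reviewer reads. The logic itself is the minimal correct change and explains the "! No EXEC entry !" in the pre-fix console log above: both the run_eckd_boot_script for-loop and the zipl_run while-loop previously stopped at the first entry that was not LOAD, so a signature entry ended the walk before the EXEC entry was reached, and the check that follows the loop then failed. One point to tighten in zipl_run: the skip branch does `entry++; continue;`, while the LOAD path does `zipl_load_segment(entry); entry++;`, so the increment is duplicated and a future edit to the loop body could easily miss one of them; moving the single `entry++` to the end of the loop body with the signature test as an `if (... != ZIPL_COMP_ENTRY_SIGNATURE)` guard around the load would avoid that, though as a straight backport keeping the upstream shape is also defensible. The bootmap.h reordering of ZIPL_COMP_ENTRY_EXEC/LOAD and the re-emitted BOOT_SCRIPT_EXEC/LOAD lines are cosmetic (sorting by value and realigning) and could be trimmed from the backport to keep the diff minimal, but they do not change behaviour.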
