Merge ~paelzer/ubuntu/+source/qemu:lp-1830243-secure-boot-toleration-bionic into ubuntu/+source/qemu:ubuntu/bionic-devel

Proposed by Christian Ehrhardt 
Status: Merged
Merged at revision: 9c9428a68dd9528d11f9c4e36d467311289e2001
Proposed branch: ~paelzer/ubuntu/+source/qemu:lp-1830243-secure-boot-toleration-bionic
Merge into: ubuntu/+source/qemu:ubuntu/bionic-devel
Diff against target: 122 lines (+100/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch (+92/-0)
Reviewers:
Rafael David Tinoco (community): Approve
Canonical Server packageset reviewers: Pending
git-ubuntu developers: Pending
Review via email: mp+369710@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :

PPA: https://launchpad.net/~paelzer/+archive/ubuntu/bug-1830243-secure-boot-toleration

Testing this needs a secure boot enabled s390x kernel which I haven't seen yet.
I asked on the bug who could verify this.

Rafael David Tinoco (rafaeldtinoco) wrote :

I would like to review this one, since these were already in qemu 4.0 merge. Will get back to this soon.

Rafael David Tinoco (rafaeldtinoco) wrote :

I don't have access to s390 yet (working on it) so I'll do a logical review only.

Rafael David Tinoco (rafaeldtinoco) wrote :

(c)inaddy@lqemubionic:~$ virsh start --console kguesttest
Domain kguesttest started
Connected to domain kguesttest
Escape character is ^]
...
[ 0.476495] Linux version 5.2.0-1-generic (buildd@bos02-s390x-020) (gcc version 8.3.0 (Ubuntu 8.3.0-13ubuntu1)) #2-Ubuntu SMP Tue May 28 15:17:17 UTC 2019 (Ubuntu 5.2.0-1.2-generic 5.2.0-rc2)
[ 0.476498] setup.289988: Linux is running under KVM in 64-bit mode

review: Approve
Rafael David Tinoco (rafaeldtinoco) wrote :

dpkg-deb: building package 'qemu' in '../qemu_2.11+dfsg-1ubuntu7.16_s390x.deb'.
dpkg-deb: building package 'qemu-block-extra' in '../qemu-block-extra_2.11+dfsg-1ubuntu7.16_s390x.deb'.
dpkg-deb: building package 'qemu-system-common' in '../qemu-system-common_2.11+dfsg-1ubuntu7.16_s390x.deb'.
dpkg-deb: building package 'qemu-system' in '../qemu-system_2.11+dfsg-1ubuntu7.16_s390x.deb'.
dpkg-deb: building package 'qemu-system-misc' in '../qemu-system-misc_2.11+dfsg-1ubuntu7.16_s390x.deb'.
dpkg-deb: building package 'qemu-system-mips' in '../qemu-system-mips_2.11+dfsg-1ubuntu7.16_s390x.deb'.
dpkg-deb: building package 'qemu-utils' in '../qemu-utils_2.11+dfsg-1ubuntu7.16_s390x.deb'.
dpkg-deb: building package 'qemu-system-sparc' in '../qemu-system-sparc_2.11+dfsg-1ubuntu7.16_s390x.deb'.
dpkg-deb: building package 'qemu-system-ppc' in '../qemu-system-ppc_2.11+dfsg-1ubuntu7.16_s390x.deb'.
dpkg-deb: building package 'qemu-system-x86' in '../qemu-system-x86_2.11+dfsg-1ubuntu7.16_s390x.deb'.
dpkg-deb: building package 'qemu-user-static' in '../qemu-user-static_2.11+dfsg-1ubuntu7.16_s390x.deb'.
dpkg-deb: building package 'qemu-kvm' in '../qemu-kvm_2.11+dfsg-1ubuntu7.16_s390x.deb'.
dpkg-deb: building package 'qemu-system-arm' in '../qemu-system-arm_2.11+dfsg-1ubuntu7.16_s390x.deb'.
dpkg-deb: building package 'qemu-user' in '../qemu-user_2.11+dfsg-1ubuntu7.16_s390x.deb'.
dpkg-deb: building package 'qemu-system-s390x' in '../qemu-system-s390x_2.11+dfsg-1ubuntu7.16_s390x.deb'.
dpkg-deb: building package 'qemu-user-binfmt' in '../qemu-user-binfmt_2.11+dfsg-1ubuntu7.16_s390x.deb'.
dpkg-deb: building package 'qemu-guest-agent' in '../qemu-guest-agent_2.11+dfsg-1ubuntu7.16_s390x.deb'.

All good.

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index a736aad..18e40be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
1qemu (1:2.11+dfsg-1ubuntu7.16) bionic; urgency=medium
2
3 * d/p/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch:
4 tolerate guests with secure boot loaders (LP: #1830243)
5
6 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 Jul 2019 14:47:56 +0200
7
1qemu (1:2.11+dfsg-1ubuntu7.15) bionic; urgency=medium8qemu (1:2.11+dfsg-1ubuntu7.15) bionic; urgency=medium
29
3 * d/p/ubuntu/define-ubuntu-machine-types.patch: fix wily machine type being10 * d/p/ubuntu/define-ubuntu-machine-types.patch: fix wily machine type being
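Review bot: the new changelog entry at lines 3-4 says the patch will "tolerate guests with secure boot loaders" but does not say that the signature entries are skipped rather than checked, which a reader of the changelog alone could take for secure boot support. Suggest wording such as "skip zipl signature entries so guests with secure boot loaders still boot (no signature verification added)", matching the patch description's "We don't yet support secure boot".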
diff --git a/debian/patches/series b/debian/patches/series
index f42b259..9dc8a32 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -87,3 +87,4 @@ ubuntu/enable-md-clear.patch
87CVE-2018-20815.patch87CVE-2018-20815.patch
88CVE-2019-9824.patch88CVE-2019-9824.patch
89ubuntu/lp-1830704-s390x-cpumodel-ignore-csske-for-expansion.patch89ubuntu/lp-1830704-s390x-cpumodel-ignore-csske-for-expansion.patch
90ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch
diff --git a/debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch b/debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch
90new file mode 10064491new file mode 100644
index 0000000..180428e
--- /dev/null
+++ b/debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch
@@ -0,0 +1,92 @@
1From 2497b4a3c08426122d1a89b808c669a734469e5a Mon Sep 17 00:00:00 2001
2From: "Jason J. Herne" <jjherne@linux.ibm.com>
3Date: Mon, 29 Apr 2019 09:09:41 -0400
4Subject: [PATCH] s390-bios: Skip bootmap signature entries
5
6Newer versions of zipl have the ability to write signature entries to the boot
7script for secure boot. We don't yet support secure boot, but we need to skip
8over signature entries while reading the boot script in order to maintain our
9ability to boot guest operating systems that have a secure bootloader.
10
11Signed-off-by: Jason J. Herne <jjherne@linux.ibm.com>
12Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
13Message-Id: <1556543381-12671-1-git-send-email-jjherne@linux.ibm.com>
14Signed-off-by: Thomas Huth <thuth@redhat.com>
15
16Origin: backport, https://git.qemu.org/?p=qemu.git;a=commit;h=2497b4a3
17Bug-Ubuntu: https://bugs.launchpad.net/bugs/1830243
18Last-Update: 2019-07-04
19
20---
21 pc-bios/s390-ccw/bootmap.c | 19 +++++++++++++++++--
22 pc-bios/s390-ccw/bootmap.h | 10 ++++++----
23 2 files changed, 23 insertions(+), 6 deletions(-)
24
25diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
26index 7aef65ab67..d13b7cbd15 100644
27--- a/pc-bios/s390-ccw/bootmap.c
28+++ b/pc-bios/s390-ccw/bootmap.c
29@@ -254,7 +254,14 @@ static void run_eckd_boot_script(block_number_t bmt_block_nr,
30 memset(sec, FREE_SPACE_FILLER, sizeof(sec));
31 read_block(block_nr, sec, "Cannot read Boot Map Script");
32
33- for (i = 0; bms->entry[i].type == BOOT_SCRIPT_LOAD; i++) {
34+ for (i = 0; bms->entry[i].type == BOOT_SCRIPT_LOAD ||
35+ bms->entry[i].type == BOOT_SCRIPT_SIGNATURE; i++) {
36+
37+ /* We don't support secure boot yet, so we skip signature entries */
38+ if (bms->entry[i].type == BOOT_SCRIPT_SIGNATURE) {
39+ continue;
40+ }
41+
42 address = bms->entry[i].address.load_address;
43 block_nr = eckd_block_num(&(bms->entry[i].blkptr));
44
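Review bot: the loop condition at lines 34-35 still has no upper bound on i, so the loop ends only when the type byte read from disk is something other than BOOT_SCRIPT_LOAD or BOOT_SCRIPT_SIGNATURE, and this change adds a second value that keeps it running. Assuming bms overlays sec, as the read_block call just above suggests, consider also bounding i by the number of BootMapScriptEntry slots that fit in sec so a block filled with type 0x02 or 0x03 entries cannot index past the buffer. The continue at line 39 is correct as written because the for header still performs i++.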
45@@ -489,7 +496,15 @@ static void zipl_run(ScsiBlockPtr *pte)
46
47 /* Load image(s) into RAM */
48 entry = (ComponentEntry *)(&header[1]);
49- while (entry->component_type == ZIPL_COMP_ENTRY_LOAD) {
50+ while (entry->component_type == ZIPL_COMP_ENTRY_LOAD ||
51+ entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) {
52+
53+ /* We don't support secure boot yet, so we skip signature entries */
54+ if (entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) {
55+ entry++;
56+ continue;
57+ }
58+
59 zipl_load_segment(entry);
60
61 entry++;
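Review bot: the skip path at lines 54-56 repeats the entry++ that already sits at the bottom of the loop (line 61), so the loop now advances in two places and a later edit that drops one of them either never terminates or steps over an entry. Guarding only the call, for example "if (entry->component_type == ZIPL_COMP_ENTRY_LOAD) { zipl_load_segment(entry); }" followed by the single existing entry++, keeps one increment and the same behaviour. As in the ECKD loop, nothing in the visible condition at lines 50-51 bounds entry, so the walk is ended only by the component_type value read from the guest's disk.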
62diff --git a/pc-bios/s390-ccw/bootmap.h b/pc-bios/s390-ccw/bootmap.h
63index a085212077..94f53a5f1e 100644
64--- a/pc-bios/s390-ccw/bootmap.h
65+++ b/pc-bios/s390-ccw/bootmap.h
66@@ -98,8 +98,9 @@ typedef struct ScsiMbr {
67 #define ZIPL_COMP_HEADER_IPL 0x00
68 #define ZIPL_COMP_HEADER_DUMP 0x01
69
70-#define ZIPL_COMP_ENTRY_LOAD 0x02
71-#define ZIPL_COMP_ENTRY_EXEC 0x01
72+#define ZIPL_COMP_ENTRY_EXEC 0x01
73+#define ZIPL_COMP_ENTRY_LOAD 0x02
74+#define ZIPL_COMP_ENTRY_SIGNATURE 0x03
75
76 typedef struct XEckdMbr {
77 uint8_t magic[4]; /* == "xIPL" */
78@@ -117,8 +118,9 @@ typedef struct BootMapScriptEntry {
79 BootMapPointer blkptr;
80 uint8_t pad[7];
81 uint8_t type; /* == BOOT_SCRIPT_* */
82-#define BOOT_SCRIPT_EXEC 0x01
83-#define BOOT_SCRIPT_LOAD 0x02
84+#define BOOT_SCRIPT_EXEC 0x01
85+#define BOOT_SCRIPT_LOAD 0x02
86+#define BOOT_SCRIPT_SIGNATURE 0x03
87 union {
88 uint64_t load_address;
89 uint64_t load_psw;
90--
912.22.0
92
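Review bot: BOOT_SCRIPT_SIGNATURE at line 86 is added without saying how the union that follows should be read for that type; the union visible here offers only load_address and load_psw. A one-line comment beside this define, and beside ZIPL_COMP_ENTRY_SIGNATURE at line 74, stating that signature entries are recognized only so the loaders can skip them would keep a later reader from treating address.load_address as meaningful for type 0x03.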
