Merge ~paelzer/ubuntu/+source/qemu:lp-1830243-secure-boot-toleration-disco into ubuntu/+source/qemu:ubuntu/disco-devel

Proposed by Christian Ehrhardt 
Status: Merged
Merged at revision: 7104ddcbbc58472aa973813925a0fd64be707d86
Proposed branch: ~paelzer/ubuntu/+source/qemu:lp-1830243-secure-boot-toleration-disco
Merge into: ubuntu/+source/qemu:ubuntu/disco-devel
Diff against target: 122 lines (+100/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch (+92/-0)
Reviewer Review Type Date Requested Status
Rafael David Tinoco Approve
Canonical Server packageset reviewers Pending
Ubuntu Server Dev import team Pending
Review via email:
To post a comment you must log in.
Christian Ehrhardt  (paelzer) wrote :


Testign this needs a secure boot enabled s390x kernel which I haven't seen yet.
I asked on the bug who could verify this.

Rafael David Tinoco (rafaeldtinoco) wrote :

I would like to review this one, since these were already in qemu 4.0 merge. Will get back to this soon.

Rafael David Tinoco (rafaeldtinoco) wrote :

I don't have access to s390 yet (working on it) so I'll do a logical review only.

Rafael David Tinoco (rafaeldtinoco) wrote :

Alright, at the end I got my s390x environment back and re-installed my 2xLPARs capable of properly reviewing s390x packages. I'll check this with signed kernel and provide feedback on this small change. Sorry for the delay, wanted to have the environment ready for other needs as well.

Rafael David Tinoco (rafaeldtinoco) wrote :
Download full text (4.6 KiB)

Alright, sorry for the delay in this review, I wanted to have all my environment ready and now I do.

All my templates use external vmlinuz and initrd images, so I created a similar one to IPL from /dev/vda after zipl has burned stages in MBR: (kguest is eoan fully updated, latest s390-tools):

[inaddy@kguest:~]$ sudo zipl -V
Using config file '/etc/zipl.conf'
Target device information
  Device..........................: fc:00
  Device name.....................: vda
  Device driver name..............: virtblk
  Type............................: disk device
  Disk layout.....................: SCSI disk layout
  Geometry - start................: 0
  File system block size..........: 4096
  Physical block size.............: 512
  Device size in physical blocks..: 62914560
Building bootmap in '/boot'
Adding IPL section 'ubuntu' (default)
  initial ramdisk...: /boot/initrd.img-5.2.0-1-generic
  signature for.....: /lib/s390-tools/stage3.bin
  kernel image......: /boot/vmlinuz-5.2.0-1-generic
  signature for.....: /boot/vmlinuz-5.2.0-1-generic
  kernel parmline...: 'root=LABEL=KGUEST noresume apparmor=0 net.ifnames=0 crashkernel=196M'
  component address:
    heap area.......: 0x00002000-0x00005fff
    stack area......: 0x0000f000-0x0000ffff
    internal loader.: 0x0000a000-0x0000efff
    parameters......: 0x00009000-0x000091ff
    kernel image....: 0x00010000-0x004b8fff
    parmline........: 0x004ba000-0x004ba1ff
    initial ramdisk.: 0x004c0000-0x0125ddff
Preparing boot device: vda (0000).
Detected plain SCSI partition.
Writing SCSI master boot record.
Syncing disks...


Later I IPLed tihs guest in a lxc Eoan container:

2019-07-11 02:02:39.781+0000: starting up libvirt version: 5.4.0, package: 0ubuntu3 (Marc Deslauriers <email address hidden> Tue, 02 Jul 2019 08:08:33 -0400), qemu version: 4.0.0Debian 1:4.0+dfsg-0ubuntu1, kernel: 5.0.0-21-generic, hostname: lqemueoan
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
HOME=/var/lib/libvirt/qemu/domain-2-kguesttest \
XDG_DATA_HOME=/var/lib/libvirt/qemu/domain-2-kguesttest/.local/share \
XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain-2-kguesttest/.cache \
XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain-2-kguesttest/.config \
/usr/bin/qemu-system-s390x \
-name guest=kguesttest,debug-threads=on \
-S \
-object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-2-kguesttest/master-key.aes \
-machine s390-ccw-virtio-2.12,accel=kvm,usb=off,dump-guest-core=off \
-m 4096 \
-overcommit mem-lock=off \
-smp 4,sockets=4,cores=1,threads=1 \
-uuid 82d7e011-3300-4e1d-b4f0-e29ecf548e1f \
-display none \
-no-user-config \
-nodefaults \
-chardev socket,id=charmonitor,fd=22,server,nowait \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=utc \
-no-shutdown \
-boot strict=on \
-drive file=/var/lib/libvirt/images/kguest/disk01.ext4.qcow2,format=qcow2,if=none,id=drive-virtio-disk0 \
-device virtio-blk-ccw,scsi=off,devno=fe.0.0000,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 \
-fsdev local,security_model=passthrough,id=fsdev-fs0,path=/home/inaddy \
-device virtio-9p-ccw,id=fs0,fsdev=fsdev-fs0,mount_tag=inaddy,devno=fe.0.0002 ...


Rafael David Tinoco (rafaeldtinoco) wrote :

(c)inaddy@lqemudisco:~$ virsh start --console kguesttest
Domain kguesttest started
Connected to domain kguesttest
Escape character is ^]
[ 0.477234] Linux version 5.2.0-1-generic (buildd@bos02-s390x-020) (gcc version 8.3.0 (Ubuntu 8.3.0-13ubuntu1)) #2-Ubuntu SMP Tue May 28 15:17:17 UTC 2019 (Ubuntu 5.2.0-1.2-generic 5.2.0-rc2)
[ 0.477236] setup.289988: Linux is running under KVM in 64-bit mode

review: Approve
Rafael David Tinoco (rafaeldtinoco) wrote :

2 things, unrelated with this change:


Whats up with libcapstone ? Configure might get it from upstream or the system, but without having the system one, my builds system fails... (is it a build dependency ? I needed it on all builds).


my builds on DISCO are ... "funny":

mkdir -p b/fw
/usr/bin/make -f /home/inaddy/work3/qemu/debian/optionrom.mak -C /home/inaddy/work3/qemu/b/fw SRC_PATH=/home/inaddy/work3/qemu
make[1]: Entering directory '/home/inaddy/work3/qemu/b/fw'
cc -O2 -m16 -Wa,-32 -march=i486 -ffreestanding -fno-stack-protector -fno-pie -I/home/inaddy/work3/qemu/include -c -o kvmvapic.o /home/inaddy/work3/qemu/pc-bios/optionrom/kvmvapic.S
cc -O2 -m16 -Wa,-32 -march=i486 -ffreestanding -fno-stack-protector -fno-pie -I/home/inaddy/work3/qemu/include -c -o linuxboot.o /home/inaddy/work3/qemu/pc-bios/optionrom/linuxboot.S
cc -O2 -m16 -Wa,-32 -march=i486 -ffreestanding -fno-stack-protector -fno-pie -I/home/inaddy/work3/qemu/include -c -o linuxboot_dma.o /home/inaddy/work3/qemu/pc-bios/optionrom/linuxboot_dma.c
cc -O2 -m16 -Wa,-32 -march=i486 -ffreestanding -fno-stack-protector -fno-pie -I/home/inaddy/work3/qemu/include -c -o multiboot.o /home/inaddy/work3/qemu/pc-bios/optionrom/multiboot.S
cc: error: unrecognized argument in option ‘-march=i486’
cc: note: valid arguments to ‘-march=’ are: arch10 arch11 arch12 arch3 arch5 arch6 arch7 arch8 arch9 g5 g6 native z10
z13 z14 z196 z9-109 z9-ec z900 z990 zEC12
cc: error: unrecognized argument in option ‘-march=i486’
cc: note: valid arguments to ‘-march=’ are: arch10 arch11 arch12 arch3 arch5 arch6 arch7 arch8 arch9 g5 g6 native z10
z13 z14 z196 z9-109 z9-ec z900 z990 zEC12
cc: error: unrecognized argument in option ‘-march=i486’
cc: error: unrecognized argument in option ‘-march=i486’
cc: note: valid arguments to ‘-march=’ are: arch10 arch11 arch12 arch3 arch5 arch6 arch7 arch8 arch9 g5 g6 native z10
z13 z14 z196 z9-109 z9-ec z900 z990 zEC12
cc: note: valid arguments to ‘-march=’ are: arch10 arch11 arch12 arch3 arch5 arch6 arch7 arch8 arch9 g5 g6 native z10
z13 z14 z196 z9-109 z9-ec z900 z990 zEC12
cc: error: unrecognized command line option ‘-m16’
make[1]: *** [/home/inaddy/work3/qemu/debian/optionrom.mak:13: kvmvapic.o] Error 1
make[1]: *** Waiting for unfinished jobs....
cc: error: unrecognized command line option ‘-m16’
make[1]: *** [/home/inaddy/work3/qemu/debian/optionrom.mak:13: linuxboot.o] Error 1
cc: error: unrecognized command line option ‘-m16’
cc: error: unrecognized command line option ‘-m16’

Looks like it comes from build-indep:

# x86 optionrom (will use arch local config by default)
    ${MAKE} -f ${CURDIR}/debian/optionrom.mak -C ${CURDIR}/b/fw SRC_PATH=${CURDIR}

And optionrom.mak tries to optimize to x86 and use its flags in s390x.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index a5ac97a..f663282 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+qemu (1:3.1+dfsg-2ubuntu3.3) disco; urgency=medium
8+ * d/p/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch:
9+ tolerate guests with secure boot loaders (LP: #1830243)
11+ -- Christian Ehrhardt <> Thu, 04 Jul 2019 14:47:56 +0200
13 qemu (1:3.1+dfsg-2ubuntu3.2) disco; urgency=medium
15 * d/p/ubuntu/define-ubuntu-machine-types.patch: fix wily machine type being
16diff --git a/debian/patches/series b/debian/patches/series
17index 4f779f5..c258211 100644
18--- a/debian/patches/series
19+++ b/debian/patches/series
20@@ -25,3 +25,4 @@ ubuntu/CVE-2018-20815.patch
21 ubuntu/CVE-2019-5008.patch
22 ubuntu/CVE-2019-9824.patch
23 ubuntu/lp-1830704-s390x-cpumodel-ignore-csske-for-expansion.patch
25diff --git a/debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch b/debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch
26new file mode 100644
27index 0000000..7a24fbb
28--- /dev/null
29+++ b/debian/patches/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch
30@@ -0,0 +1,92 @@
31+From 2497b4a3c08426122d1a89b808c669a734469e5a Mon Sep 17 00:00:00 2001
32+From: "Jason J. Herne" <>
33+Date: Mon, 29 Apr 2019 09:09:41 -0400
34+Subject: [PATCH] s390-bios: Skip bootmap signature entries
36+Newer versions of zipl have the ability to write signature entries to the boot
37+script for secure boot. We don't yet support secure boot, but we need to skip
38+over signature entries while reading the boot script in order to maintain our
39+ability to boot guest operating systems that have a secure bootloader.
41+Signed-off-by: Jason J. Herne <>
42+Reviewed-by: Farhan Ali <>
43+Message-Id: <>
44+Signed-off-by: Thomas Huth <>
46+Origin: upstream,;a=commit;h=2497b4a3
48+Last-Update: 2019-07-04
51+ pc-bios/s390-ccw/bootmap.c | 19 +++++++++++++++++--
52+ pc-bios/s390-ccw/bootmap.h | 10 ++++++----
53+ 2 files changed, 23 insertions(+), 6 deletions(-)
55+diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
56+index 7aef65ab67..d13b7cbd15 100644
57+--- a/pc-bios/s390-ccw/bootmap.c
58++++ b/pc-bios/s390-ccw/bootmap.c
59+@@ -254,7 +254,14 @@ static void run_eckd_boot_script(block_number_t bmt_block_nr,
60+ memset(sec, FREE_SPACE_FILLER, sizeof(sec));
61+ read_block(block_nr, sec, "Cannot read Boot Map Script");
63+- for (i = 0; bms->entry[i].type == BOOT_SCRIPT_LOAD; i++) {
64++ for (i = 0; bms->entry[i].type == BOOT_SCRIPT_LOAD ||
65++ bms->entry[i].type == BOOT_SCRIPT_SIGNATURE; i++) {
67++ /* We don't support secure boot yet, so we skip signature entries */
68++ if (bms->entry[i].type == BOOT_SCRIPT_SIGNATURE) {
69++ continue;
70++ }
72+ address = bms->entry[i].address.load_address;
73+ block_nr = eckd_block_num(&bms->entry[i].blkptr.xeckd.bptr.chs);
75+@@ -489,7 +496,15 @@ static void zipl_run(ScsiBlockPtr *pte)
77+ /* Load image(s) into RAM */
78+ entry = (ComponentEntry *)(&header[1]);
79+- while (entry->component_type == ZIPL_COMP_ENTRY_LOAD) {
80++ while (entry->component_type == ZIPL_COMP_ENTRY_LOAD ||
81++ entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) {
83++ /* We don't support secure boot yet, so we skip signature entries */
84++ if (entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) {
85++ entry++;
86++ continue;
87++ }
89+ zipl_load_segment(entry);
91+ entry++;
92+diff --git a/pc-bios/s390-ccw/bootmap.h b/pc-bios/s390-ccw/bootmap.h
93+index a085212077..94f53a5f1e 100644
94+--- a/pc-bios/s390-ccw/bootmap.h
95++++ b/pc-bios/s390-ccw/bootmap.h
96+@@ -98,8 +98,9 @@ typedef struct ScsiMbr {
97+ #define ZIPL_COMP_HEADER_IPL 0x00
98+ #define ZIPL_COMP_HEADER_DUMP 0x01
100+-#define ZIPL_COMP_ENTRY_LOAD 0x02
101+-#define ZIPL_COMP_ENTRY_EXEC 0x01
102++#define ZIPL_COMP_ENTRY_EXEC 0x01
103++#define ZIPL_COMP_ENTRY_LOAD 0x02
106+ typedef struct XEckdMbr {
107+ uint8_t magic[4]; /* == "xIPL" */
108+@@ -117,8 +118,9 @@ typedef struct BootMapScriptEntry {
109+ BootMapPointer blkptr;
110+ uint8_t pad[7];
111+ uint8_t type; /* == BOOT_SCRIPT_* */
112+-#define BOOT_SCRIPT_EXEC 0x01
113+-#define BOOT_SCRIPT_LOAD 0x02
114++#define BOOT_SCRIPT_EXEC 0x01
115++#define BOOT_SCRIPT_LOAD 0x02
116++#define BOOT_SCRIPT_SIGNATURE 0x03
117+ union {
118+ uint64_t load_address;
119+ uint64_t load_psw;


People subscribed via source and target branches