debcrafters-packages team mailing list archive
Message #05968
[Bug 2118762] Re: [UBUNTU 25.04] genprotimg fails on Ubuntu 25.04
Hi Timo, I am sorry, I forgot to copy my notes of the SRU justification from my draft doc to this LP bug - when I was in a hurry and leaving for vacation.
The SRU template can now be found (filled out) in the bug description ...
** Description changed:
+ SRU Justification:
+
+ [ Impact ]
+
+ * Starting with Ubuntu Server 25.04 genprotimg (part of s390-tools 2.37.0)
+ fails with:
+ "error: Cannot read stage3a at /usr/share/s390-tools/pvimg/stage3a.bin"
+
+ * However, the needed file is located /usr/share/s390-tools/pvimg/boot,
+ so just in the wrong folder.
+ The genprotimg tool expects them 'one up' in /usr/share/s390-tools/pvimg,
+ the same folder where the genprotimg tool itself is located in.
+
+ * Prior to 25.04 the Makefile build and placed the stage3*.bin files at
+ /usr/share/s390-tools/pvimg/ and the debian helper installed it in the
+ same folder.
+
+ * With s390-tools 2.37.0 the Makefile builds them in
+ /usr/share/s390-tools/pvimg/boot
+ hence installing them there (in the same folder) is no longer correct.
+
+ * The solution is simply to move them again one up
+ (or let's better say: explicitly install them to the correct folder)
+ using/modifying d/s390-tools-data.install.
+
+ [ Test Plan ]
+
+ * An Ubuntu Server 25.04 installation with s390-tools installed is
+ required.
+
+ * A (dummy) host key is needed - which can be for example obtained by IBM.
+ Here assuming it's named HKD.crt and placed in the user's home directory.
+
+ * On a system without the package modification (that is discussed here),
+ means with having the stage3* files in /usr/share/s390-tools/pvimg/boot),
+ the genprotimg tool will fail with the the error that was reported:
+ $ genprotimg --kernel /boot/vmlinuz-$(uname -r) --output se.img -k ~/HKD.crt --no-verify
+ Host-key document verification is disabled. \
+ The Secure Execution image may not be protected.
+ error: Cannot read stage3a at `/usr/share/s390-tools/pvimg/stage3a.bin`
+
+ * However, on a system with the updated package installed,
+ means with having the stage3* files in /usr/share/s390-tools/pvimg),
+ the genprotimg tool will successfully work:
+ $ genprotimg --kernel /boot/-$(uname -r) --output se.img -k ~/HKD.crt --no-verify
+ Host-key document verification is disabled. \
+ The Secure Execution image may not be protected.
+ Successfully generated the Secure Execution image.
+
+ * This is a step of the creation of secure execution images for s390x
+ (confidential computing).
+ The entire end-to-end setup for secure execution is described here
+ in more detail, also uses Ubuntu Server as an example:
+ https://www.ibm.com/docs/en/linuxonibm/pdf/lx24se04.pdf
+ (esp. genprotimg, page 60ff)
+
+ [ Where problems could occur ]
+
+ * The s390-tools code itself was not touched,
+ just the packaging meta data d/s390-tools-data.install file.
+
+ * Since this issue is in plucky only, an interim release,
+ but the vast majority of secure execution use cases is on LTS releases,
+ not many users will be affected.
+
+ * And if a user is affected, the obvious solution/workaround is to
+ either copy or link the needed, files,
+ so that they can be found by genprotimg.
+ And that is exactly what the modification here does.
+
+ * However, regressions and issues could have been introduced:
+ in case the syntax in the d/s390-tools-data.install file is wrong,
+ or it has wrong permissions
+ or is not properly recognized and/or evaluated (for whatever reason)
+ in the Debian package build process.
+ To mitigate this a test build in PPA was done.
+
+ * Since the files were always in the same folder than the genprotimg tool,
+ they should also be there in plucky.
+
+ [ Other Info ]
+
+ * The modification has already landed in questing.
+
+ * With that, other than plucky, no other Ubuntu release is affected.
+ __________
+
---Problem Description---
On Ubuntu 25.04 genprotimg fails with error: Cannot read stage3a at /usr/share/s390-tools/pvimg/stage3a.bin
The file is located /usr/share/s390-tools/pvimg/boot however
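Review bot: In the added [ Test Plan ], the success-case command passes "--kernel /boot/-$(uname -r)" while the failure-case command passes "--kernel /boot/vmlinuz-$(uname -r)"; the "vmlinuz" prefix appears to have been dropped, so the two runs do not use the same kernel path. Suggest making both invocations identical so that the only difference between the failing and the passing run is the location of the stage3* files. The same section has a duplicated word in "fail with the the error", and because both runs use --no-verify, the plan only confirms that the stage3 files are found, not that host-key document verification works; a line saying so would help whoever performs the SRU verification.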
-
- Machine Type = n/a
-
+
+ Machine Type = n/a
+
---Debugger---
A debugger is not configured
-
-
+
---Steps to Reproduce---
- install s390-tools, try to use genprotimg
-
+ install s390-tools, try to use genprotimg
+
---uname output---
n/a
- Userspace rpm: s390-tools
-
- Userspace tool common name: genprotimg
+ Userspace rpm: s390-tools
- Userspace tool obtained from project website: na
-
- The userspace tool has the following bit modes: both
-
+ Userspace tool common name: genprotimg
+
+ Userspace tool obtained from project website: na
+
+ The userspace tool has the following bit modes: both
+
*Additional Instructions for d.herrendoerfer@xxxxxxxxxx:
-Attach ltrace and strace of userspace application.
-
== Comment by <MHartmay@xxxxxxxxxx> =========
The issue is with the packager, see
https://git.launchpad.net/ubuntu/+source/s390-tools/tree/debian/s390-tools-
data.install?h=ubuntu/plucky
Instead of what is expected '.../pvimg/', Ubuntu installs the file to
the path '.../pvimg/boot/'.
So the s390-tools-data.install file needs to be changed from
```
rust/pvimg/boot/stage3a.bin usr/share/s390-tools/pvimg/boot/
rust/pvimg/boot/stage3b_reloc.bin usr/share/s390-tools/pvimg/boot/
```
to
```
rust/pvimg/boot/stage3a.bin usr/share/s390-tools/pvimg/
rust/pvimg/boot/stage3b_reloc.bin usr/share/s390-tools/pvimg/
```
FYI, I've already talked to Frank.
https://bugs.launchpad.net/bugs/2118762
Title:
  [UBUNTU 25.04] genprotimg fails on Ubuntu 25.04

Status in Ubuntu on IBM z Systems:
  In Progress
Status in s390-tools package in Ubuntu:
  Fix Released
Status in s390-tools-signed package in Ubuntu:
  Fix Released
Status in s390-tools source package in Plucky:
  Triaged
Status in s390-tools-signed source package in Plucky:
  Triaged
Status in s390-tools source package in Questing:
  Fix Released
Status in s390-tools-signed source package in Questing:
  Fix Released
Bug description:
SRU Justification:

[ Impact ]

 * Starting with Ubuntu Server 25.04 genprotimg (part of s390-tools 2.37.0)
   fails with:
   "error: Cannot read stage3a at /usr/share/s390-tools/pvimg/stage3a.bin"

 * However, the needed file is located in /usr/share/s390-tools/pvimg/boot,
   so just in the wrong folder.
   The genprotimg tool expects them 'one up' in /usr/share/s390-tools/pvimg,
   the same folder where the genprotimg tool itself is located in.

 * Prior to 25.04 the Makefile built and placed the stage3*.bin files at
   /usr/share/s390-tools/pvimg/ and the debian helper installed it in the
   same folder.

 * With s390-tools 2.37.0 the Makefile builds them in
   /usr/share/s390-tools/pvimg/boot
   hence installing them there (in the same folder) is no longer correct.

 * The solution is simply to move them again one up
   (or let's better say: explicitly install them to the correct folder)
   using/modifying d/s390-tools-data.install.

[ Test Plan ]

 * An Ubuntu Server 25.04 installation with s390-tools installed is
   required.

 * A (dummy) host key is needed - which can be for example obtained by IBM.
   Here assuming it's named HKD.crt and placed in the user's home directory.

 * On a system without the package modification (that is discussed here),
   (means with having the stage3* files in /usr/share/s390-tools/pvimg/boot),
   the genprotimg tool will fail with the error that was reported:
   $ genprotimg --kernel /boot/vmlinuz-$(uname -r) --output se.img -k ~/HKD.crt --no-verify
   Host-key document verification is disabled. \
   The Secure Execution image may not be protected.
   error: Cannot read stage3a at `/usr/share/s390-tools/pvimg/stage3a.bin`

 * However, on a system with the updated package installed,
   (means with having the stage3* files in /usr/share/s390-tools/pvimg),
   the genprotimg tool will successfully work:
   $ genprotimg --kernel /boot/vmlinuz-$(uname -r) --output se.img -k ~/HKD.crt --no-verify
   Host-key document verification is disabled. \
   The Secure Execution image may not be protected.
   Successfully generated the Secure Execution image.

 * This is a step of the creation of secure execution images for s390x
   (confidential computing).
   The entire end-to-end setup for secure execution is described here
   in more detail, also uses Ubuntu Server as an example:
   https://www.ibm.com/docs/en/linuxonibm/pdf/lx24se04.pdf
   (esp. genprotimg, page 60ff)

[ Where problems could occur ]

 * The s390-tools code itself was not touched,
   just the packaging meta data d/s390-tools-data.install file.

 * Since this issue is in plucky only, an interim release,
   but the vast majority of secure execution use cases is on LTS releases,
   not many users will be affected.

 * And if a user is affected, the obvious solution/workaround is to
   either copy or link the needed files,
   so that they can be found by genprotimg.
   And that is exactly what the modification here does.

 * However, regressions and issues could have been introduced:
   in case the syntax in the d/s390-tools-data.install file is wrong,
   or it has wrong permissions
   or is not properly recognized and/or evaluated (for whatever reason)
   in the Debian package build process.
   To mitigate this a test build in PPA was done.

 * Since the files were always in the same folder as the genprotimg tool,
   they should also be there in plucky.

[ Other Info ]

 * The modification has already landed in questing.

 * With that, other than plucky, no other Ubuntu release is affected.
__________
---Problem Description---
On Ubuntu 25.04 genprotimg fails with error: Cannot read stage3a at /usr/share/s390-tools/pvimg/stage3a.bin
The file is located /usr/share/s390-tools/pvimg/boot however
Machine Type = n/a
---Debugger---
A debugger is not configured
---Steps to Reproduce---
install s390-tools, try to use genprotimg
---uname output---
n/a
Userspace rpm: s390-tools
Userspace tool common name: genprotimg
Userspace tool obtained from project website: na
The userspace tool has the following bit modes: both
*Additional Instructions for d.herrendoerfer@xxxxxxxxxx:
-Attach ltrace and strace of userspace application.
== Comment by <MHartmay@xxxxxxxxxx> =========
The issue is with the packager, see
https://git.launchpad.net/ubuntu/+source/s390-tools/tree/debian/s390-tools-data.install?h=ubuntu/plucky
Instead of what is expected '.../pvimg/', Ubuntu installs the file to
the path '.../pvimg/boot/'.
So the s390-tools-data.install file needs to be changed from
```
rust/pvimg/boot/stage3a.bin usr/share/s390-tools/pvimg/boot/
rust/pvimg/boot/stage3b_reloc.bin usr/share/s390-tools/pvimg/boot/
```
to
```
rust/pvimg/boot/stage3a.bin usr/share/s390-tools/pvimg/
rust/pvimg/boot/stage3b_reloc.bin usr/share/s390-tools/pvimg/
```
FYI, I've already talked to Frank.
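A regression check for the packaging change discussed in this bug, as an added example that is not part of the original report or of the s390-tools packaging: it reads a debhelper `.install` file and fails unless both stage3 blobs are installed into the directory genprotimg reads them from. The function names and the temporary sample files are assumptions made for illustration; the sample contents are constructed from the two variants of `s390-tools-data.install` quoted in the report.

```sh
# Added example: blob names and EXPECTED_DIR are taken from the bug report above.
EXPECTED_DIR="usr/share/s390-tools/pvimg"

# Print "<blob> <destination-dir>" for each stage3 blob the file installs.
# Lines are "source... dest-dir"; a single-field line is treated as installing
# into the directory part of its own path (dh_install's automatic destination).
stage3_destinations() {
    file=$1
    while read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f          # split fields without globbing
        if [ "$#" -eq 1 ]; then
            dest=$(dirname "$1")
        else
            for dest in "$@"; do :; done      # last field is the destination
        fi
        for src in "$@"; do
            [ "$#" -gt 1 ] && [ "$src" = "$dest" ] && continue
            case "$(basename "$src")" in
                stage3a.bin|stage3b_reloc.bin) echo "$(basename "$src") ${dest%/}" ;;
            esac
        done
    done < "$file"
}

# Return 0 only if both blobs are installed, and only into EXPECTED_DIR.
check_install_file() {
    dests=$(stage3_destinations "$1")
    rc=0
    for blob in stage3a.bin stage3b_reloc.bin; do
        got=$(printf '%s\n' "$dests" | awk -v b="$blob" '$1 == b { print $2 }')
        if [ "$got" != "$EXPECTED_DIR" ]; then
            echo "FAIL: $blob -> ${got:-<not installed>} (want $EXPECTED_DIR)"
            rc=1
        else
            echo "ok:   $blob -> $got"
        fi
    done
    return "$rc"
}

# Constructed inputs: the "before" and "after" install files quoted in the bug.
tmp=$(mktemp -d); up=rust/pvimg/boot
printf '%s\n' "$up/stage3a.bin $EXPECTED_DIR/boot/" \
    "$up/stage3b_reloc.bin $EXPECTED_DIR/boot/" > "$tmp/plucky.install"
printf '%s\n' "$up/stage3a.bin $EXPECTED_DIR/" \
    "$up/stage3b_reloc.bin $EXPECTED_DIR/" > "$tmp/fixed.install"
check_install_file "$tmp/plucky.install" || echo "plucky layout rejected"
check_install_file "$tmp/fixed.install" && echo "fixed layout accepted"
```

Run against the real `debian/s390-tools-data.install` in a source tree, the same function can gate a test build before upload.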