debcrafters-packages team mailing list archive
-
debcrafters-packages team
-
Mailing list archive
-
Message #06061
[Bug 2118762] Re: [UBUNTU 25.04] genprotimg fails on Ubuntu 25.04
Thank you Nick, I now rebuild the packages with
-v2.37.0-0ubuntu2 (plucky)
respectively
-v2.31.0-0ubuntu5.1 (noble)
to include the changelog entries of the version that are currently in -proposed into the .changes file
and re-uploaded.
New version (of s390-tools and s390-tools-signed) are now in unapproved queue:
https://launchpad.net/ubuntu/plucky/+queue?queue_state=1&queue_text=s390-tools
https://launchpad.net/ubuntu/noble/+queue?queue_state=1&queue_text=s390-tools
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to s390-tools in Ubuntu.
https://bugs.launchpad.net/bugs/2118762
Title:
[UBUNTU 25.04] genprotimg fails on Ubuntu 25.04
Status in Ubuntu on IBM z Systems:
In Progress
Status in s390-tools package in Ubuntu:
Fix Released
Status in s390-tools-signed package in Ubuntu:
Fix Released
Status in s390-tools source package in Plucky:
Triaged
Status in s390-tools-signed source package in Plucky:
Triaged
Status in s390-tools source package in Questing:
Fix Released
Status in s390-tools-signed source package in Questing:
Fix Released
Bug description:
SRU Justification:
[ Impact ]
* Starting with Ubuntu Server 25.04 genprotimg (part of s390-tools 2.37.0)
fails with:
"error: Cannot read stage3a at /usr/share/s390-tools/pvimg/stage3a.bin"
* However, the needed file is located /usr/share/s390-tools/pvimg/boot,
so just in the wrong folder.
The genprotimg tool expects them 'one up' in /usr/share/s390-tools/pvimg,
the same folder where the genprotimg tool itself is located in.
* Prior to 25.04 the Makefile build and placed the stage3*.bin files at
/usr/share/s390-tools/pvimg/ and the debian helper installed it in the
same folder.
* With s390-tools 2.37.0 the Makefile builds them in
/usr/share/s390-tools/pvimg/boot
hence installing them there (in the same folder) is no longer correct.
* The solution is simply to move them again one up
(or let's better say: explicitly install them to the correct folder)
using/modifying d/s390-tools-data.install.
[ Test Plan ]
* An Ubuntu Server 25.04 installation with s390-tools installed is
required.
* A (dummy) host key is needed - which can be for example obtained by IBM.
Here assuming it's named HKD.crt and placed in the user's home directory.
* On a system without the package modification (that is discussed here),
means with having the stage3* files in /usr/share/s390-tools/pvimg/boot),
the genprotimg tool will fail with the the error that was reported:
$ genprotimg --kernel /boot/vmlinuz-$(uname -r) --output se.img -k ~/HKD.crt --no-verify
Host-key document verification is disabled. \
The Secure Execution image may not be protected.
error: Cannot read stage3a at `/usr/share/s390-tools/pvimg/stage3a.bin`
* However, on a system with the updated package installed,
means with having the stage3* files in /usr/share/s390-tools/pvimg),
the genprotimg tool will successfully work:
$ genprotimg --kernel /boot/-$(uname -r) --output se.img -k ~/HKD.crt --no-verify
Host-key document verification is disabled. \
The Secure Execution image may not be protected.
Successfully generated the Secure Execution image.
* This is a step of the creation of secure execution images for s390x
(confidential computing).
The entire end-to-end setup for secure execution is described here
in more detail, also uses Ubuntu Server as an example:
https://www.ibm.com/docs/en/linuxonibm/pdf/lx24se04.pdf
(esp. genprotimg, page 60ff)
[ Where problems could occur ]
* The s390-tools code itself was not touched,
just the packaging meta data d/s390-tools-data.install file.
* Since this issue is in plucky only, an interim release,
but the vast majority of secure execution use cases is on LTS releases,
not many users will be affected.
* And if a user is affected, the obvious solution/workaround is to
either copy or link the needed, files,
so that they can be found by genprotimg.
And that is exactly what the modification here does.
* However, regressions and issues could have been introduced:
in case the syntax in the d/s390-tools-data.install file is wrong,
or it has wrong permissions
or is not properly recognized and/or evaluated (for whatever reason)
in the Debian package build process.
To mitigate this a test build in PPA was done.
* Since the files were always in the same folder than the genprotimg tool,
they should also be there in plucky.
[ Other Info ]
* The modification has already landed in questing.
* With that, other than plucky, no other Ubuntu release is affected.
__________
---Problem Description---
On Ubuntu 25.04 genprotimg fails with error: Cannot read stage3a at /usr/share/s390-tools/pvimg/stage3a.bin
The file is located /usr/share/s390-tools/pvimg/boot however
Machine Type = n/a
---Debugger---
A debugger is not configured
---Steps to Reproduce---
install s390-tools, try to use genprotimg
---uname output---
n/a
Userspace rpm: s390-tools
Userspace tool common name: genprotimg
Userspace tool obtained from project website: na
The userspace tool has the following bit modes: both
*Additional Instructions for d.herrendoerfer@xxxxxxxxxx:
-Attach ltrace and strace of userspace application.
== Comment by <MHartmay@xxxxxxxxxx> =========
The issue is with the packager, see
https://git.launchpad.net/ubuntu/+source/s390-tools/tree/debian/s390-tools-
data.install?h=ubuntu/plucky
Instead of what is expected '.../pvimg/', Ubuntu installs the file to
the path '.../pvimg/boot/'.
So the s390-tools-data.install file needs to be changed from
```
rust/pvimg/boot/stage3a.bin usr/share/s390-tools/pvimg/boot/
rust/pvimg/boot/stage3b_reloc.bin usr/share/s390-tools/pvimg/boot/
```
to
```
rust/pvimg/boot/stage3a.bin usr/share/s390-tools/pvimg/
rust/pvimg/boot/stage3b_reloc.bin usr/share/s390-tools/pvimg/
```
FYI, I've already talked to Frank.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2118762/+subscriptions
