group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1830243@xxxxxxxxxxxxxxxxxx>
Date: Tue, 30 Jul 2019 15:55:07 -0000
Reply-to: Bug 1830243 <1830243@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package qemu - 1:2.5+dfsg-5ubuntu10.41

---------------
qemu (1:2.5+dfsg-5ubuntu10.41) xenial; urgency=medium

  * d/p/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch:
    tolerate guests with secure boot loaders (LP: #1830243)

 -- Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>  Thu, 04 Jul
2019 14:47:56 +0200

** Changed in: qemu (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1830243

Title:
  [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in qemu package in Ubuntu:
  Fix Released
Status in qemu source package in Xenial:
  Fix Released
Status in qemu source package in Bionic:
  Fix Committed
Status in qemu source package in Cosmic:
  Won't Fix
Status in qemu source package in Disco:
  Fix Committed
Status in qemu source package in Eoan:
  Fix Released

Bug description:
  [Impact]

   * s390x is about to add secure boot features which are implemented by a 
     new IPL section

   * Older qemu bootloaders for s390x will stumble over that IPL section and 
     be unable to boot.

   * Backport the changes from upstream that make qemu tolerate those 
     sections (not the new feature of secure boot, just the avoidance of the 
     guest crash on boot)

  [Test Case]

   * Take a signed kernel on s390x (either the one from xnox in comment #19 
     or use signtool to create one)
   * Install that kernel in a guest of the qemu that is to be tested
   * Run zipl with --secure 1 to write a secure boot section for sure
   * With an unpatched qemu this would now fail to boot again
   * Install the update to qemu and boot the guest, by skipping the 
     "tolerated, but not supported" new section it works again.

  [Regression Potential]

   * If any of the checks goes wrong we might affect booting of guests in a 
     negative way. For example it might no more start or load a wrong 
     kernel. But since the IPL records written by `zipl` are clearly 
     specified that should hopefully not be the case here. The code added 
     clearly only skips an additional section that didn't exist before.

  [Other Info]
   
   * n/a

  ---

  Secure boot enablement KVM.
  Will be made available with qemu 4.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions