group.of.nepali.translators team mailing list archive

[Bug 1830243] Re: [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu

 

This bug was fixed in the package qemu - 1:3.1+dfsg-2ubuntu3.3

---------------
qemu (1:3.1+dfsg-2ubuntu3.3) disco; urgency=medium

  [ Christian Ehrhardt ]
  * d/p/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch:
    tolerate guests with secure boot loaders (LP: #1830243)

  [ Rafael David Tinoco ]
  * {Ice,Cascade}Lake CPUs IA32_ARCH_CAPABILITIES support (LP: #1828495)
    Needed patches are in d/p/u/lp1828495-:
    - 0011-disable-arch-cap-when-no-msr.patch (LP: #1828495):
      i386: kvm: Disable arch_capabilities if MSR can't be set
    - 0012-arch-capabilities-migratable.patch (LP: #1828495):
      i386: Make arch_capabilities migratable
    - 0014-remove-cpuid-pconfig.patch
      i386: remove the new CPUID 'PCONFIG' from Icelake-Server CPU model
    - 0015-remove-cpuid-intel_pt.patch
      i386: remove the 'INTEL_PT' CPUID bit from named CPU models
    - 0016-no-ospke-on-some.patch (LP: #1828495):
      i386: Disable OSPKE on CPU model definitions

 -- Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>  Thu, 04 Jul 2019 14:47:56 +0200

** Changed in: qemu (Ubuntu Disco)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1830243

Title:
  [19.10 FEAT] KVM: Secure Linux Boot Toleration - qemu

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in qemu package in Ubuntu:
  Fix Released
Status in qemu source package in Xenial:
  Fix Released
Status in qemu source package in Bionic:
  Fix Committed
Status in qemu source package in Cosmic:
  Won't Fix
Status in qemu source package in Disco:
  Fix Released
Status in qemu source package in Eoan:
  Fix Released

Bug description:
  [Impact]

   * s390x is about to add secure boot features which are implemented by a 
     new IPL section

   * Older qemu bootloaders for s390x will stumble over that IPL section and 
     be unable to boot.

   * Backport the changes from upstream that make qemu tolerate those 
     sections (not the new feature of secure boot, just the avoidance of the 
     guest crash on boot)

  [Test Case]

   * Take a signed kernel on s390x (either the one from xnox in comment #19 
     or use signtool to create one)
   * Install that kernel in a guest of the qemu that is to be tested
   * Run zipl with --secure 1 to write a secure boot section for sure
   * With an unpatched qemu this would now fail to boot again
   * Install the update to qemu and boot the guest; by skipping the
     "tolerated, but not supported" new section, it works again.

  [Regression Potential]

   * If any of the checks goes wrong we might affect booting of guests in a
     negative way. For example, it might no longer start or might load a
     wrong kernel. But since the IPL records written by `zipl` are clearly
     specified, that should hopefully not be the case here. The code added
     clearly only skips an additional section that didn't exist before.

  [Other Info]
   
   * n/a

  ---

  Secure boot enablement KVM.
  Will be made available with qemu 4.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1830243/+subscriptions