Message ID | 20190716000203.15174-1-xnox@ubuntu.com |
---|---|
State | New |
Series | [EOAN] UBUNTU: [Config] enable secureboot signing on s390x | expand |
On Tue, Jul 16, 2019 at 01:02:04AM +0100, Dimitri John Ledkov wrote: > Bug-Link: https://bugs.launchpad.net/bugs/1829749 > > Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> Looks good to me, would like to have Andy look this over too. Is support for signing the .sipl files already in launchpad? Thanks, Seth
On Wed, 17 Jul 2019 at 20:08, Seth Forshee <seth.forshee@canonical.com> wrote: > > On Tue, Jul 16, 2019 at 01:02:04AM +0100, Dimitri John Ledkov wrote: > > Bug-Link: https://bugs.launchpad.net/bugs/1829749 > > > > Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> > > Looks good to me, would like to have Andy look this over too. > > Is support for signing the .sipl files already in launchpad? > It is, and the correct production signing key is in place on the Ubuntu primary archive too. See statuses on https://bugs.launchpad.net/launchpad/+bug/1829749 ie. https://code.launchpad.net/~apw/launchpad/signing-sipl/+merge/368275 is merged and deployed.
On Tue, Jul 16, 2019 at 01:02:04AM +0100, Dimitri John Ledkov wrote: > Bug-Link: https://bugs.launchpad.net/bugs/1829749 > > Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> > --- > debian.master/rules.d/s390x.mk | 2 +- > debian/rules | 2 +- > debian/rules.d/1-maintainer.mk | 1 + > debian/rules.d/2-binary-arch.mk | 5 +++++ > 4 files changed, 8 insertions(+), 2 deletions(-) > > diff --git a/debian.master/rules.d/s390x.mk b/debian.master/rules.d/s390x.mk > index dad66b1a674f..14e58db17d27 100644 > --- a/debian.master/rules.d/s390x.mk > +++ b/debian.master/rules.d/s390x.mk > @@ -11,7 +11,7 @@ vdso = vdso_install > no_dumpfile = true > > do_extras_package = true > - > +sipl_signed = true > do_tools_usbip = true > do_tools_cpupower = true > do_tools_perf = true > diff --git a/debian/rules b/debian/rules > index 0953195f5ab1..80205f30b265 100755 > --- a/debian/rules > +++ b/debian/rules > @@ -49,7 +49,7 @@ ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH)) > endif > > # Are any of the kernel signing options enabled. > -any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed))) > +any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed))) > ifeq ($(any_signed),true) > bin_pkg_name=$(bin_pkg_name_unsigned) > else > diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk > index e71bf3c281ef..efc5e50841c9 100644 > --- a/debian/rules.d/1-maintainer.mk > +++ b/debian/rules.d/1-maintainer.mk > @@ -92,6 +92,7 @@ printenv: > @echo "any_signed = $(any_signed)" > @echo " uefi_signed = $(uefi_signed)" > @echo " opal_signed = $(opal_signed)" > + @echo " sipl_signed = $(sipl_signed)" > @echo "full_build = $(full_build)" > @echo "libc_dev_version = $(libc_dev_version)" > @echo "DEB_HOST_GNU_TYPE = $(DEB_HOST_GNU_TYPE)" > diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk > index f3ab06748cf6..083b64772439 100644 > --- a/debian/rules.d/2-binary-arch.mk > +++ b/debian/rules.d/2-binary-arch.mk 
> @@ -151,6 +151,11 @@ ifeq ($(opal_signed),true) > cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \ > $(signingv)/$(instfile)-$(abi_release)-$*.opal; > endif > +ifeq ($(sipl_signed),true) > + install -d $(signingv) > + cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \ > + $(signingv)/$(instfile)-$(abi_release)-$*.sipl; > +endif > > install -d $(pkgdir)/boot > install -m644 $(builddir)/build-$*/.config \ > -- > 2.20.1 Looks in the ball-park. Acked-by: Andy Whitcroft <apw@canonical.com> Was there something we were waiting for before allowing the kernel to be signed, making sure it was appropriately locked down as is done in x86 I think. Xnox has that landed? -apw
On Thu, 18 Jul 2019 at 15:32, Andy Whitcroft <apw@canonical.com> wrote: > > On Tue, Jul 16, 2019 at 01:02:04AM +0100, Dimitri John Ledkov wrote: > > Bug-Link: https://bugs.launchpad.net/bugs/1829749 > > > > Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> > > --- > > debian.master/rules.d/s390x.mk | 2 +- > > debian/rules | 2 +- > > debian/rules.d/1-maintainer.mk | 1 + > > debian/rules.d/2-binary-arch.mk | 5 +++++ > > 4 files changed, 8 insertions(+), 2 deletions(-) > > > > diff --git a/debian.master/rules.d/s390x.mk b/debian.master/rules.d/s390x.mk > > index dad66b1a674f..14e58db17d27 100644 > > --- a/debian.master/rules.d/s390x.mk > > +++ b/debian.master/rules.d/s390x.mk > > @@ -11,7 +11,7 @@ vdso = vdso_install > > no_dumpfile = true > > > > do_extras_package = true > > - > > +sipl_signed = true > > do_tools_usbip = true > > do_tools_cpupower = true > > do_tools_perf = true > > diff --git a/debian/rules b/debian/rules > > index 0953195f5ab1..80205f30b265 100755 > > --- a/debian/rules > > +++ b/debian/rules > > @@ -49,7 +49,7 @@ ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH)) > > endif > > > > # Are any of the kernel signing options enabled. > > -any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed))) > > +any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed))) > > ifeq ($(any_signed),true) > > bin_pkg_name=$(bin_pkg_name_unsigned) > > else > > diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk > > index e71bf3c281ef..efc5e50841c9 100644 > > --- a/debian/rules.d/1-maintainer.mk > > +++ b/debian/rules.d/1-maintainer.mk > > @@ -92,6 +92,7 @@ printenv: > > @echo "any_signed = $(any_signed)" > > @echo " uefi_signed = $(uefi_signed)" > > @echo " opal_signed = $(opal_signed)" > > + @echo " sipl_signed = $(sipl_signed)" > > @echo "full_build = $(full_build)" > > @echo "libc_dev_version = $(libc_dev_version)" > > @echo "DEB_HOST_GNU_TYPE = $(DEB_HOST_GNU_TYPE)" 
> > diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk > > index f3ab06748cf6..083b64772439 100644 > > --- a/debian/rules.d/2-binary-arch.mk > > +++ b/debian/rules.d/2-binary-arch.mk > > @@ -151,6 +151,11 @@ ifeq ($(opal_signed),true) > > cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \ > > $(signingv)/$(instfile)-$(abi_release)-$*.opal; > > endif > > +ifeq ($(sipl_signed),true) > > + install -d $(signingv) > > + cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \ > > + $(signingv)/$(instfile)-$(abi_release)-$*.sipl; > > +endif > > > > install -d $(pkgdir)/boot > > install -m644 $(builddir)/build-$*/.config \ > > -- > > 2.20.1 > > Looks in the ball-park. > > Acked-by: Andy Whitcroft <apw@canonical.com> > > Was there something we were waiting for before allowing the kernel to be > signed, making sure it was appropriately locked down as is done in x86 I > think. Xnox has that landed? > > -apw As discussed on IRC, there is currently no appropriate lockdown of the kind done on x86. A case has been opened with IBM to confirm whether further locking down is to be expected or not. Thus this is on hold, pending further information.
On Tue, Jul 16, 2019 at 01:02:04AM +0100, Dimitri John Ledkov wrote: > Bug-Link: https://bugs.launchpad.net/bugs/1829749 > > Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> Applied to eoan/master-next and unstable/master, thanks!
diff --git a/debian.master/rules.d/s390x.mk b/debian.master/rules.d/s390x.mk
index dad66b1a674f..14e58db17d27 100644
--- a/debian.master/rules.d/s390x.mk
+++ b/debian.master/rules.d/s390x.mk
@@ -11,7 +11,7 @@ vdso = vdso_install
 no_dumpfile = true
 
 do_extras_package = true
-
+sipl_signed = true
 do_tools_usbip = true
 do_tools_cpupower = true
 do_tools_perf = true
diff --git a/debian/rules b/debian/rules
index 0953195f5ab1..80205f30b265 100755
--- a/debian/rules
+++ b/debian/rules
@@ -49,7 +49,7 @@ ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
 endif
 
 # Are any of the kernel signing options enabled.
-any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed)))
+any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed)))
 ifeq ($(any_signed),true)
 bin_pkg_name=$(bin_pkg_name_unsigned)
 else
diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk
index e71bf3c281ef..efc5e50841c9 100644
--- a/debian/rules.d/1-maintainer.mk
+++ b/debian/rules.d/1-maintainer.mk
@@ -92,6 +92,7 @@ printenv:
 @echo "any_signed = $(any_signed)"
 @echo " uefi_signed = $(uefi_signed)"
 @echo " opal_signed = $(opal_signed)"
+ @echo " sipl_signed = $(sipl_signed)"
 @echo "full_build = $(full_build)"
 @echo "libc_dev_version = $(libc_dev_version)"
 @echo "DEB_HOST_GNU_TYPE = $(DEB_HOST_GNU_TYPE)"
diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index f3ab06748cf6..083b64772439 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -151,6 +151,11 @@ ifeq ($(opal_signed),true)
 cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
 $(signingv)/$(instfile)-$(abi_release)-$*.opal;
 endif
+ifeq ($(sipl_signed),true)
+ install -d $(signingv)
+ cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
+ $(signingv)/$(instfile)-$(abi_release)-$*.sipl;
+endif
 
 install -d $(pkgdir)/boot
 install -m644 $(builddir)/build-$*/.config \
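Review bot: In debian.master/rules.d/s390x.mk, `sipl_signed = true` replaces the blank line that separated `do_extras_package` from the `do_tools_*` group and has no comment, although it is more than a local toggle. Through `any_signed` in debian/rules it also switches `bin_pkg_name` to `$(bin_pkg_name_unsigned)` for this architecture. I would keep the separator line and put a comment above the setting, for example `# Secure IPL: stage the kernel image for .sipl signing; this also selects the unsigned image package name (see any_signed in debian/rules)`. Whether a matching signed package is produced for s390x is not visible in this patch and is worth confirming before the flag goes in.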
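Review bot: In debian/rules, `any_signed` is compared against the literal `true`, but `filter-out false` keeps every other word, so a value such as `yes` or a typo in any of the three `*_signed` variables produces a list like `true yes` and the `ifeq` quietly takes the `else` branch. The package-name decision can then disagree with the per-format `ifeq ($(sipl_signed),true)` staging block in 2-binary-arch.mk, and a third input makes that mismatch more likely. Selecting the positive value is tighter: `any_signed=$(sort $(filter true,$(uefi_signed) $(opal_signed) $(sipl_signed)))`. The `else` branch lies outside the hunk, so its effect on the package name is inferred rather than visible.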
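Review bot: In debian/rules.d/2-binary-arch.mk, the new `sipl_signed` block copies the `opal_signed` block above it with only the suffix changed, and nothing records that the `.sipl` suffix is presumably what tells the signing side how to treat the staged image. A comment on the block would make that contract explicit, for example `# s390x Secure IPL: stage the kernel image as *.sipl in $(signingv) for archive signing`. Because the blocks differ only in the suffix, a later change to the staging path would need to be applied to each of them in step. The enclosing recipe starts and ends outside the hunk.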
Bug-Link: https://bugs.launchpad.net/bugs/1829749 Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> --- debian.master/rules.d/s390x.mk | 2 +- debian/rules | 2 +- debian/rules.d/1-maintainer.mk | 1 + debian/rules.d/2-binary-arch.mk | 5 +++++ 4 files changed, 8 insertions(+), 2 deletions(-)