[UBUNTU 20.04] Secure Execution: Unable to start Qemu with "-no-reboot" option
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | Medium | Skipper Bug Screeners |
qemu (Ubuntu) | Fix Released | Medium | Canonical Server |
Focal | Fix Released | Medium | Unassigned |
Bug Description
[Impact]
* on s390x the transition from non-secure to secure is a program directed
IPL. IPL "usually" was meant to load a system. Due to that the
-no-reboot option blocks that transition.
* It is required to check the IPL function code and allow this "kind of
IPL" despite -no-reboot being set.
[Test Case]
* Run an s390x protvirt qemu-kvm and add the option -no-reboot
- without the fix this will fail
* Note: We will need IBM to test this for the access to the required
hardware and a secure-execution enabled kernel (as used in the bug
report)
[Regression Potential]
* The change is small and clear, but if anything then IPL actions like
load&reboot should be affected.
[Other Info]
* n/a
---
---Problem Description---
Secure Execution: Qemu fails to start with no output when "-no-reboot" option has been set.
---uname output---
Linux se1 5.4.0-37-generic #41-Ubuntu SMP Wed Jun 3 17:53:50 UTC 2020 s390x s390x s390x GNU/Linux
Machine Type = z15 8562
---Debugger---
A debugger is not configured
---Steps to Reproduce---
Run Qemu with "-no-reboot" option:
/usr/bin/
Userspace tool common name: qemu-system-s390x
The userspace tool has the following bit modes: 64
Userspace rpm: qemu-system-s390x
Userspace tool obtained from project website: na
Solution:
Fix is upstream for qemu
commit d1bb69db4ceb689
Author: Christian Borntraeger <email address hidden>
AuthorDate: Tue Jul 21 06:32:02 2020 -0400
Commit: Cornelia Huck <email address hidden>
CommitDate: Fri Jul 24 08:35:22 2020 +0200
s390x/protvirt: allow to IPL secure guests with -no-reboot
Related branches
- Rafael David Tinoco (community): Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
- Diff: 10691 lines (+9839/-7), 133 files modified
- Rafael David Tinoco (community): Approve
- Canonical Server: Pending requested
- Canonical Server packageset reviewers: Pending requested
- Diff: 150 lines (+105/-0), 5 files modified
  - debian/changelog (+10/-0)
  - debian/patches/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch (+52/-0)
  - debian/patches/series (+2/-0)
  - debian/patches/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch (+37/-0)
  - debian/rules (+4/-0)
tags: added: architecture-s39064 bugnameltc-186486 severity-medium targetmilestone-inin2004
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → qemu (Ubuntu)
Changed in ubuntu-z-systems:
assignee: nobody → Canonical Foundations Team (canonical-foundations)
importance: Undecided → Medium
summary: Secure Execution: Unable to start Qemu with "-no-reboot" option → [UBUNTU 20.04] Secure Execution: Unable to start Qemu with "-no-reboot" option
Changed in ubuntu-z-systems:
assignee: Canonical Foundations Team (canonical-foundations) → Canonical Server Team (canonical-server)
Changed in qemu (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → Canonical Server Team (canonical-server)
Changed in ubuntu-z-systems:
assignee: Canonical Server Team (canonical-server) → Skipper Bug Screeners (skipper-screen-team)
Changed in ubuntu-z-systems:
status: New → Triaged
description: updated
Changed in ubuntu-z-systems:
status: Triaged → In Progress
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
tags: added: verification-done verification-done-focal; removed: verification-needed verification-needed-focal
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
The fixes line is wrong: 7ef6a17bf263146 b53a123632 references:
d1bb69db4ceb689
Fixes: 4d226deafc44 ("s390x: protvirt: Support unpack facility")
That commit does not (yet) exist, at least by title that is instead: 7dcf7bfe7f9c388 4a9596727a
commit c3347ed0d2ee42a
Author: Janosch Frank <email address hidden>
Date: Mon Mar 23 04:36:06 2020 -0400
s390x: protvirt: Support unpack facility
All that affected code naturally is in qemu 5.1 but we have backported it to 4.2 in Focal - therefore add a task for that.