[Bug 1134303] New: aarch64 kernel are not signed
http://bugzilla.opensuse.org/show_bug.cgi?id=1134303

Bug ID: 1134303
Summary: aarch64 kernel are not signed
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: aarch64
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-maintainers@forge.provo.novell.com
Reporter: guillaume.gardet@arm.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

On aarch64, "pesign -S -i /boot/Image-5.0.7-5.g8a6bcaf-default" returns:

No signatures found.

This is because in kernel-binary.spec.in, we only have the x86_64 image format:

BRP_PESIGN_FILES="/boot/vmlinuz-%kernelrelease-%build_flavor"

For aarch64, we should have:

BRP_PESIGN_FILES="/boot/Image-%kernelrelease-%build_flavor"

--
You are receiving this mail because: You are on the CC list for the bug.
--- Comment #5 from Guillaume GARDET

> The patch looks okay to me so far. However it is only for aarch64 and may need to be revisited later for jsc#PM-26 if we choose to package Image.gz or something.

Not sure what jsc#PM-26 is about, but we can update later, if needed.

> For %arm it would need to be the zImage equivalent.

Not sure if it is useful to sign armv7 zImage, as I am not sure if there are firmware supporting it, but why not.

> Not sure whether the other non-x86 architectures care.
>
> There are some sections further down the file that set an $image variable with the name - maybe it would make sense to rearrange the code so that we can just reuse that variable instead of duplicating it?

Indeed, we could do that. FYI, in master branch, only armv6, armv7, arm64, x86 and x86_64 do have CONFIG_EFI_STUB=y and would have a signed kernel. So, should I add support for all archs, which would add armv6 and armv7 to the current patch?
--- Comment #8 from Guillaume GARDET
> I think it is preferable to use $image so changes to image name does not cause regression in signing.

Ok.

> However, we should select explicitly which archs we want to sign as well. Signing ppc64 or s390x might break boot on some systems.

As only ARM and x86* have CONFIG_EFI_STUB=y, ppc64 and s390x will not be signed anyway. Do you need explicit %ifarch to disable signing for ppc64 and s390x? Or CONFIG_EFI_STUB=y condition is enough?
--- Comment #9 from Michal Suchanek
> As only ARM and x86* have CONFIG_EFI_STUB=y, ppc64 and s390x will not be signed anyway. Do you need explicit %ifarch to disable signing for ppc64 and s390x? Or CONFIG_EFI_STUB=y condition is enough?

CONFIG_EFI_STUB=y condition should be fine
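As an added example (not code from the bug thread or from kernel-binary.spec.in), the POSIX shell script below derives the per-architecture kernel image name the report and comments #5 to #9 discuss and runs the report's "pesign -S -i" check against it, so an unsigned image is flagged instead of going unnoticed. The zImage name for 32-bit ARM and the "no image, nothing to sign" handling for architectures without CONFIG_EFI_STUB=y are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the kernel spec: derive the
# installed kernel image name per architecture and run the report's
# "pesign -S -i" check against it to flag unsigned images.

# x86_64 (vmlinuz) and aarch64 (Image) are the names from the report; the
# zImage name for 32-bit ARM is an assumption. Architectures without
# CONFIG_EFI_STUB=y (ppc64, s390x, ...) have no PE image to sign: no path.
kernel_image_name() {
  release="$2"; flavor="$3"
  case "$1" in
    x86_64)        echo "/boot/vmlinuz-$release-$flavor" ;;
    aarch64)       echo "/boot/Image-$release-$flavor" ;;
    armv6*|armv7*) echo "/boot/zImage-$release-$flavor" ;;
    *)             return 1 ;;
  esac
}

# Classify pesign output: 0 = signed, 1 = unsigned ("No signatures found."
# as in the report), 2 = empty output (pesign failed or is missing).
classify_pesign_output() {
  case "$1" in
    *"No signatures found"*) return 1 ;;
    "")                      return 2 ;;
    *)                       return 0 ;;
  esac
}

# Check one image file; prints a verdict and returns the classification.
check_signed() {
  img="$1"
  [ -f "$img" ] || { echo "MISSING  $img"; return 2; }
  out=$(pesign -S -i "$img" 2>/dev/null) || true
  rc=0; classify_pesign_output "$out" || rc=$?
  case "$rc" in
    0) echo "SIGNED   $img" ;;
    1) echo "UNSIGNED $img" ;;
    *) echo "UNKNOWN  $img (no pesign output)" ;;
  esac
  return "$rc"
}

# Check the running kernel: uname -m gives the arch, uname -r the
# "<release>-<flavor>" string (e.g. 5.0.7-5.g8a6bcaf-default).
check_running_kernel() {
  rel=$(uname -r)
  img=$(kernel_image_name "$(uname -m)" "${rel%-*}" "${rel##*-}") ||
    { echo "no EFI-stub image for $(uname -m); nothing to sign"; return 0; }
  check_signed "$img"
}
```

Call check_running_kernel on an installed system (or check_signed on a specific /boot image); the exit status distinguishes signed (0), unsigned (1) and missing or unverifiable (2) images.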
--- Comment #13 from Guillaume GARDET
> 'pesign' is not built for armv6 and armv7. Any reason for that?

It builds properly on %arm. SR to enable 'pesign' build on %arm: https://build.opensuse.org/request/show/701792
--- Comment #16 from Michal Suchanek
> Leap 15.1 branch is blocked by bug#1134670 as 'pesign' update must go through SLE15-SP1 to later land on Leap 15.1.

It seems progressing just fine.
--- Comment #17 from Guillaume GARDET
>> Leap 15.1 branch is blocked by bug#1134670 as 'pesign' update must go through SLE15-SP1 to later land on Leap 15.1.
>
> It seems progressing just fine.

Yes, it is in Leap 15.1 as well: https://build.opensuse.org/request/show/701943

So, @Michal, can you add my patch, please?
--- Comment #19 from Guillaume GARDET
> The patch is queued for SLE15 SP1

Thanks. I guess Leap 15.1 will inherit this update. What about master and stable branches, for Tumbleweed?
--- Comment #23 from Guillaume GARDET

> Guillaume, how would you use signed kernels in Leap 15.1 without GRUB support? It is really late for SP1 (GMC!) and 15.1.

@Andreas, not sure what you mean. AFAICT, Grub is fine, signed with openSUSE key. Anyway, signing a kernel will not hurt as it will continue to boot in a non-secureboot environment.
--- Comment #25 from Guillaume GARDET
> I'm concerned about any last-minute changes in the build process. If something blows up, we have no time to fix it.
>
> Anyway, it sounds like it does not really bring any immediate benefit, so let me just postpone the change for SLE15 SP1 and Leap 15.1.

Ok, I understand it is a bit late. But, please push it for master/stable branches to get it in Tumbleweed.