File s390-tools-sles15sp3-zipl-boot-add-secure-boot-... of Package s390-tools.28664

Overview Repositories Revisions Requests Users Attributes Meta

File s390-tools-sles15sp3-zipl-boot-add-secure-boot-trailer.patch of Package s390-tools.28664

Subject: [PATCH] [BZ 200342] zipl/boot: add secure boot trailer
From: Peter Oberparleiter <oberpar@linux.ibm.com>

Description:   zipl: Add secure boot trailer
Symptom:       Secure boot of Linux will no longer be possible with an upcoming
               IBM Z firmware update.
Problem:       New IBM Z firmware requires all signed boot images to contain a
               trailing data block with a specific format.
Solution:      Add trailing data block to the zipl stage 3 boot loader image.
Reproduction:  Apply latest firmware, perform IPL with Secure Boot enabled.
Upstream-ID:   5768d55a08e163f718bd87498b9e763687ae7137
Problem-ID:    200342

Upstream-Description:

zipl/boot: add secure boot trailer

This patch enhances the zipl stage3 loader image adding a trailer as
              required for secure boot by future firmware versions.

Note: with the change in this patch the padding via objcopy command line
              options is replaced by padding via linker script directives with the
              same effect.

Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
              Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>

Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
---
 zipl/boot/Makefile     |    2 +-
 zipl/boot/stage3.lds.S |   10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

--- a/zipl/boot/Makefile
+++ b/zipl/boot/Makefile
@@ -105,7 +105,7 @@ stage3.bin:	stage3.exec
 		--only-section=.stage2dump.tail \
 		--only-section=.eckd2dump_mv.tail \
 		--only-section=.fixup \
-		--pad-to=0xe000 \
+		--only-section=.sb.trailer \
 		$< $@
 
 data.o: $(FILES)
--- a/zipl/boot/stage3.lds.S
+++ b/zipl/boot/stage3.lds.S
@@ -14,6 +14,7 @@
  */
 
 #include "boot/loaders_layout.h"
+#include "boot/s390.h"
 
 SECTIONS
 {
@@ -46,6 +47,15 @@ SECTIONS
   .rodata : {*(.rodata) }
   .data : { *(.data) }
 
+  /* Trailer needed for Secure Boot */
+  . = COMMAND_LINE_EXTRA - 32;
+  .sb.trailer : {
+    QUAD(0x0000c00000000000)
+    QUAD(STAGE3_ENTRY + PSW_LOAD)
+    QUAD(STAGE3_ENTRY)
+    QUAD(0x000000207a49504c)
+  }
+
   . = COMMAND_LINE_EXTRA;
   .cmdline_extra : {
     . += COMMAND_LINE_EXTRA_SIZE;

Places

File s390-tools-sles15sp3-zipl-boot-add-secure-boot-trailer.patch of Package s390-tools.28664

Places