Determining successful preparation

Make sure that the boot media was successfully prepared for secure boot.

Procedure

Use zipl with the --verbose option to determine whether a Linux boot volume was successfully prepared for secure boot:

$ sudo zipl --verbose --secure=1
...
Secure boot support: yes
...
Adding #1: IPL section 'ubuntu' (default)
  initial ramdisk...: /boot/initrd.img
  signature for.....: /lib/s390-tools/stage3.bin
  kernel image......: /boot/vmlinuz
  signature for.....: /boot/vmlinuz
...
Preparing boot device for CCW- and LD-IPL: dasda (1234).
...

Watch for the following output lines:

Secure boot support: yes
This line indicates that the environment supports secure boot.
signature for...: <filename>
This line indicates that the listed boot file contains a secure boot signature. For a successful boot, this message must appear twice; once for stage3.bin and once for the Linux kernel, typically named vmlinuz or image.
Preparing boot device for CCW- and LD-IPL
This message occurs only for DASD boot devices and indicates that the DASD was prepared both for traditional CCW boot, and for LD-IPL boot, which is required for secure boot.

Results

On a successful secure boot, the following lines are displayed on the HMC operating system message console, or the z/VM guest console, before any operating system output.

IPB received.
IPB sent.
System version 9.
Watchdog enabled.
Running 'ZBootLoader' version '3.1.5' level 'D51C.D51C_328.13'.
OK00000000 Success

For more information about messages on the HMC, see SC28-7046-00: IPL Machine Loader Messages, available at: https://www.ibm.com/support/pages/sites/default/files/2023-06/SC28-7046-00.pdf