[Bug 1932177] Re: [21.10 FEAT] KVM: Change Secure Execution Header defaults for plaintext control flags (PCF) (s390-tools)

[Frank Heimes]

** Information type changed from Private to Public

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1932177

Title:
  [21.10 FEAT] KVM: Change Secure Execution Header defaults for
  plaintext control flags (PCF) (s390-tools)

Status in Ubuntu on IBM z Systems:
  Fix Released
Status in s390-tools package in Ubuntu:
  Fix Released

Bug description:
  The plaintext control flags (PCF) in the Secure Execution header have
  safe default settings. Specifically the protected key support (PCKMO)
  is disabled by default. This is however in contrast to the defaults
  used by regular KVM guests, which are allowed to use protected keys.
  This may lead (and has lead) to confusion. To improve usability the
  default SE header PCF settings should be set to allow all PCKMO types.
  While doing that, an explicit option to enable/disable PCKMO should be
  added, so that clients have no need to use the 'experimental/expert'
  flags.

  Value: Lowers the hurdles to deploy secure execution guests by
  maintaining commonality with the non-secure behavior.

  Feature will be part of s390-tools >= 2.17

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1932177/+subscriptions