[Bug 1942908] Comment bridged from LTC Bugzilla

bugproxy 1942908 at bugs.launchpad.net
Tue Sep 28 16:48:48 UTC 2021


------- Comment From MHartmay at de.ibm.com 2021-09-28 12:47 EDT-------
(In reply to comment #25)
> Hi Marc, the new curl bits that were added require an additional build
> dependency (libcurl-dev).
> I've now added "libcurl4-openssl-dev" to achieve this, since this is the
> build dependency that is also used in newer s390-tools releases, like
> hirsute (2.16) and impish (2.17).
> The corresponding makefile was written in a way that it just skipped the
> compile of genprotimg if the build dependencies are not satisfied, hence the
> PPA build did not fail, and I didn't notice the issue earlier.
> I did a new compile and genprotimg is not in (it was already in the set of
> packages for hirsute).
> You may try again ... (it can be found at /usr/bin/genprotimg)

FYI, the problem you've mentioned is already fixed upstream by commit
https://github.com/ibm-s390-linux/s390-tools/commit/6db7fbe0187042f44a63a5c7dbeb9f116909d02e

I'll try the new package tomorrow.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1942908

Title:
  Fixing zKVM: Host Key Document Verification - SRU to U20.04LTS

Status in Ubuntu on IBM z Systems:
  In Progress
Status in s390-tools package in Ubuntu:
  Fix Released
Status in s390-tools-signed package in Ubuntu:
  Fix Released
Status in s390-tools source package in Focal:
  New
Status in s390-tools-signed source package in Focal:
  New
Status in s390-tools source package in Hirsute:
  New
Status in s390-tools-signed source package in Hirsute:
  New

Bug description:
  SRU Justification:
  ==================

  [Impact]

   * Fix of 'genprotimg' allowing the tool to verify the validity
     of IBM Secure Execution host key documents.

   * Without that, customers must verify the host key document by themselves,
     which is error prone and may impact security.

  [Test Plan]

   * A z15 or LinuxONE III LPAR with FC 115 is needed,
     running Ubuntu Server 20.04 (respectively 21.04).

   * Obtain the host-key document,
     the IBM signing key (ibm-z-host-key-signing.crt)
     and the intermediate DigiCert CA (DigiCertCA.crt)
     from 'IBM Resource Link':
     (https://www.ibm.com/servers/resourcelink/lib03060.nsf/pages/IBM-Secure-Execution-for-Linux)

   * The system needs to be online (access to the internet) to
     be able to automatically download the latest revocation lists.

   * Create an IBM Secure Execution image, using the obtained host key like:
     $ genprotimg -i /boot/vmlinuz -r /boot/initrd.img -p parmfile \
      --no-verify -k HKD-8651-00020089A8.crt -o /boot/secure-linux
     (optional, host key can also be verified w/o having created an image)

   * With the above patches applied, the 'genprotimg' command
    can be used to verify the host key document automatically:
    $ genprotimg -i /boot/vmlinuz -r /boot/initrd.img -p parmfile \
     -k HKD-8651-00020089A8.crt -o /boot/secure-linux \
     --cert DigiCertCA.crt --cert ibm-z-host-key-signing.crt
    (in this case '--no-verify' becomes obsolete)

   * More detailed information is available here:
     http://public.dhe.ibm.com/software/dw/linux390/docu/l110se01.pdf

   * Due to the lack of hardware, the verification needs to be done by IBM.

  [Where problems could occur]

   * If the 'genprotimg' way of verifying the host key document
     is erroneous, tool based verification can be broken,
     which may force people to use '--no-verify'
     and fall back to manual (openssl based) verification again.

   * In the worst case a 'false positive' verification
     of a host key document may occur,
     that might provide a false sense of security.
     Hence proper testing is crucial!

   * Quite some code was added that is only used for this verification
     (like 'curl'), which may break things indirectly.
     Using '--no-verify' may allow overcoming such issues again.

   * Overall this is all unique to s390x,
     and again special to 'secure execution' and would affect
     only z15 or LinuxONE III systems with FC 115 enabled.

   * The system where the Host-Key document is verified or
     where the image is built, needs to be online - otherwise the 
     verification is not possible, because the needed up-to-date
     CRLs cannot be downloaded.

  [Fixes]

   * For Hirsute, only the following upstream patch is needed:
     d90344a2d5ca3a0caacf7d0c12f981be86862d8c d90344a ("genprotimg: check return value of BIO_reset")

   * For Focal, the following patches are needed (the first one as backport):

   * 074de1e14ed785c18f55ecf9762ac3f5de3465b4 074de1e ("genprotimg: add host-key document verification support")
     To get this commit in, the attached backport is needed:
     https://launchpadlibrarian.net/559224229/0001-genprotimg-add-host-key-document-verification-suppor.patch

   * 7827a791c98dbf14f7e5dfd1c9ea14365cac6272 7827a79 ("genprotimg: add missing return")

   * d90344a2d5ca3a0caacf7d0c12f981be86862d8c d90344a ("genprotimg: check return value of BIO_reset")

  [Other Info]

   * Test builds were created for both hirsute and focal,
     each s390-tools and s390-tools-signed,
     and have been published at PPA:
     https://launchpad.net/~fheimes/+archive/ubuntu/lp1942908

  __________

  Fixing zKVM: Host Key Document Verification - SRU to U20.04LTS

  Description:
  Fix of genprotimg allowing the tool to verify the validity of IBM Secure Execution host key documents.
  Without that, customers must verify the host key document by themselves, which is error prone and may impact security.
