[Bug 1968259] Re: [UBUNTU 21.10 / 22.04] check_hostkeydoc is checking the certificate issuer too strictly (s390-tools)
Graham Inggs
1968259 at bugs.launchpad.net
Tue Apr 12 10:18:12 UTC 2022
** Changed in: s390-tools (Ubuntu Jammy)
Status: In Progress => Fix Committed
** Changed in: s390-tools-signed (Ubuntu Jammy)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1968259
Title:
[UBUNTU 21.10 / 22.04] check_hostkeydoc is checking the certificate
issuer too strictly (s390-tools)
Status in Ubuntu on IBM z Systems:
In Progress
Status in s390-tools package in Ubuntu:
Fix Committed
Status in s390-tools-signed package in Ubuntu:
Fix Committed
Status in s390-tools source package in Impish:
In Progress
Status in s390-tools-signed source package in Impish:
In Progress
Status in s390-tools source package in Jammy:
Fix Committed
Status in s390-tools-signed source package in Jammy:
Fix Committed
Bug description:
SRU Justification:
==================
[Impact]
* The s390-tools script check_hostkeydoc can be used to perform the
verification of the chain of trust for Secure Execution host key documents.
* The certificate verification is however too strict and doesn't match the
checking performed by the genprotimg tool.
* Affected is the OU field in the issuer DN of the host key document.
As a consequence, verification failures will occur for host key documents
issued for newer hardware generations like IBM z16.
* While the original default issuer's organizationalUnitName (OU)
was defined as "IBM Z Host Key Signing Service", any OU ending
with "Key Signing Service" is considered legal by this fix/commit.
* So the default issuer check got relaxed by stripping off characters
preceding "Key Signing Service".
[Fix]
* 673ff37 673ff375d939d3cde674f8f99a62d456f8b1673d
("genprotimg/check_hostkeydoc: relax default issuer check")
[Test Plan]
* The usage of secure execution is nicely documented at the
'Introducing IBM Secure Execution for Linux' docs.
https://www.ibm.com/docs/en/linux-on-systems?topic=virtualization-introducing-secure-execution-linux
Relevant for this fix is paragraph 'Verifying the host key document'
https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document
* Especially notice the 'About this task' section that references the
check_hostkeydoc script to perform the verification steps.
+ Due to the fact that Secure Execution requires z15 as a minimal
hardware level, the testing is done by IBM.
[Where problems could occur]
* Problem can occur in the check_hostkeydoc helper script only.
* The script cane become broken at all and may refuse to properly verify
even valid signed keys.
* The sed statement in the script might be wrong and cut out a wrong
organizationalUnitName.
* And since this is a helper script and the verification can also be done
without this script, the risk is not too high.
* A verification can be done based with check_hostkeydoc and with the manual
steps (with a valid and invalid signed key) to validate equal results.
* The modification are relatively straight-formward:
https://github.com/ibm-s390-linux/s390-tools/commit/673ff375d939d3cde674f8f99a62d456f8b1673d
* And overall this is an s390x topic only, and even there only relevant for
Secure Execution (KVM) TEE environments only.
[Other Info]
* This does not affect focal (like initiall indicated),
since focal's s390-tools version does not include the
check_hostkeydoc file.
__________
== Comment: #0 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 09:16:49 ==
The s390-tools script check_hostkeydoc can be used to perform the verification of the chain of trust for Secure Execution host key documents.
The certificate verification is however too strict and doesn't match the checking performed by genprotimg.
Affected is the OU field in the issuer DN of the host key document. As a consequence, verification failures will occur for host key documents issued for newer hardware generations like IBM z16.
== Comment: #1 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 09:18:08 ==
Fixed by:
https://github.com/ibm-s390-linux/s390-tools
commit 673ff375d939d3cde674f8f99a62d456f8b1673d
Author: Viktor Mihajlovski <mihajlov at linux.ibm.com>
Date: Tue Mar 15 12:55:02 2022 +0100
genprotimg/check_hostkeydoc: relax default issuer check
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1968259/+subscriptions
More information about the foundations-bugs
mailing list