[Bug 1968260] Re: [UBUNTU 20.04] genprotimg fails to process z15 host key documents after April 2022 (s390-tools)

Steve Langasek 1968260 at bugs.launchpad.net
Fri May 6 19:41:53 UTC 2022 

Hello bugproxy, or anyone else affected,

Accepted s390-tools into focal-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/s390-tools/2.12.0-0ubuntu3.5 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
focal to verification-done-focal. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-focal. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: s390-tools (Ubuntu Focal)
       Status: In Progress => Fix Committed

** Changed in: s390-tools-signed (Ubuntu Impish)
       Status: In Progress => Fix Committed

** Tags added: verification-needed-focal

** Changed in: s390-tools-signed (Ubuntu Focal)
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1968260

Title:
  [UBUNTU 20.04] genprotimg fails to process z15 host key documents
  after April 2022 (s390-tools)

Status in Ubuntu on IBM z Systems:
  In Progress
Status in s390-tools package in Ubuntu:
  Fix Released
Status in s390-tools-signed package in Ubuntu:
  Fix Committed
Status in s390-tools source package in Focal:
  Fix Committed
Status in s390-tools-signed source package in Focal:
  Fix Committed
Status in s390-tools source package in Impish:
  Fix Committed
Status in s390-tools-signed source package in Impish:
  Fix Committed
Status in s390-tools source package in Jammy:
  Fix Released
Status in s390-tools-signed source package in Jammy:
  Fix Released

Bug description:
  SRU Justification:
  ==================

  [Impact]

   * DigiCert is the CA issuing the signing certificate for Secure Execution
     host key documents. This certificate is used for the verification of the
     host key document validity.

   * Recently, DigiCert has changed the root CA certificate used for issuance
     of the signing certificates.

   * As genprotimg is checking the CA serial, the verification of the chain of
     trust will fail.

   * As a workaround, it is possible to disable certificate verification,
     but this is of course not recommended, because it makes it easier to
     provide a fake host key document.

   * Since the previously issued host key documents are expiring in April 2022,
     it is necessary to fix genprotimg to accept the newly issued host key
     documents.

   * The situation is now addressed by removing the DigiCert root CA
  pinning.

   * The root CA used for the chain of trust can change in the future,
     therefore it makes sense to remove this check.

   * If someone wants to enforce the usage of a specific root CA, it can be
     selected by the genprotimg command line option `--root-ca $CA`.

   * Make it transparent to the user which root CA is actually being used by
     printing the subject name of the root CA to stdout in verbose mode.

  [Fix]

   * 78b0533 78b053326c504c0535b5ec1c244ad7bb5a1df29d ("genprotimg:
  remove DigiCert root CA pinning")

  [Test Plan]

   * The usage of secure execution is nicely documented at the
     'Introducing IBM Secure Execution for Linux' docs.
     https://www.ibm.com/docs/en/linux-on-systems?topic=virtualization-introducing-secure-execution-linux
     Relevant for this fix is paragraph 'Verifying the host key document'
     https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document

   * Especially notice the 'About this task' section that references the
     check_hostkeydoc script to perform the verification steps.

   + Due to the fact that Secure Execution requires z15 as a minimal
     hardware level, the testing is done by IBM.

   * (Test can be done in combination with LP#1968259.)

  [Where problems could occur]

   * The removal of the DigiCert root CA pinning can - if not carefully done)
     lead to wrong - in worst case false positive checks by genprotimg.

   * The main code changes decouple the checks from DigiCert root (ca_skid) 
     and to allow more general X509 certificates.
     If not done thoroughly (pv_crypto_def.h, pv_args.c, pv_image.c,
     crypto..h and crypto.c), issues will be caused while checking
     certificates. Maybe not only new ones, but also old ones.

   * Overall this is an s390x topic only, and even there only relevant for
     Secure Execution (KVM) TEE environments.

  [Other Info]
   
   * Even if the LP bug title references focal only, this fix is also needed
     for all newer Ubuntu releases - here: impish and jammy.
  __________

  == Comment: #0 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 08:55:11 ==
  DigiCert is the CA issuing the signing certificate for Secure Execution host key documents. This certificate is used for the verification of the host key document validity. Recently, DigiCert has changed the root CA certificate used for issuance of the signing certificates.
  As genprotimg is checking the CA serial, the verification of the chain of trust will fail. As a workaround, it is possible to disable certificate verification, but this is not recommended because it makes it easier to provide a fake host key document.
  Since the previously issued host key documents are expiring in April 2022, it is necessary to fix genprotimg to accept the newly issued host key documents.

  Contact Information = Viktor Mihajlovski <mihajlov at de.ibm.com>

  == Comment: #2 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 08:57:47 ==
  Fixed by:

  https://github.com/ibm-s390-linux/s390-tools

  commit 78b053326c504c0535b5ec1c244ad7bb5a1df29d
  Author: Marc Hartmayer <mhartmay at linux.ibm.com>
  Date:   Thu Mar 31 14:00:31 2022 +0000

      genprotimg: remove DigiCert root CA pinning

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1968260/+subscriptions

More information about the foundations-bugs mailing list