[Bug 1959987] Re: [22.04 FEAT] KVM: Secure Execution Attestation Userspace Tool (s390-tools)

Simon Chopin 1959987 at bugs.launchpad.net
Wed Nov 2 10:38:28 UTC 2022


Re-uploaded to Jammy with some new fixes (and fixed the -signed
changelog)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1959987

Title:
  [22.04 FEAT] KVM: Secure Execution Attestation Userspace Tool
  (s390-tools)

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in s390-tools package in Ubuntu:
  Fix Released
Status in s390-tools-signed package in Ubuntu:
  Fix Released
Status in s390-tools source package in Jammy:
  Fix Committed
Status in s390-tools-signed source package in Jammy:
  Fix Committed
Status in s390-tools source package in Kinetic:
  Fix Released
Status in s390-tools-signed source package in Kinetic:
  Fix Released

Bug description:
  SRU Justification:
  ------------------

  [Impact]

   * In order to facilitate attestation of Secure Execution guests,
     a userspace tool is required that will receive the attestation
     request, translate it to the appropriate ultravisor calls and
     return the result to the caller.

   * Secure Execution is a firmware-based Trusted Execution
     Environment (TEE) and is therefore a hardware feature (FC 115).

   * And this attestation tool enriches Secure Execution, hence
     this can be considered as a hardware enablement SRU.

  [Test Plan]

   * Setup a Secure Execution environment in a z15 (or newer) LPAR
     with Ubuntu Server 22.04(.x) for s390x.

   * More details on how to set up Secure Execution can be found here:
     https://www.ibm.com/docs/en/linuxonibm/pdf/l120se02.pdf

   * Install the updated packages in version 2.20.0-0ubuntu3.2
     (s390-tools and s390-tools-signed).

   * Create, perform, and verify attestation measurements for the
     Secure Execution guest systems by using the 'pvattest' tool:
     /usr/bin/pvattest

   * In a trusted environment, to get a measurement of an untrusted
     IBM Secure Execution guest, call 'pvattest perform',
     and call 'pvattest verify' to verify that the measurement
     is the expected one.

   * Verification needs to be done by IBM.

  [Where problems could occur]

   * The patches/commits for the attestation tools, that complement
     secure execution, largely add new files and new lines.
     Only in the Makefile and common.mak files are lines deleted,
     but even there only to enlarge them.

   * So there is a low risk for regression of existing functionality,
     beyond build time (and a test build was done).

   * However, the tool itself, which consists of a statically linked
     library and the tool itself, might cause issues:
     - for example if it fails, segfaults or causes any other issue
     - or if the attestation function itself is wrong

   * The status and output must be absolutely correct to not 
     lull someone into a false sense of security.

  [Other Info]
   
   * The attestation tool was brought upstream with s390-tools 2.22,
     and since kinetic ships version 2.23 it's already included there.
  __________

  KVM: Secure Execution Attestation Userspace Tool (s390-tools)

  Description:
  In order to facilitate attestation of Secure Execution guests, a userspace tool is required that will receive the attestation request, translate it to the appropriate ultravisor calls and return the result to the caller.

  Request Type: Package - Update Version
  Upstream Acceptance: In Progress
