[Bug 1959987] Re: [22.04 FEAT] KVM: Secure Execution Attestation Userspace Tool (s390-tools)
Simon Chopin
1959987 at bugs.launchpad.net
Fri Nov 25 15:28:30 UTC 2022
The upload was rejected on 2022-11-16, presumably because fheimes asked
for it to be removed due to the new bugfixes that were impending. That
might have been a bit premature since I wasn't around to sponsor the new
uploads, though.
I've uploaded both packages (with the new bugfixes) to Jammy.
https://bugs.launchpad.net/bugs/1959987
Title:
[22.04 FEAT] KVM: Secure Execution Attestation Userspace Tool
(s390-tools)
Status in Ubuntu on IBM z Systems:
Fix Committed
Status in s390-tools package in Ubuntu:
Fix Released
Status in s390-tools-signed package in Ubuntu:
Fix Released
Status in s390-tools source package in Jammy:
Incomplete
Status in s390-tools-signed source package in Jammy:
Fix Committed
Status in s390-tools source package in Kinetic:
Fix Released
Status in s390-tools-signed source package in Kinetic:
Fix Released
Bug description:
SRU Justification:
------------------
[Impact]
* In order to facilitate attestation of Secure Execution guests,
a userspace tool is required that will receive the attestation
request, translate it to the appropriate ultravisor calls and
return the result to the caller.
* Secure Execution is a firmware based Trusted Execution
Environment (TEE) and is with that a hardware feature (FC 115).
* And this attestation tool enriches Secure Execution, hence
this can be considered as a hardware enablement SRU.
[Test Plan]
* Setup a Secure Execution environment in a z15 (or newer) LPAR
with Ubuntu Server 22.04(.x) for s390x.
* More details on how to set up Secure Execution can be found here:
https://www.ibm.com/docs/en/linuxonibm/pdf/l120se02.pdf
* Install the updated packages in version 2.20.0-0ubuntu3.2
(s390-tools and s390-tools-signed).
* Create, perform, and verify attestation measurements for the
Secure Execution guest systems by using the 'pvattest' tool:
/usr/bin/pvattest
* In a trusted environment, to get a measurement of an untrusted
IBM Secure Execution guest, call 'pvattest perform',
and call 'pvattest verify' to verify that the measurement
is the expected one.
* Verification needs to be done by IBM.
[Where problems could occur]
* The patches/commits for the attestation tools, that complement
secure execution, largely add new files and new lines.
Only in the Makefile and common.mak files are lines deleted,
but even there only to enlarge them.
* So there is a low risk for regression of existing functionality,
beyond build time (and a test build was done).
* However the tool itself, that consists of a statically linked
library and the tool itself might cause issues:
- for example if it fails, segfaults or causes any other issue
- or if the attestation function itself is wrong
* The status and output must be absolutely correct to not
lull someone into a false sense of security.
[Other Info]
* The attestation tool was brought upstream with s390-tools 2.22,
and since kinetic ships version 2.23 it's already incl. there.
__________
KVM: Secure Execution Attestation Userspace Tool (s390-tools)
Description:
In order to facilitate attestation of Secure Execution guests, a userspace tool is required that will receive the attestation request, translate it to the appropriate ultravisor calls and return the result to the caller.
Request Type: Package - Update Version
Upstream Acceptance: In Progress