[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

Frank Heimes 2059303 at bugs.launchpad.net
Tue Apr 2 08:33:23 UTC 2024 

** Package changed: linux (Ubuntu) => s390-tools (Ubuntu)

** Also affects: s390-tools-signed (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: ubuntu-z-systems
   Importance: Undecided
       Status: New

** Changed in: ubuntu-z-systems
     Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)

** Changed in: s390-tools (Ubuntu)
     Assignee: Skipper Bug Screeners (skipper-screen-team) => (unassigned)

** Changed in: ubuntu-z-systems
   Importance: Undecided => Critical

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools in Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

Status in Ubuntu on IBM z Systems:
  New
Status in s390-tools package in Ubuntu:
  New
Status in s390-tools-signed package in Ubuntu:
  New

Bug description:
  Description: SE-tooling: New IBM host-key subject locality
  Symptom:       
          On April 24 (z15) / March 29 (z16) user will notice that the
          tooling for Secure execution will no longer detect that the provided
          IBM signing key for that generation is a valid IBM signing key. The
          error message will contain "no IBM signing key found" or similar. The
          respective tool will reject creating an encrypted request/image as it
          could not verify the host-key for its validity. This affects
          genprotimg, pvattest, and pvsecret.
  Problem:        
          The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject
          locality' and 'Armonk' is used. The SE tooling checks, beside other
          things, for the subject in the IBM signing key. If the subject is not
          the expected one, the certificate is not recognized as a valid IBM
          signing key. With no valid IBM signing key, the host-key verification
          cannot succeed and users cannot build trustable SE images and
          attestation or add-secret requests.
  Solution:       
          Mitigations are available upstream. The fixes allow Armonk as
          additional locality in the subject and allow potential mismatches in
          the locality of revocation list or host-key issuer subject that may
          still contain Poughkeepsie instead of Armonk.
  Reproduction:  Use a new IBM signing key in the unpatched tooling.

  The fix is required due to the circumstances described here:
  https://www.ibm.com/docs/en/linux-on-systems?topic=systems-whats-new#iplsdkwhatsnew__title__2

  This is required for all Ubuntu releases in service that support secure execution. 
  Therefore, Ubuntu 20.04 LTS (focal) and above are affected and need to be fixed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions

More information about the foundations-bugs mailing list