[Bug 2059303] Comment bridged from LTC Bugzilla

bugproxy 2059303 at bugs.launchpad.net
Tue Apr 2 13:20:06 UTC 2024


------- Comment From Steffen.Eiden at ibm.com 2024-04-02 09:17 EDT-------
(In reply to comment #11)
> Well, I already had a hard time getting the requested commits applied to
> noble (which is on 2.31.0).
>
> I figured out that:
> 1) commit f6c6f0cc712433221fb0588c754e0d09884453dd ("rust/pv/test: Code +
> Certificate refactoring") is needed on top as a prerequisite, otherwise the
> other patches do not apply.
> 2) the commit id for ("libpv: Support `Armonk` in IBM signing key subject")
> is d7c95265cdb6217b0203efa5893c3a27838af63c (and not
> 5e1cb58a21ae0707d1993de3c8fc078c5cffed88 - this commit id does not exist in
> upstream master)
> 3) the commit id for ("pvattest: Fix root-ca parsing") is
> 2b5e7b049123aff094c7de79ba57a5df09471b2e (and not
> a54daf459e7504c0f42d3eb028100b7ab07894ff - again this commit id does not
> exist in upstream master).
>
> I'm really wondering if it wouldn't be best to have a new minor version
> tagged upstream (like a 2.31.1) that includes everything needed, since I
> can't patch binary files with quilt (rust/pv/tests/assets/cert/der.crl and
> rust/pv/tests/assets/cert/der.crt) and hence had to skip these hunks.

Your proposal makes sense. Let me see what we can do.

Steffen

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools-signed in Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

Status in Ubuntu on IBM z Systems:
  New
Status in s390-tools package in Ubuntu:
  New
Status in s390-tools-signed package in Ubuntu:
  New
Status in s390-tools source package in Focal:
  New
Status in s390-tools-signed source package in Focal:
  New
Status in s390-tools source package in Jammy:
  New
Status in s390-tools-signed source package in Jammy:
  New
Status in s390-tools source package in Mantic:
  New
Status in s390-tools-signed source package in Mantic:
  New
Status in s390-tools source package in Noble:
  New
Status in s390-tools-signed source package in Noble:
  New

Bug description:
  Description: SE-tooling: New IBM host-key subject locality
  Symptom:
          On April 24 (z15) / March 29 (z16) users will notice that the
          tooling for Secure Execution no longer detects that the provided
          IBM signing key for that generation is a valid IBM signing key. The
          error message will contain "no IBM signing key found" or similar. The
          respective tool will refuse to create an encrypted request/image as it
          could not verify the validity of the host-key. This affects
          genprotimg, pvattest, and pvsecret.
  Problem:
          The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject
          locality'; 'Armonk' is used instead. The SE tooling checks, among other
          things, the subject of the IBM signing key. If the subject is not
          the expected one, the certificate is not recognized as a valid IBM
          signing key. With no valid IBM signing key, the host-key verification
          cannot succeed and users cannot build trustable SE images, attestation
          requests or add-secret requests.
  Solution:
          Mitigations are available upstream. The fixes allow 'Armonk' as an
          additional locality in the subject and tolerate a mismatch in the
          locality of the revocation list or host-key issuer subject, which may
          still contain 'Poughkeepsie' instead of 'Armonk'.
  Reproduction:  Use a new IBM signing key with the unpatched tooling.

  The fix is required due to the circumstances described here:
  https://www.ibm.com/docs/en/linux-on-systems?topic=systems-whats-new#iplsdkwhatsnew__title__2

  This is required for all Ubuntu releases in service that support secure execution. 
  Therefore, Ubuntu 20.04 LTS (focal) and above are affected and need to be fixed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions
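The subject-locality check described under "Problem" and "Solution" in the bug description, as an added example that is not code from s390-tools/libpv or from this bug report. It models the check as: every subject attribute except L must equal a fixed expected subject, and L must be on an allowed list, where the unpatched list holds only "Poughkeepsie" and the fixed list adds "Armonk". It also models the second half of the fix, comparing a CRL or host-key issuer DN against the signing key subject while tolerating a Poughkeepsie/Armonk mismatch in L only. The expected subject attributes, the sample DNs and the simplified DN parser are constructed for this example; the page states only the locality change, not the real contents of the IBM subject, and the actual libpv implementation may differ in detail.

```rust
use std::collections::BTreeMap;

/// A distinguished name reduced to an attribute-type -> value map.
/// One value per attribute type is enough for the constructed DNs here.
type Dn = BTreeMap<String, String>;

/// Parse a comma-separated "TYPE=value" string into a `Dn`.
/// Simplified RFC 4514 handling (assumption): only backslash escapes are honoured.
fn parse_dn(s: &str) -> Dn {
    let mut parts: Vec<String> = Vec::new();
    let mut cur = String::new();
    let mut chars = s.chars();
    while let Some(c) = chars.next() {
        match c {
            '\\' => {
                if let Some(escaped) = chars.next() {
                    cur.push(escaped);
                }
            }
            ',' => parts.push(std::mem::take(&mut cur)),
            _ => cur.push(c),
        }
    }
    parts.push(cur);
    parts
        .iter()
        .filter_map(|p| p.split_once('='))
        .map(|(k, v)| (k.trim().to_ascii_uppercase(), v.trim().to_string()))
        .collect()
}

/// Localities accepted in the signing key subject: the unpatched tooling knows
/// only "Poughkeepsie", the fixed tooling also accepts "Armonk".
pub const LOCALITIES_UNPATCHED: &[&str] = &["Poughkeepsie"];
pub const LOCALITIES_FIXED: &[&str] = &["Poughkeepsie", "Armonk"];

/// Non-locality attributes the signing key subject must carry.
/// Constructed values: the real expected subject is not given on the bug page.
const EXPECTED_SUBJECT: &[(&str, &str)] = &[
    ("C", "US"),
    ("ST", "New York"),
    ("O", "Example Signing Authority"),
    ("CN", "Example Host Key Signing Key"),
];

/// Is `subject` the expected signing key subject, given the accepted localities?
pub fn is_signing_key_subject(subject: &str, allowed_localities: &[&str]) -> bool {
    let dn = parse_dn(subject);
    let fixed_ok = EXPECTED_SUBJECT
        .iter()
        .all(|(k, v)| dn.get(*k).map(String::as_str) == Some(*v));
    let locality_ok = dn
        .get("L")
        .map_or(false, |l| allowed_localities.contains(&l.as_str()));
    fixed_ok && locality_ok
}

/// Compare a CRL or host-key issuer DN against the signing key subject.
/// Every attribute except L must match exactly; L may differ only if both
/// values are accepted localities, so a CRL still issued under "Poughkeepsie"
/// chains to a signing key whose subject now says "Armonk".
pub fn issuer_matches_signing_key(issuer: &str, signing_subject: &str, allowed_localities: &[&str]) -> bool {
    let issuer = parse_dn(issuer);
    let subject = parse_dn(signing_subject);
    if issuer.len() != subject.len() {
        return false;
    }
    issuer.iter().all(|(k, v)| match subject.get(k) {
        None => false,
        Some(sv) if k.as_str() == "L" => {
            v == sv
                || (allowed_localities.contains(&v.as_str())
                    && allowed_localities.contains(&sv.as_str()))
        }
        Some(sv) => v == sv,
    })
}

// Constructed sample DNs, not real IBM certificate subjects.
pub const OLD_SIGNING_KEY: &str =
    "C=US,ST=New York,L=Poughkeepsie,O=Example Signing Authority,CN=Example Host Key Signing Key";
pub const NEW_SIGNING_KEY: &str =
    "C=US,ST=New York,L=Armonk,O=Example Signing Authority,CN=Example Host Key Signing Key";

fn main() {
    for (label, subject) in [("old", OLD_SIGNING_KEY), ("new", NEW_SIGNING_KEY)].iter() {
        println!(
            "{} signing key: unpatched={} fixed={}",
            label,
            is_signing_key_subject(subject, LOCALITIES_UNPATCHED),
            is_signing_key_subject(subject, LOCALITIES_FIXED)
        );
    }
    println!(
        "CRL issued under Poughkeepsie against Armonk signing key, fixed tooling: {}",
        issuer_matches_signing_key(OLD_SIGNING_KEY, NEW_SIGNING_KEY, LOCALITIES_FIXED)
    );
}
```

Running it shows the failure mode from the symptom section (the new key is rejected with the unpatched locality list and accepted with the fixed one) and why the issuer comparison also has to relax L: without that, a revocation list issued before the subject change would still fail to chain to the new signing key.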




More information about the foundations-bugs mailing list