APPLIED: [SRU][H][F][PATCH 0/2] KVM: Provide a secure guest indication (LP: 1933173)

Kelsey Skunberg kelsey.skunberg at canonical.com
Fri Aug 6 21:19:53 UTC 2021 

Applied to hirsute and focal master-next. Thank you! 

-Kelsey

On 2021-08-04 14:19:37 , frank.heimes at canonical.com wrote:
> BugLink: https://bugs.launchpad.net/bugs/1933173
> 
> SRU Justification:
> 
> [Impact]
> 
> * It is difficult for customers to identify if a KVM guest on s390x runs in secure execution more or not.
>   Hence several requests came up that asked about providing a better indication.
> 
> * If the mode is not known, one may venture oneself into deceptive security.
> 
> * Patches that allow a better indication via 'prot_virt_host' using the sysfs firmware interface were added to upstream kernel 5.13.
> 
> * Secure execution was initially introduced in Ubuntu with focal / 20.04, hence this request to SRU.
> 
> [Fix]
> 
> * 37564ed834aca26993b77b9b2a0119ec1ba6e00c 37564ed834ac "s390/uv: add prot virt guest/host indication files"
> 
> * df2e400e07ad53a582ee934ce8384479d5ddf48b df2e400e07ad "s390/uv: fix prot virt host indication compilation"
> 
> [Test Case]
> 
> * A z15 or LinuxONE III LPAR is needed that runs KVM in secure execution.
> 
> * Have a look for the 'prot_virt_host' key at the sysfs firmware interface
>   '1' indicates that the ultravisor is active and that the guest is running protected (in secure execution mode).
> 
> [Regression Potential]
> 
> * The patch is s390x specific and modifies file arch/s390/kernel/uv.c only.
> 
> * An entirely new new function 'uv_is_prot_virt_guest' was added and initialized and used in uv_info_init,
>   hence the regression risk in existing code is rather small.
> 
> * However, in case the initialization was done errornously the indication might be wrong,
>   maybe showing that the system is not protected in the way it should be (wrong indication).
> 
> * More general code deficiencies in these two functions will be largely indicated by the test compiles.
> 
> * But the code was already tested based on kernel 5.13 - and for SRU-ing a cherry-pick of the patches was sufficient,
>   hence the exact same code as in 5.13 is used.
> 
> * Further tests of the SRU kernels (5.11 and 5.4) can be done based on the test kernel available from the PPA (see below).
> 
> [Other]
> 
> * Patches are upstream accepted with since 5.13-rc1.
> 
> * Request was to add the patches to focal / 20.04.
> 
> * To avoid potential regressions on upgrades, the patches need to be added to hirsute / 20.10, too.
> 
> Janosch Frank (2):
>   s390/uv: add prot virt guest/host indication files
>   s390/uv: fix prot virt host indication compilation
> 
>  arch/s390/kernel/uv.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 42 insertions(+), 1 deletion(-)
> 
> -- 
> 2.25.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

More information about the kernel-team mailing list