[Bug 1942908] Comment bridged from LTC Bugzilla
bugproxy
1942908 at bugs.launchpad.net
Tue Oct 5 10:00:20 UTC 2021
------- Comment From MHartmay at de.ibm.com 2021-10-05 05:55 EDT-------
I've tested the new packages for Ubuntu Focal:
Package: s390-tools
Version: 2.12.0-0ubuntu3.4
and Ubuntu Hursuit:
Package: s390-tools
Version: 2.16.0-0ubuntu1.1
What I did:
1. Regression testing for genprotimg (e.g. verified that the generation of a IBM Secure Execution image is still working)
2. Verified that the feature 'host-key document verification' works as expected
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1942908
Title:
Fixing zKVM: Host Key Document Verification - SRU to U20.04LTS
Status in Ubuntu on IBM z Systems:
Fix Committed
Status in s390-tools package in Ubuntu:
Fix Released
Status in s390-tools-signed package in Ubuntu:
Fix Released
Status in s390-tools source package in Focal:
Fix Committed
Status in s390-tools-signed source package in Focal:
New
Status in s390-tools source package in Hirsute:
Fix Committed
Status in s390-tools-signed source package in Hirsute:
New
Bug description:
SRU Justification:
==================
[Impact]
* Fix of 'genprotimg' allowing the tool to verify the validity
of IBM Secure Execution host key documents.
* Without that, customers must verify the host key document by themselves,
which is error prone and may impact security.
[Test Plan]
* A z15 or LinuxONE III LPAR with FC 115 is needed,
running Ubuntu Server 20.04 (respectively 21.04).
* Obtain the host-key document,
the IBM signing key (ibm-z-host-key-signing.crt)
and the intermediate DigiCert CA (DigiCertCA.crt)
from 'IBM Resource Link':
(https://www.ibm.com/servers/resourcelink/lib03060.nsf/pages/IBM-Secure-Execution-for-Linux)
* The systems needs to be online (access to the internet) to
be able to automatically download the latest revocation lists.
* Create an IBM Secure Execution image, using the obtained host key like:
$ genprotimg -i /boot/vmlinuz -r /boot/initrd.img -p parmfile \
--no-verify -k HKD-8651-00020089A8.crt -o /boot/secure-linux
(optional, host key can also be verified w/o having created an image)
* With the above patches applied, the 'genprotimg' command
can be used to verify the host key document automatically:
$ genprotimg -i /boot/vmlinuz -r /boot/initrd.img -p parmfile \
-k HKD-8651-00020089A8.crt -o /boot/secure-linux \
--cert DigiCertCA.crt --cert ibm-z-host-key-signing.crt
(in this case ‘--no-verify‘ get obsolete)
* More detailed information is available here:
http://public.dhe.ibm.com/software/dw/linux390/docu/l110se01.pdf
* Due to the lack of hardware, the verification needs to be done by
IBM.
[Where problems could occur]
* If the 'genprotimg' way of verifying the host key document
is erroneous, tool based verification can be broken,
which may force people having to use '--no-verify'
and fall back to manual (openssl based) verification again.
* In worst case a 'false positive' verification
of a host key document may occur,
that might provide a false sense of security.
Hence proper testing is crucial!
* Quite some code was added that is only used for this verification
(like 'curl'), which may break things indirectly.
Using '--no-verify' may allow to overcome such issues again.
* Overall this is all unique to s390x,
and again special to 'secure execution' and would affect
only z15 or LinuxONE III systems with FC 115 enabled.
* The system where the Host-Key document is verified or
where the image is built, needs to be online - otherwise the
verification is not possible, because the needed up-to-date
CRLs cannot be downloaded.
[Fixes]
* For Hirsute, only the following upstream patch is needed:
d90344a2d5ca3a0caacf7d0c12f981be86862d8c d90344a ("genprotimg: check return value of BIO_reset")
* For Focal, the following patches are needed (the first one as
backport):
* 074de1e14ed785c18f55ecf9762ac3f5de3465b4 074de1e ("genprotimg: add host-key document verification support")
To get this commit in, the attached backport is needed:
https://launchpadlibrarian.net/559224229/0001-genprotimg-add-host-key-document-verification-suppor.patch
* 7827a791c98dbf14f7e5dfd1c9ea14365cac6272 7827a79 ("genprotimg: add
missing return")
* d90344a2d5ca3a0caacf7d0c12f981be86862d8c d90344a ("genprotimg:
check return value of BIO_reset")
[Other Info]
* Test builds were created for both, hirsute and focal,
each s390-tools and s390-tools-signed,
and have been published at PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1942908
__________
Fixing zKVM: Host Key Document Verification - SRU to U20.04LTS
Description:
Fix of genprotimg allowing the tool to verify the validity of IBM Secure Execution host key documents.
Without that, customers must verify the host key document by themselves,which is error prone and may impact security.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1942908/+subscriptions
More information about the Ubuntu-sponsors
mailing list