[Bug 1942908] Re: Fixing zKVM: Host Key Document Verification - SRU to U20.04LTS

Lukas Märdian 1942908 at bugs.launchpad.net
Mon Sep 27 11:35:43 UTC 2021


For focal the patches look good, too. The cherry-picks match upstream
and the backport looks sane.

I only have two small questions regarding the backport:

1/ Should we cherry-pick
https://github.com/ibm-s390-linux/s390-tools/commit/db6f272607842a6279fee589fb101f3a1f6148f3
as well? This would reduce some delta from the backport patch.

2/ the genprotimg/src/utils/curl.{c,h} files are created with 644
permissions upstream, while we ship them as 664 (like all the other
genprotimg files). Both should work IMO and this should not have any
significance, or does it?

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1942908

Title:
  Fixing zKVM: Host Key Document Verification - SRU to U20.04LTS

Status in Ubuntu on IBM z Systems:
  In Progress
Status in s390-tools package in Ubuntu:
  Fix Released
Status in s390-tools-signed package in Ubuntu:
  Fix Released
Status in s390-tools source package in Focal:
  New
Status in s390-tools-signed source package in Focal:
  New
Status in s390-tools source package in Hirsute:
  New
Status in s390-tools-signed source package in Hirsute:
  New

Bug description:
  SRU Justification:
  ==================

  [Impact]

   * Fix of 'genprotimg' allowing the tool to verify the validity
     of IBM Secure Execution host key documents.

   * Without that, customers must verify the host key document by themselves,
     which is error prone and may impact security.

  [Test Plan]

   * A z15 or LinuxONE III LPAR with FC 115 is needed,
     running Ubuntu Server 20.04 (respectively 21.04).

   * Obtain a host key document from 'IBM Resource Link'.
     (A public host key is an X.509 certificate, signed with an IBM key.)

   * Create an IBM Secure Execution image, using the obtained host key like:
     genprotimg -i /boot/vmlinuz -r /boot/initrd.img -p parmfile \
      --no-verify -k HKD-8651-00020089A8.crt -o /boot/secure-linux
     (optional, host key can also be verified w/o having created an image)

   * Use the 'genprotimg' command to automatically verify the
     host key document
     (instead of using the manual and error prone verification procedure
      using plain openssl command-line).

   * More detailed information is available here:
     http://public.dhe.ibm.com/software/dw/linux390/docu/l110se01.pdf

   * Due to the lack of hardware, the verification needs to be done by
     IBM.

  [Where problems could occur]

   * If the 'genprotimg' way of verifying the host key document
     is erroneous, tool based verification can be broken,
     which may force people to use '--no-verify'
     and fall back to manual (openssl based) verification again.

   * In worst case a 'false positive' verification
     of a host key document may occur,
     that might provide a false sense of security.
     Hence proper testing is crucial!

   * Quite some code was added that is only used for this verification
     (like 'curl'), which may break things indirectly.
     Using '--no-verify' may allow such issues to be overcome again.

   * Overall this is all unique to s390x,
     and again special to 'secure execution' and would affect
     only z15 or LinuxONE III systems with FC 115 enabled.

  [Fixes]

   * For Hirsute, only the following upstream patch is needed:
     d90344a2d5ca3a0caacf7d0c12f981be86862d8c d90344a ("genprotimg: check return value of BIO_reset")

   * For Focal, the following patches are needed (the first one as backport):
   
   * 074de1e14ed785c18f55ecf9762ac3f5de3465b4 074de1e ("genprotimg: add host-key document verification support")
     To get this commit in, the attached backport is needed:
     https://launchpadlibrarian.net/559224229/0001-genprotimg-add-host-key-document-verification-suppor.patch

   * 7827a791c98dbf14f7e5dfd1c9ea14365cac6272 7827a79 ("genprotimg: add missing return")

   * d90344a2d5ca3a0caacf7d0c12f981be86862d8c d90344a ("genprotimg: check return value of BIO_reset")

  [Other Info]
   
   * Test builds were created for both, hirsute and focal,
     each s390-tools and s390-tools-signed,
     and have been published at PPA: 
     https://launchpad.net/~fheimes/+archive/ubuntu/lp1942908

  __________

  Fixing zKVM: Host Key Document Verification - SRU to U20.04LTS

  Description:
  Fix of genprotimg allowing the tool to verify the validity of IBM Secure Execution host key documents.
  Without that, customers must verify the host key document by themselves, which is error prone and may impact security.
