[Bug 1942908] Re: Fixing zKVM: Host Key Document Verification - SRU to U20.04LTS
Frank Heimes
1942908 at bugs.launchpad.net
Thu Sep 30 19:52:06 UTC 2021
** Changed in: ubuntu-z-systems
Status: In Progress => Fix Committed
--
https://bugs.launchpad.net/bugs/1942908
Title:
Fixing zKVM: Host Key Document Verification - SRU to U20.04LTS
Status in Ubuntu on IBM z Systems:
Fix Committed
Status in s390-tools package in Ubuntu:
Fix Released
Status in s390-tools-signed package in Ubuntu:
Fix Released
Status in s390-tools source package in Focal:
Fix Committed
Status in s390-tools-signed source package in Focal:
New
Status in s390-tools source package in Hirsute:
Fix Committed
Status in s390-tools-signed source package in Hirsute:
New
Bug description:
SRU Justification:
==================
[Impact]
* Fix of 'genprotimg' allowing the tool to verify the validity
of IBM Secure Execution host key documents.
* Without that, customers must verify the host key document by themselves,
which is error prone and may impact security.
[Test Plan]
* A z15 or LinuxONE III LPAR with FC 115 is needed,
running Ubuntu Server 20.04 (respectively 21.04).
* Obtain the host-key document,
the IBM signing key (ibm-z-host-key-signing.crt)
and the intermediate DigiCert CA (DigiCertCA.crt)
from 'IBM Resource Link':
(https://www.ibm.com/servers/resourcelink/lib03060.nsf/pages/IBM-Secure-Execution-for-Linux)
* The system needs to be online (access to the internet) to
be able to automatically download the latest revocation lists.
* Create an IBM Secure Execution image, using the obtained host key like:
$ genprotimg -i /boot/vmlinuz -r /boot/initrd.img -p parmfile \
--no-verify -k HKD-8651-00020089A8.crt -o /boot/secure-linux
(optional, host key can also be verified w/o having created an image)
* With the above patches applied, the 'genprotimg' command
can be used to verify the host key document automatically:
$ genprotimg -i /boot/vmlinuz -r /boot/initrd.img -p parmfile \
-k HKD-8651-00020089A8.crt -o /boot/secure-linux \
--cert DigiCertCA.crt --cert ibm-z-host-key-signing.crt
(in this case '--no-verify' becomes obsolete)
* More detailed information is available here:
http://public.dhe.ibm.com/software/dw/linux390/docu/l110se01.pdf
* Due to the lack of hardware, the verification needs to be done by
IBM.
[Where problems could occur]
* If the 'genprotimg' way of verifying the host key document
is erroneous, tool based verification can be broken,
which may force people to use '--no-verify'
and fall back to manual (openssl based) verification again.
* In the worst case a 'false positive' verification
of a host key document may occur,
that might provide a false sense of security.
Hence proper testing is crucial!
* Quite some code was added that is only used for this verification
(like 'curl'), which may break things indirectly.
Using '--no-verify' may allow one to overcome such issues again.
* Overall this is all unique to s390x,
and again special to 'secure execution' and would affect
only z15 or LinuxONE III systems with FC 115 enabled.
* The system where the Host-Key document is verified or
where the image is built, needs to be online - otherwise the
verification is not possible, because the needed up-to-date
CRLs cannot be downloaded.
[Fixes]
* For Hirsute, only the following upstream patch is needed:
d90344a2d5ca3a0caacf7d0c12f981be86862d8c d90344a ("genprotimg: check return value of BIO_reset")
* For Focal, the following patches are needed (the first one as
backport):
* 074de1e14ed785c18f55ecf9762ac3f5de3465b4 074de1e ("genprotimg: add host-key document verification support")
To get this commit in, the attached backport is needed:
https://launchpadlibrarian.net/559224229/0001-genprotimg-add-host-key-document-verification-suppor.patch
* 7827a791c98dbf14f7e5dfd1c9ea14365cac6272 7827a79 ("genprotimg: add
missing return")
* d90344a2d5ca3a0caacf7d0c12f981be86862d8c d90344a ("genprotimg:
check return value of BIO_reset")
[Other Info]
* Test builds were created for both hirsute and focal,
each s390-tools and s390-tools-signed,
and have been published at PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1942908
__________
Fixing zKVM: Host Key Document Verification - SRU to U20.04LTS
Description:
Fix of genprotimg allowing the tool to verify the validity of IBM Secure Execution host key documents.
Without that, customers must verify the host key document by themselves, which is error prone and may impact security.