[Bug 1968259] Re: [UBUNTU 20.04] check_hostkeydoc is checking the certificate issuer too strictly (s390-tools)

Frank Heimes 1968259 at bugs.launchpad.net
Mon Apr 11 16:00:53 UTC 2022 

** Merge proposal linked:
   https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools-signed/+git/s390-tools-signed/+merge/419218

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1968259

Title:
  [UBUNTU 20.04] check_hostkeydoc is checking the certificate issuer too
  strictly (s390-tools)

Status in Ubuntu on IBM z Systems:
  New
Status in s390-tools package in Ubuntu:
  In Progress
Status in s390-tools-signed package in Ubuntu:
  In Progress
Status in s390-tools source package in Focal:
  New
Status in s390-tools-signed source package in Focal:
  New
Status in s390-tools source package in Impish:
  In Progress
Status in s390-tools-signed source package in Impish:
  In Progress
Status in s390-tools source package in Jammy:
  In Progress
Status in s390-tools-signed source package in Jammy:
  In Progress

Bug description:
  SRU Justification:
  ==================

  [Impact]

   * The s390-tools script check_hostkeydoc can be used to perform the
     verification of the chain of trust for Secure Execution host key documents.

   * The certificate verification is however too strict and doesn't match the
     checking performed by the genprotimg tool.

   * Affected is the OU field in the issuer DN of the host key document.
     As a consequence, verification failures will occur for host key documents
     issued for newer hardware generations like IBM z16.

   * While the original default issuer's organizationalUnitName (OU)
    was defined as "IBM Z Host Key Signing Service", any OU ending
    with "Key Signing Service" is considered legal by this fix/commit.

   * So the default issuer check got relaxed by stripping off characters
    preceding "Key Signing Service".

  [Fix]

   * 673ff37 673ff375d939d3cde674f8f99a62d456f8b1673d
  ("genprotimg/check_hostkeydoc: relax default issuer check")

  [Test Plan]

   * The usage of secure execution is nicely documented at the
     'Introducing IBM Secure Execution for Linux' docs.
     https://www.ibm.com/docs/en/linux-on-systems?topic=virtualization-introducing-secure-execution-linux
     Relevant for this fix is paragraph 'Verifying the host key document'
     https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document

   * Especially notice the 'About this task' section that references the
     check_hostkeydoc script to perform the verification steps.

   + Due to the fact that Secure Execution requires z15 as a minimal
     hardware level, the testing is done by IBM.

  [Where problems could occur]

   * Problem can occur in the check_hostkeydoc helper script only.

   * The script cane become broken at all and may refuse to properly verify
     even valid signed keys.

   * The sed statement in the script might be wrong and  cut out a wrong
     organizationalUnitName.

   * And since this is a helper script and the verification can also be done
     without this script, the risk is not too high.

   * A verification can be done based with check_hostkeydoc and with the manual
     steps (with a valid and invalid signed key) to validate equal results.

   * The modification are relatively straight-formward:
     https://github.com/ibm-s390-linux/s390-tools/commit/673ff375d939d3cde674f8f99a62d456f8b1673d

   * And overall this is an s390x topic only, and even there only relevant for
     Secure Execution (KVM) TEE environments only.

  [Other Info]
   
   * Even if the LP bug title references focal only, this fix is also needed
     for all newer Ubuntu releases - here: impish and jammy.

  __________

  == Comment: #0 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 09:16:49 ==
  The s390-tools script check_hostkeydoc can be used to perform the verification of the chain of trust for Secure Execution host key documents.
  The certificate verification is however too strict and doesn't match the checking performed by genprotimg.
  Affected is the OU field in the issuer DN of the host key document. As a consequence, verification failures will occur for host key documents issued for newer hardware generations like IBM z16.

  == Comment: #1 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 09:18:08 ==
  Fixed by:

  https://github.com/ibm-s390-linux/s390-tools

  commit 673ff375d939d3cde674f8f99a62d456f8b1673d
  Author: Viktor Mihajlovski <mihajlov at linux.ibm.com>
  Date:   Tue Mar 15 12:55:02 2022 +0100

      genprotimg/check_hostkeydoc: relax default issuer check

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1968259/+subscriptions

More information about the Ubuntu-sponsors mailing list