[Bug 1968260] Re: [UBUNTU 20.04] genprotimg fails to process z15 host key documents after April 2022 (s390-tools)

Frank Heimes 1968260 at bugs.launchpad.net
Mon Apr 11 16:08:37 UTC 2022 

s390-tools-signed debdiff for LP#1968259 and LP#1968259 / impish

** Patch added: "s390-tools-signed debdiff for LP#1968259 and LP#1968259 / impish"
   https://bugs.launchpad.net/ubuntu/+source/s390-tools-signed/+bug/1968260/+attachment/5579394/+files/debdiff_lp1968259+lp1968260_s390-tools-signed_sru_impish.patch

** Changed in: s390-tools-signed (Ubuntu Impish)
       Status: New => In Progress

** Changed in: s390-tools (Ubuntu Impish)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1968260

Title:
  [UBUNTU 20.04] genprotimg fails to process z15 host key documents
  after April 2022 (s390-tools)

Status in Ubuntu on IBM z Systems:
  New
Status in s390-tools package in Ubuntu:
  In Progress
Status in s390-tools-signed package in Ubuntu:
  In Progress
Status in s390-tools source package in Focal:
  New
Status in s390-tools-signed source package in Focal:
  New
Status in s390-tools source package in Impish:
  In Progress
Status in s390-tools-signed source package in Impish:
  In Progress
Status in s390-tools source package in Jammy:
  In Progress
Status in s390-tools-signed source package in Jammy:
  In Progress

Bug description:
  SRU Justification:
  ==================

  [Impact]

   * DigiCert is the CA issuing the signing certificate for Secure Execution
     host key documents. This certificate is used for the verification of the
     host key document validity.

   * Recently, DigiCert has changed the root CA certificate used for issuance
     of the signing certificates.

   * As genprotimg is checking the CA serial, the verification of the chain of
     trust will fail.

   * As a workaround, it is possible to disable certificate verification,
     but this is of course not recommended, because it makes it easier to
     provide a fake host key document.

   * Since the previously issued host key documents are expiring in April 2022,
     it is necessary to fix genprotimg to accept the newly issued host key
     documents.

   * The situation is now addressed by removing the DigiCert root CA
  pinning.

   * The root CA used for the chain of trust can change in the future,
     therefore it makes sense to remove this check.

   * If someone wants to enforce the usage of a specific root CA, it can be
     selected by the genprotimg command line option `--root-ca $CA`.

   * Make it transparent to the user which root CA is actually being used by
     printing the subject name of the root CA to stdout in verbose mode.

  [Fix]

   * 78b0533 78b053326c504c0535b5ec1c244ad7bb5a1df29d ("genprotimg:
  remove DigiCert root CA pinning")

  [Test Plan]

   * The usage of secure execution is nicely documented at the
     'Introducing IBM Secure Execution for Linux' docs.
     https://www.ibm.com/docs/en/linux-on-systems?topic=virtualization-introducing-secure-execution-linux
     Relevant for this fix is paragraph 'Verifying the host key document'
     https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document

   * Especially notice the 'About this task' section that references the
     check_hostkeydoc script to perform the verification steps.

   + Due to the fact that Secure Execution requires z15 as a minimal
     hardware level, the testing is done by IBM.

   * (Test can be done in combination with LP#1968259.)

  [Where problems could occur]

   * The removal of the DigiCert root CA pinning can - if not carefully done)
     lead to wrong - in worst case false positive checks by genprotimg.

   * The main code changes decouple the checks from DigiCert root (ca_skid) 
     and to allow more general X509 certificates.
     If not done thoroughly (pv_crypto_def.h, pv_args.c, pv_image.c,
     crypto..h and crypto.c), issues will be caused while checking
     certificates. Maybe not only new ones, but also old ones.

   * Overall this is an s390x topic only, and even there only relevant for
     Secure Execution (KVM) TEE environments.

  [Other Info]
   
   * Even if the LP bug title references focal only, this fix is also needed
     for all newer Ubuntu releases - here: impish and jammy.
  __________

  == Comment: #0 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 08:55:11 ==
  DigiCert is the CA issuing the signing certificate for Secure Execution host key documents. This certificate is used for the verification of the host key document validity. Recently, DigiCert has changed the root CA certificate used for issuance of the signing certificates.
  As genprotimg is checking the CA serial, the verification of the chain of trust will fail. As a workaround, it is possible to disable certificate verification, but this is not recommended because it makes it easier to provide a fake host key document.
  Since the previously issued host key documents are expiring in April 2022, it is necessary to fix genprotimg to accept the newly issued host key documents.

  Contact Information = Viktor Mihajlovski <mihajlov at de.ibm.com>

  == Comment: #2 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 08:57:47 ==
  Fixed by:

  https://github.com/ibm-s390-linux/s390-tools

  commit 78b053326c504c0535b5ec1c244ad7bb5a1df29d
  Author: Marc Hartmayer <mhartmay at linux.ibm.com>
  Date:   Thu Mar 31 14:00:31 2022 +0000

      genprotimg: remove DigiCert root CA pinning

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1968260/+subscriptions

More information about the Ubuntu-sponsors mailing list