[Bug 2059303] [NEW] [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

Launchpad Bug Tracker 2059303 at bugs.launchpad.net
Tue Apr 2 17:22:09 UTC 2024 

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Frank Heimes (fheimes):

Description: SE-tooling: New IBM host-key subject locality
Symptom:       
        On April 24 (z15) / March 29 (z16) user will notice that the
        tooling for Secure execution will no longer detect that the provided
        IBM signing key for that generation is a valid IBM signing key. The
        error message will contain "no IBM signing key found" or similar. The
        respective tool will reject creating an encrypted request/image as it
        could not verify the host-key for its validity. This affects
        genprotimg, pvattest, and pvsecret.
Problem:        
        The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject
        locality' and 'Armonk' is used. The SE tooling checks, beside other
        things, for the subject in the IBM signing key. If the subject is not
        the expected one, the certificate is not recognized as a valid IBM
        signing key. With no valid IBM signing key, the host-key verification
        cannot succeed and users cannot build trustable SE images and
        attestation or add-secret requests.
Solution:       
        Mitigations are available upstream. The fixes allow Armonk as
        additional locality in the subject and allow potential mismatches in
        the locality of revocation list or host-key issuer subject that may
        still contain Poughkeepsie instead of Armonk.
Reproduction:  Use a new IBM signing key in the unpatched tooling.

The fix is required due to the circumstances described here:
https://www.ibm.com/docs/en/linux-on-systems?topic=systems-whats-new#iplsdkwhatsnew__title__2

This is required for all Ubuntu releases in service that support secure execution. 
Therefore, Ubuntu 20.04 LTS (focal) and above are affected and need to be fixed.

** Affects: ubuntu-z-systems
     Importance: Critical
     Assignee: Skipper Bug Screeners (skipper-screen-team)
         Status: New

** Affects: s390-tools (Ubuntu)
     Importance: High
     Assignee: Frank Heimes (fheimes)
         Status: In Progress

** Affects: s390-tools-signed (Ubuntu)
     Importance: High
     Assignee: Frank Heimes (fheimes)
         Status: In Progress

** Affects: s390-tools (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Affects: s390-tools-signed (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Affects: s390-tools (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Affects: s390-tools-signed (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Affects: s390-tools (Ubuntu Mantic)
     Importance: Undecided
         Status: New

** Affects: s390-tools-signed (Ubuntu Mantic)
     Importance: Undecided
         Status: New

** Affects: s390-tools (Ubuntu Noble)
     Importance: High
     Assignee: Frank Heimes (fheimes)
         Status: In Progress

** Affects: s390-tools-signed (Ubuntu Noble)
     Importance: High
     Assignee: Frank Heimes (fheimes)
         Status: In Progress


** Tags: architecture-s39064 bugnameltc-205928 severity-critical targetmilestone-inin---
-- 
[UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
https://bugs.launchpad.net/bugs/2059303
You received this bug notification because you are a member of Ubuntu Sponsors, which is subscribed to the bug report.

More information about the Ubuntu-sponsors mailing list