[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

Seth Arnold 2059303 at bugs.launchpad.net
Tue Apr 23 00:48:44 UTC 2024


I've been asked to try to help these updates along; I'm not on the SRU
team so I can't give concrete directions, only suggestions.

My assumption is that these package updates should be published first to
-updates for autopkgtest testing, and once they have passed testing and
phased to users, then we should republish these updates to -security so
that they are available to all users. Does this sound correct?

This is much easier to execute if the updates have been built in a PPA
with only -security enabled, and not -updates. (The -security pocket is
built with only packages from -release and -security, not -updates.) Do
packages built in such a PPA exist?

The SRU workflow asks for packages to be either uploaded with dput to
the queue or debdiffs provided. I see some debdiffs here, but some
additional work was performed after most of the debdiffs were uploaded.
Are the posted debdiffs something that the SRU team should work with?
The Ubuntu Sponsors team was added around three weeks ago, before much
of the work was done, it's entirely possible that this has fallen off
their radar as a result. (And, the general hustle of responding to the
xz-utils issue, release time goals, etc.)

So, with the reminder that I'm not on the SRU team, I think the next
steps should be:

- prepare a PPA with only -security enabled
- build packages
- ask SRU team to move the packages to -proposed and see how autopkgtests go
- phase the update
- ask the security team to binary copy the packages to -security once it's proven in the field

What do you think?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

Status in Ubuntu on IBM z Systems:
  In Progress
Status in s390-tools package in Ubuntu:
  Fix Released
Status in s390-tools-signed package in Ubuntu:
  Fix Released
Status in s390-tools source package in Focal:
  In Progress
Status in s390-tools-signed source package in Focal:
  In Progress
Status in s390-tools source package in Jammy:
  In Progress
Status in s390-tools-signed source package in Jammy:
  In Progress
Status in s390-tools source package in Mantic:
  In Progress
Status in s390-tools-signed source package in Mantic:
  In Progress
Status in s390-tools source package in Noble:
  Fix Released
Status in s390-tools-signed source package in Noble:
  Fix Released

Bug description:
  SRU Justification:

  [ Impact ]

   * Symptom:

     * There is an issue with the Secure Execution (SE) tooling,
       especially the new IBM host-key subject locality,
       that leads to the fact that on April 24 (z15) / March 29 (z16)
       users will notice that the tooling for Secure execution will no
       longer detect that the provided IBM signing key for that generation
       is a valid IBM signing key.

     * The error message will contain "no IBM signing key found" or similar.
       The respective tool will reject creating an encrypted request/image
       as it could not verify the host-key for its validity.

     * This affects the genprotimg, pvattest, and pvsecret tools.
       (Please notice that these tools got introduced over time with different
        s390-tools versions that belong to different Ubuntu releases).

   * Problem:

     * The new IBM signing keys no longer contain 'Poughkeepsie' as
       'subject locality' and 'Armonk' is used.

     * The SE tooling checks, beside other things, for the subject in the
       IBM signing key.

     * If the subject is not the expected one, the certificate is not
       recognized as a valid IBM signing key.
       And without a valid IBM signing key, the host-key verification
       cannot succeed and users cannot build trustable SE images and
       attestation or add-secret requests.

   * Solution:

     * Mitigations are available upstream.

     * The fixes allow Armonk as additional locality in the subject
       and allow potential mismatches in the locality of revocation list
       or host-key issuer subject that may still contain Poughkeepsie
       instead of Armonk.

  [ Test Plan ]

   * The testing is required for all three affected tools:
     genprotimg, pvattest, and pvsecret

   * Obtain a (z15) Host-key document e.g. via the official channel
     see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document

   * Get a signing key (z15) + intermediate certificate
     see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document

   * (optional) verify that the signing key is a new one
     check for: Locality Armonk
     $ openssl x509 -text -in international_business_machines_corporation.crt | grep Subject
     Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International Business Machines Corporation
     Here "L" **must** be Armonk, and not Poughkeepsie!

   * Run the tools (if available, depends on the s390-tools version):
     The fixed tools will accept the cert chain and exit with exit code 0
     and the output generated.
     The non-fixed will print n error message, abort, and report exit != 0

   * $ genprotimg: genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt
     # BEFORE_FIX:
     Failed to verify host-key document: please specify at least one IBM Z signing key
     # AFTER_FIX:
     # exit code 0

   * $ pvattest create -VVV -o tmp --arpk arpk -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt
     # BEFORE_FIX:
     ERROR: Creating the attestation request failed:
     Specify at least one IBM Z signing key
     # AFTER_FIX:
     # exit code 0

   * $ pvsecret create --hdr ~/secure_guest.hdr -o tmp -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/armonk/DigiCertCA.crt meta
     # BEFORE_FIX:
     error: Host-key verification failed: Specify one IBM Z signing key
     # AFTER FIX:
     Successfully generated the request

   * Note: You can use any z15 host-key you like.
     It does not has to match to the machine you are running on.
     For the secure-guest.hdr in pvsecret you can use any se-header you like.
     You can use a test-asset from s390-tools repository:
     https://github.com/ibm-s390-linux/s390-tools/raw/master/rust/pv/tests/assets/exp/secure_guest.hdr

  [ Where problems could occur ]

   * The tools genprotimg, pvattest, and pvsecret tools are affected.
     Since they got introduced over time with different s390-tools versions
     that belong to different Ubuntu releases, it's important to figure out the
     commits/patches that are required for each release.

   * The refactoring commit f6c6f0cc712433221fb0588c754e0d09884453dd
     ("rust/pv/test: Code + Certificate refactoring") is needed
     for noble and mantic, but needs several adjustments due to context changes.
     The code could be negatively affected and the build might even break.
     (A test build in PPA mitigates such issues.)

   * As host host-key issuer subject now Poughkeepsie and Armonk is allowed.
     If the conditional statements are not properly coded, either Poughkeepsie
     or Armonk might be allowed, which would fails in case the opposite is used.
     (Testing if the IBM signing key is valid will mitigate this.)

   * In worst case a broken detection of the host-key issuer subject may lead
     to positive validations, regardless of the subject content.
     (Testing if the IBM signing key is valid will mitigate this.)

   * A test build for all affected Ubuntu releases (N, M, J and F) succeeded
     and is available via this PPA:
     https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303

   * These test packages will be pre-tested by IBM.

   * This affected Secure Execution (SE) functionality only on s390x.
     No other tools that are part of the s390-tools packages are affected
     (or got modified in any way).

  [ Other Info ]

   * Secure Execution (SE) was introduced with in Ubuntu Server for s390x
     with 20.04 LTS, hence 20.04 LTS and higher is affected.

   * And with that the s390-tools versions that are still in service:
     2.12.0-0ubuntu3.7  | focal-updates
     2.20.0-0ubuntu3.2  | jammy-updates
     2.29.0-0ubuntu2.1  | mantic-updates
     2.30.0-0ubuntu1 | noble-updates / 2.31.0-0ubuntu4 | noble-proposed

   * The following commits / patches need to be applied to the following
     s390-tools versions:
     * f6c6f0cc712433221fb0588c754e0d09884453dd
       ("rust/pv/test: Code + Certificate refactoring")
       to noble, mantic
     * 1a3d0b74f7819f5e087e6ecbf3ec879a05a88bbc
       ("rust/pv: Support `Armonk` in IBM signing key subject")
       to noble, mantic
     * d14e7593cc6380911ca42b09e11c53477ae13d5c
       ("genprotimg: support `Armonk` in IBM signing key subject")
       to noble, mantic, jammy, focal
     * d7c95265cdb6217b0203efa5893c3a27838af63c
       ("libpv: Support `Armonk` in IBM signing key subject")
       to noble, mantic, jammy
     * 2b5e7b049123aff094c7de79ba57a5df09471b2e
       ("pvattest: Fix root-ca parsing")
       to noble, mantic, jammy
     * 8723dbce048add87ce10fe8c72eea75c4f828ef8
       ("genprotimg: add OpenSSL 3.0 support")
       c5d566a4dab559f4d42c62181fcf314a4042bc6d
       ("genprotimg/crypto: use X509_get0_not(After|Before)")
       f5744b95db93fa9d5cfd6fb206767ad2dcc3c804
       ("genprotimg: Fix build with OpenSSL 1.1")
       all to focal only
  __________

  Description: SE-tooling: New IBM host-key subject locality
  Symptom:
          On April 24 (z15) / March 29 (z16) user will notice that the
          tooling for Secure execution will no longer detect that the provided
          IBM signing key for that generation is a valid IBM signing key. The
          error message will contain "no IBM signing key found" or similar. The
          respective tool will reject creating an encrypted request/image as it
          could not verify the host-key for its validity. This affects
          genprotimg, pvattest, and pvsecret.
  Problem:
          The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject
          locality' and 'Armonk' is used. The SE tooling checks, beside other
          things, for the subject in the IBM signing key. If the subject is not
          the expected one, the certificate is not recognized as a valid IBM
          signing key. With no valid IBM signing key, the host-key verification
          cannot succeed and users cannot build trustable SE images and
          attestation or add-secret requests.
  Solution:
          Mitigations are available upstream. The fixes allow Armonk as
          additional locality in the subject and allow potential mismatches in
          the locality of revocation list or host-key issuer subject that may
          still contain Poughkeepsie instead of Armonk.
  Reproduction:  Use a new IBM signing key in the unpatched tooling.

  The fix is required due to the circumstances described here:
  https://www.ibm.com/docs/en/linux-on-systems?topic=systems-whats-new#iplsdkwhatsnew__title__2

  This is required for all Ubuntu releases in service that support secure execution.
  Therefore, Ubuntu 20.04 LTS (focal) and above are affected and need to be fixed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions




More information about the Ubuntu-sponsors mailing list