[20.04 FEAT] Base KVM setup for secure guests - kernel part

Bug #1835531 reported by bugproxy
Affects                  Status        Importance  Assigned to   Milestone
Ubuntu on IBM z Systems  Fix Released  High        Frank Heimes
linux (Ubuntu)           Fix Released  Undecided   Frank Heimes

Bug Description

Enable KVM guests to start and control a guest running in secure mode.
With that, customers can securely run sensitive workloads in KVM on premises and in the cloud.
Feature Request for kernel contribution

Target kernel will be 5.3. Currently not available.
Git-commit / backport will be provided


bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-177556 severity-high targetmilestone-inin1910
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes) wrote :

So far the planned target kernel for 'eoan' is 5.2 - hence in case this can be picked up, it needs to be added on top.
Once the patches are upstream accepted in 5.3 and are listed here, we will see if they can be added. Setting to Incomplete for now.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in ubuntu-z-systems:
status: New → Incomplete
importance: Undecided → High
assignee: nobody → Frank Heimes (frank-heimes)
Frank Heimes (fheimes) wrote :

New planned target kernel for eoan is 5.3.
Leaving as Incomplete for now - will be changed to Fix Committed once 5.3 has arrived in eoan-proposed.

Changed in linux (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → Frank Heimes (frank-heimes)
summary: - [19.10 FEAT] Base KVM setup for secure guests - kernel part
+ [20.04 FEAT] Base KVM setup for secure guests - kernel part
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2019-07-30 07:23 EDT-------
Moved target to 20.04, will not make it in time for 19.10

tags: added: targetmilestone-inin2004
removed: targetmilestone-inin1910
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2019-11-22 08:03 EDT-------
Planned Target : kernel 5.4

Frank Heimes (fheimes) wrote :

Since kernel 5.4 landed in focal proposed:
linux-generic | 5.4.0.8.9 | focal-proposed | s390x
I'm updating the status to Fix Committed.

Changed in linux (Ubuntu):
status: Incomplete → Fix Committed
Changed in ubuntu-z-systems:
status: Incomplete → Fix Committed
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2019-12-16 08:51 EDT-------
Kernel target update:

Target: kernel >=5.6 .

Please reset to "incomplete"

Frank Heimes (fheimes) wrote :

Changing back to Incomplete according to comment #6

Changed in linux (Ubuntu):
status: Fix Committed → Incomplete
Changed in ubuntu-z-systems:
status: Fix Committed → Incomplete
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-02-03 08:45 EDT-------
Initial git commits as a heads-up:

https://<email address hidden>/T/#t

Final information will follow once available.

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-02-26 10:33 EDT-------
A backport of the patches on top of 5.4 can be found at https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux.git?h=54_pv

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-02-26 11:06 EDT-------
The direct link is
https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux.git/log/?h=54_pv
and it's on top of 5.4.22

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Incomplete → Triaged
Changed in linux (Ubuntu):
status: Incomplete → New
Seth Forshee (sforshee) wrote :

Those patches don't look to be upstream yet. Are they in linux-next? A maintainer tree? With changes of this magnitude we'd at least like to see them in linux-next before applying them (and with references to the SHA1s from linux-next as with 'git cherry-pick -x').

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-02-27 04:46 EDT-------
These patches can be applied seamlessly on top of the focal/next branch.
And after the build, the test also went fine.

We would like to get a PPA built by the Canonical build system.

Then we will use this PPA to make sure that the process and code quality are good for integration after Feature Freeze.

Can we get this PPA as soon as possible?

Many thanks in advance

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-03-02 04:37 EDT-------
@CAN. Is it possible to get a PPA for our internal testing? Many thanks in advance.

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-03-02 05:42 EDT-------
As requested (the commit IDs), I redid this branch so that it now also contains the cherry-pick commit IDs (except for the last one).
I also rebased on top of 5.4.23.

https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux.git/log/?h=54_pv

The commit IDs are based on the kvms390 next branch (and tomorrow's linux-next). All are scheduled for 5.7.
The last patch is currently under discussion, and Andrew Morton indicated that he will pick the next version for his mm tree for 5.7.
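
The provenance check asked for earlier in this thread (backport commits carrying `git cherry-pick -x` references to the linux-next SHA1s), and the branch described in the comment above that now carries those IDs for all but the last patch, can be audited mechanically. The following is an added example, not code from the bug report, the Ubuntu kernel team or the kvms390 tree: it parses `git log` output of a backport branch, extracts the `(cherry picked from commit ...)` trailers and checks each one against the set of commit IDs of the tree the backport claims to derive from. All commit IDs and log text below are constructed for illustration; in real use the log would come from `git log --format='%H%n%B%x00' <base>..<backport-branch>` and the upstream set from `git rev-list` of the linux-next or maintainer branch.

```python
"""Audit a kernel backport branch for upstream provenance trailers.

Added example, not from the bug report or the kvms390 tree. It assumes the
log text is what `git log --format='%H%n%B%x00' <base>..<backport>` prints
(one NUL-terminated record per commit: full SHA, newline, full message) and
that `upstream_shas` holds the commit IDs of the tree the backport claims to
come from (for example `git rev-list` of linux-next). All IDs below are
constructed and are not real kernel commits.
"""
from __future__ import annotations

import re

# Trailer that `git cherry-pick -x` appends; accepts abbreviated or full IDs.
CHERRY_PICK_RE = re.compile(
    r"^\(cherry picked from commit ([0-9a-fA-F]{7,40})\)\s*$", re.MULTILINE
)


def parse_log(log: str) -> list[tuple[str, str]]:
    """Split NUL-separated git log records into (sha, message) tuples."""
    entries = []
    for record in log.split("\x00"):
        record = record.strip()
        if not record:
            continue
        sha, _, message = record.partition("\n")
        entries.append((sha.strip().lower(), message))
    return entries


def audit_backport(log: str, upstream_shas) -> dict[str, tuple[str, list[str]]]:
    """Classify every backport commit.

    Returns {backport_sha: (status, referenced_ids)} where status is one of
      'ok'               every referenced ID resolves in the upstream set
      'missing_trailer'  no cherry-pick trailer at all
      'unknown_upstream' a trailer names an ID the upstream tree does not have
    Abbreviated IDs are matched as prefixes of the full upstream IDs.
    """
    upstream = {s.lower() for s in upstream_shas}
    findings: dict[str, tuple[str, list[str]]] = {}
    for sha, message in parse_log(log):
        refs = [r.lower() for r in CHERRY_PICK_RE.findall(message)]
        if not refs:
            findings[sha] = ("missing_trailer", [])
            continue
        unresolved = [r for r in refs if not any(u.startswith(r) for u in upstream)]
        if unresolved:
            findings[sha] = ("unknown_upstream", unresolved)
        else:
            findings[sha] = ("ok", refs)
    return findings


# Constructed sample data: made-up 40-hex commit IDs.
UPSTREAM_A, UPSTREAM_B, UPSTREAM_UNKNOWN = "1" * 40, "2" * 40, "3" * 40
BACKPORT_1, BACKPORT_2, BACKPORT_3, BACKPORT_4 = "a" * 40, "b" * 40, "c" * 40, "d" * 40

SAMPLE_UPSTREAM = {UPSTREAM_A, UPSTREAM_B}

SAMPLE_LOG = (
    f"{BACKPORT_1}\nKVM: s390: example patch one\n\n"
    f"Body text.\n\n(cherry picked from commit {UPSTREAM_A})\n"
    "Signed-off-by: Example Backporter <backporter@example.com>\n\x00"
    f"{BACKPORT_2}\nKVM: s390: example patch two\n\n"
    f"(cherry picked from commit {UPSTREAM_B[:12]})\n\x00"  # abbreviated ID
    f"{BACKPORT_3}\nmm: example common-code patch\n\n"
    "Still under discussion upstream; no cherry-pick trailer.\n\x00"
    f"{BACKPORT_4}\nKVM: s390: example patch four\n\n"
    f"(cherry picked from commit {UPSTREAM_UNKNOWN})\n\x00"
)


if __name__ == "__main__":
    for sha, (status, refs) in audit_backport(SAMPLE_LOG, SAMPLE_UPSTREAM).items():
        print(f"{sha[:12]}  {status:16}  {' '.join(r[:12] for r in refs)}")
```

Commits reported as `missing_trailer` are the ones a reviewer has to justify by hand (here, the patch still under discussion on the mm list), and `unknown_upstream` means a trailer points at an ID the named tree does not contain, which is exactly the situation a rebase of linux-next can produce and why the thread waits for a stable commit ID before closing.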

Frank Heimes (fheimes)
information type: Private → Public
Frank Heimes (fheimes) wrote :
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-03-12 06:15 EDT-------
The common code change is now part of linux-next:

commit ed02ecf746194c260308819892b08372c0078723
Author: Claudio Imbrenda <email address hidden>
AuthorDate: Thu Mar 12 15:29:05 2020 +1100
Commit: Stephen Rothwell <email address hidden>
CommitDate: Thu Mar 12 15:29:05 2020 +1100

mm/gup/writeback: add callbacks for inaccessible pages

Frank Heimes (fheimes) wrote :

That's good news - thx for the heads-up !

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-03-12 07:49 EDT-------
I have updated the 5.4 backport branch and replaced the last patch with a backport of the variant from linux-next.

https://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux.git/log/?h=54_pv

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-03-16 06:36 EDT-------
Initial tests performed using the PPA packages (kernel, s390-tools and QEMU): everything works stable and as expected.

Frank Heimes (fheimes) wrote :

Many thx for the feedback!

Changed in linux (Ubuntu):
status: New → Invalid
Frank Heimes (fheimes) wrote :

Since the kernel team is currently evaluating the patch set the status for the kernel entry should be New or even Triaged - it's not Invalid.
I assigned the ticket to me - hence I'm happy to do the status updates ...

Changed in linux (Ubuntu):
status: Invalid → Triaged
Seth Forshee (sforshee) wrote :

Patches applied for focal.

Changed in linux (Ubuntu):
status: Triaged → Fix Committed
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Triaged → Fix Committed
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-03-25 03:24 EDT-------
Test started on 5.4.0-20-generic.

Basic test and unit test finished successfully. Some more tests pending.

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-03-25 04:28 EDT-------
Further testing looks good.

tags: added: verification-done-focal
removed: verification-needed-focal
Frank Heimes (fheimes) wrote :

Many thx for test, verification and feedback, Christian!

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-03-25 05:14 EDT-------
I can confirm, upgrade went seamlessly. Everything looks good.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-21.25

---------------
linux (5.4.0-21.25) focal; urgency=medium

  * CVE-2020-8835
    - SAUCE: bpf: undo incorrect __reg_bound_offset32 handling

 -- Thadeu Lima de Souza Cascardo <email address hidden> Thu, 26 Mar 2020 17:51:28 -0300

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-03-31 07:31 EDT-------
IBM Bugzilla status->closed, Fix Released with focal

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-04-03 02:46 EDT-------
For reference (in case Canonical wants to track upstream commit IDs):
Linus Torvalds has finally pulled the KVM/Kernel changes scheduled for 5.7-rc1.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c1b724ddb218f221612d4c649bc9c7819d8d7a6

the commit IDs have not changed.

Same for the common code memory management patch
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f28d43636d6f940e60abef4f0131119836c8ebd4

which now has a stable commit ID.
