Fixing zKVM: Host Key Document Verification - SRU to U20.04LTS
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | High | Frank Heimes |
s390-tools (Ubuntu) | Fix Released | High | Skipper Bug Screeners |
Focal | Fix Released | High | Unassigned |
Hirsute | Fix Released | High | Unassigned |
s390-tools-signed (Ubuntu) | Fix Released | High | Skipper Bug Screeners |
Focal | Fix Released | High | Unassigned |
Hirsute | Fix Released | High | Unassigned |
Bug Description
SRU Justification:
==================
[Impact]
* Fix of 'genprotimg' allowing the tool to verify the validity
of IBM Secure Execution host key documents.
* Without that, customers must verify the host key document by themselves,
which is error prone and may impact security.
[Test Plan]
* A z15 or LinuxONE III LPAR with FC 115 is needed,
running Ubuntu Server 20.04 (respectively 21.04).
* Obtain the host-key document,
the IBM signing key (ibm-z-
and the intermediate DigiCert CA (DigiCertCA.crt)
from 'IBM Resource Link':
(https:/
* The system needs to be online (access to the internet) to
be able to automatically download the latest revocation lists.
* Create an IBM Secure Execution image, using the obtained host key like:
$ genprotimg -i /boot/vmlinuz -r /boot/initrd.img -p parmfile \
--no-verify -k HKD-8651-
(optional, host key can also be verified w/o having created an image)
* With the above patches applied, the 'genprotimg' command
can be used to verify the host key document automatically:
$ genprotimg -i /boot/vmlinuz -r /boot/initrd.img -p parmfile \
-k HKD-8651-
--cert DigiCertCA.crt --cert ibm-z-host-
(in this case '--no-verify' becomes obsolete)
* More detailed information is available here:
http://
* Due to the lack of hardware, the verification needs to be done by IBM.
[Where problems could occur]
* If the 'genprotimg' way of verifying the host key document
is erroneous, tool based verification can be broken,
which may force people to use '--no-verify'
and fall back to manual (openssl based) verification again.
* In worst case a 'false positive' verification
of a host key document may occur,
that might provide a false sense of security.
Hence proper testing is crucial!
* Quite some code was added that is only used for this verification
(like 'curl'), which may break things indirectly.
Using '--no-verify' may help to overcome such issues again.
* Overall this is all unique to s390x,
and again special to 'secure execution' and would affect
only z15 or LinuxONE III systems with FC 115 enabled.
* The system where the Host-Key document is verified or
where the image is built, needs to be online - otherwise the
verification is not possible, because the needed up-to-date
CRLs cannot be downloaded.
[Fixes]
* For Hirsute, only the following upstream patch is needed:
d90344a2d5ca
* For Focal, the following patches are needed (the first one as backport):
* 074de1e14ed785c
To get this commit in, the attached backport is needed:
https:/
* 7827a791c98dbf1
* d90344a2d5ca3a0
[Other Info]
* Test builds were created for both hirsute and focal,
each s390-tools and s390-tools-signed,
and have been published at PPA:
https:/
__________
Fixing zKVM: Host Key Document Verification - SRU to U20.04LTS
Description:
Fix of genprotimg allowing the tool to verify the validity of IBM Secure Execution host key documents.
Without that, customers must verify the host key document by themselves, which is error prone and may impact security.
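Why the revocation lists (and hence the online requirement) matter for this verification, as an added example that is not part of the bug report or of s390-tools: a revoked certificate still passes a chain-only check and is rejected only once the CRL is consulted. It uses a constructed two-level test PKI and plain `openssl verify`; the function names are hypothetical, and this is neither IBM's manual procedure nor the genprotimg implementation.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: every key, certificate and CRL is generated locally.
# Create a throwaway CA and one leaf certificate, revoke the leaf, issue a CRL.
make_demo_pki() {
    local d=$1
    mkdir -p "$d/db" && : > "$d/db/index.txt" && echo 01 > "$d/db/serial"
    cat > "$d/pki.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3ca
[dn]
[v3ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = $d/db/index.txt
serial = $d/db/serial
new_certs_dir = $d/db
certificate = $d/ca.crt
private_key = $d/ca.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = pol
[pol]
commonName = supplied
EOF
    { openssl req -x509 -config "$d/pki.cnf" -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.crt" &&
      openssl req -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
          -subj "/CN=Demo host key" -keyout "$d/leaf.key" -out "$d/leaf.csr" &&
      openssl ca -batch -notext -config "$d/pki.cnf" -in "$d/leaf.csr" -out "$d/leaf.crt" &&
      openssl ca -config "$d/pki.cnf" -revoke "$d/leaf.crt" &&
      openssl ca -config "$d/pki.cnf" -gencrl -out "$d/ca.crl"; } >/dev/null 2>&1
}

# Signature chain only: no revocation data is consulted.
verify_chain_only() { openssl verify -CAfile "$1/ca.crt" "$1/leaf.crt" >/dev/null 2>&1; }

# Signature chain plus CRL: a revoked certificate must be rejected.
verify_with_crl() {
    openssl verify -CAfile "$1/ca.crt" -crl_check -CRLfile "$1/ca.crl" \
        "$1/leaf.crt" >/dev/null 2>&1
}

d=$(mktemp -d) && make_demo_pki "$d"
verify_chain_only "$d" && echo "chain only: accepted (revocation not seen)"
verify_with_crl "$d" || echo "chain + CRL: rejected (certificate revoked)"
rm -rf "$d"
```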
Related branches
- Lukas Märdian (community): Approve
  Diff: 2556 lines (+2510/-1), 6 files modified
  debian/changelog (+15/-0)
  debian/control (+1/-1)
  debian/patches/0001-genprotimg-add-host-key-document-verification.patch (+2379/-0)
  debian/patches/0002-genprotimg-add-missing-return.patch (+42/-0)
  debian/patches/0003-genprotimg-check-return-value-of-BIO_reset.patch (+70/-0)
  debian/patches/series (+3/-0)
- Lukas Märdian (community): Approve
  Diff: 14 lines (+6/-0), 1 file modified
  debian/changelog (+6/-0)
- Lukas Märdian (community): Approve
  Diff: 14 lines (+6/-0), 1 file modified
  debian/changelog (+6/-0)
- Lukas Märdian (community): Approve
  Diff: 104 lines (+82/-0), 3 files modified
  debian/changelog (+9/-0)
  debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch (+72/-0)
  debian/patches/series (+1/-0)
tags: | added: architecture-s39064 bugnameltc-194437 severity-high targetmilestone-inin2004 |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → linux (Ubuntu) |
no longer affects: | linux (Ubuntu Impish) |
no longer affects: | linux (Ubuntu Hirsute) |
no longer affects: | linux (Ubuntu Focal) |
no longer affects: | linux (Ubuntu) |
Changed in s390-tools (Ubuntu): | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
Changed in s390-tools-signed (Ubuntu): | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
Changed in ubuntu-z-systems: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
tags: | added: focal hirsute |
Changed in s390-tools (Ubuntu): | |
importance: | Undecided → High |
Changed in s390-tools (Ubuntu Focal): | |
importance: | Undecided → High |
Changed in s390-tools (Ubuntu Hirsute): | |
importance: | Undecided → High |
Changed in s390-tools-signed (Ubuntu): | |
importance: | Undecided → High |
Changed in s390-tools-signed (Ubuntu Focal): | |
importance: | Undecided → High |
Changed in s390-tools-signed (Ubuntu Hirsute): | |
importance: | Undecided → High |
Changed in ubuntu-z-systems: | |
importance: | Undecided → High |
status: | New → In Progress |
assignee: | Skipper Bug Screeners (skipper-screen-team) → Frank Heimes (fheimes) |
description: | updated |
tags: | added: ubuntu-release |
tags: | removed: ubuntu-release |
description: | updated |
Changed in ubuntu-z-systems: | |
status: | In Progress → Fix Committed |
tags: | removed: verification-needed verification-needed-focal verification-needed-hirsute |
Changed in s390-tools-signed (Ubuntu Hirsute): | |
status: | New → Fix Released |
Changed in s390-tools-signed (Ubuntu Focal): | |
status: | New → Fix Released |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
Since this is already completed for Impish (with LP#1882807),
I'm updating the Impish entries to Fix Released.
The SRU to F (and therefore also to H) now came on top.