** Changed in: linux (Ubuntu Focal)
Status: In Progress => Fix Committed
** Changed in: linux (Ubuntu Hirsute)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1933173
Title:
[21.10 FEAT] KVM: Provide a secure guest indication
Status in Ubuntu on IBM z Systems:
Fix Committed
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Focal:
Fix Committed
Status in linux source package in Hirsute:
Fix Committed
Status in linux source package in Impish:
Fix Committed
Bug description:
SRU Justification:
==================
[Impact]
* It is difficult for customers to identify if a KVM guest on s390x
runs in secure execution more or not. Hence several requests came up
that asked about providing a better indication.
* If the mode is not known, one may venture oneself into deceptive
security.
* Patches that allow a better indication via 'prot_virt_host' using
the sysfs firmware interface were added to upstream kernel 5.13.
* Secure execution was initially introduced in Ubuntu with focal /
20.04, hence this request to SRU.
[Fix]
* 37564ed834aca26993b77b9b2a0119ec1ba6e00c 37564ed834ac "s390/uv: add
prot virt guest/host indication files"
* df2e400e07ad53a582ee934ce8384479d5ddf48b df2e400e07ad "s390/uv: fix
prot virt host indication compilation"
[Test Case]
* A z15 or LinuxONE III LPAR is needed that runs KVM in secure
execution.
* Have a look for the 'prot_virt_host' key at the sysfs firmware
interface - '1' indicates that the ultravisor is active and that the
guest is running protected (in secure execution mode).
[Regression Potential]
* The patch is s390x specific and modifies file arch/s390/kernel/uv.c
only.
* An entirely new new function 'uv_is_prot_virt_guest' was added and
initialized and used in uv_info_init - hence the regression risk in
existing code is rather small.
* However, in case the initialization was done errornously the
indication might be wrong, maybe showing that the system is not
protected in the way it should be (wrong indication).
* More general code deficiencies in these two functions will be
largely indicated by the test compiles.
* But the code was already tested based on kernel 5.13 - and for SRU-
ing a cherry-pick of the patches was sufficient, hence the exact same
code as in 5.13 is used.
* Further tests of the SRU kernels (5.11 and 5.4) can be done based on
the test kernel available from the PPA (see below).
[Other]
* Patches are upstream accepted with since 5.13-rc1.
* Request was to add the patches to focal / 20.04.
* To avoid potential regressions on upgrades, the patches need to be added to
hirsute / 20.10, too.
__________
Provide an indication in the guest that it's running securely. Cannot
replace a real attestation and doesn't really provide additional
security (or could even create the false impression of security), but
has been frequently requested by customers.
Value: Usability, lower the effort to prepare and deploy secure
workloads.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1933173/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
