** Changed in: linux (Ubuntu Jammy)
       Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1959940

Title:
  [22.10 FEAT] KVM: Secure Execution guest dump encryption with customer keys - kernel part

Status in Ubuntu on IBM z Systems:
  Fix Released
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Jammy:
  Fix Committed

Bug description:
  SRU Justification:

  [ Impact ]

   * Hypervisor-initiated dumps for Secure Execution (aka confidential computing) guests are not helpful, because memory and CPU state is encrypted by a transient key only available to the Ultravisor (uv).

   * Workload owners can still configure kdump in order to obtain kernel crash information, but there are situations where kdump doesn't work.

   * In such situations problem determination is severely impeded.

   * This patch set solves this by implementing dumps created in a way that can only be decrypted by the owner of the guest image and be used for problem determination.

  [ Test Plan ]

   * The setup of a Secure Execution environment is not trivial and requires a certain set of hardware (IBM z15 or higher with FC 115).

   * On top of the modifications of qemu that are handled in this LP bug, modifications of the Kernel (LP#1959940) and the s390-tools (LP#1959965) are required on top.

   * So at least a modified kernel and qemu test builds are needed or both should be in -proposed at the same time (which might be difficult). A modified s390-tools is not urgently needed, since for the verification of the kernel and qemu part a newer version can be used (but a modified s390-tools is also available in PPA).

   * A detailed description (using Ubuntu as example) on how to set up secure execution is available here:
     Introducing IBM Secure Execution for Linux, April 2024 update
     https://www.ibm.com/docs/en/linuxonibm/pdf/lx24se04.pdf

   * And information on 'Working with dumps of KVM guests in IBM Secure Execution mode' is available here:
     https://www.ibm.com/docs/en/linux-on-systems?topic=commands-zgetdump#czgetdump__se_dump_examples

  [ Where problems could occur ]

   * Ultravisor (uv) return codes are introduced, which is generally appreciated. Just the right return codes need to be set (and reacted upon).

   * Protected virtual machine dumps are newly introduced on top of dump of 'normal' KVM VMs. Since code is shared, it could have an unforeseen impact.

   * The doc renaming could lead to confusion, if people rely on old doc structure.

   * The new capability case (217) could cause issues, for example in case of issues during initialization.

   * CPU dump functionality was added (mainly as new s390x specific code under s390/kvm), but CPU dump is only one part, if not working correctly, it may lead to partially useless dump data.

   * Configuration dump functionality was also added (again mainly as new s390x specific code under s390/kvm), similar to CPU dump. And moving from dumping inside of a VM to dumping from outside (due to potential failures if done inside), might lead to a more complex flow (now involving the uv), hence could be more error prone.

   * Adding query dump information requires user space buffers. Here it's crucial that buffer size is big enough.

   * The newly added constants and structure definitions that are needed for dump support could become problematic in case wrong data types were used (applies to all header modifications).

   * IOCTL for PV information retrieval got introduced (kvm_s390_handle_pv_info, kvm_s390_handle_pv). There are potential side effects (see man ioctl), hence all potential failure cases should be covered.

   * The new dump feature needs to know how much memory is required, but if the call for this is incorrect, it could break the dump process.

   * uv_cb_header struct changed to offset representation, but using wrong offsets will lead to a wrong struct, dump issues and potential crashes.

  [ Other Info ]

   * Since 22.04 is a popular LTS release, it is already in use by many secure execution customers. But in case of severe crashes or issues in the secure execution (KVM) guests, dumps cannot be used as of today.

   * This enables customers, IBM and Canonical to get support in case of crashes/dumps on hardware that runs secure execution environments.

  __________

  KVM: Secure Execution guest dump encryption with customer keys - kernel part

  Description:
  Hypervisor-initiated dumps for Secure Execution guests are not helpful because memory and CPU state is encrypted by a transient key only available to the Ultravisor. Workload owners can still configure kdump in order to obtain kernel crash information, but there are situations where kdump doesn't work. In such situations problem determination is severely impeded. This feature will implement dumps created in a way that can only be decrypted by the owner of the guest image and be used for problem determination.

  Request Type: Kernel - Enhancement from IBM
  Upstream Acceptance: In Progress
  Code Contribution: IBM code