** Description changed:
+ SRU Justification:
+
+ [ Impact ]
+
+ * Symptom:
+
+ * There is an issue with the Secure Execution (SE) tooling,
+ especially the new IBM host-key subject locality,
+ that leads to the fact that on April 24 (z15) / March 29 (z16)
+ users will notice that the tooling for Secure execution will no
+ longer detect that the provided IBM signing key for that generation
+ is a valid IBM signing key.
+
+ * The error message will contain "no IBM signing key found" or similar.
+ The respective tool will reject creating an encrypted request/image
+ as it could not verify the host-key for its validity.
+
+ * This affects the genprotimg, pvattest, and pvsecret tools.
+ (Please notice that these tools got introduced over time with different
+ s390-tools versions that belong to different Ubuntu releases).
+
+ * Problem:
+
+ * The new IBM signing keys no longer contain 'Poughkeepsie' as
+ 'subject locality' and 'Armonk' is used.
+
+ * The SE tooling checks, beside other things, for the subject in the
+ IBM signing key.
+
+ * If the subject is not the expected one, the certificate is not
+ recognized as a valid IBM signing key.
+ And without a valid IBM signing key, the host-key verification
+ cannot succeed and users cannot build trustable SE images and
+ attestation or add-secret requests.
+
+ * Solution:
+
+ * Mitigations are available upstream.
+
+ * The fixes allow Armonk as additional locality in the subject
+ and allow potential mismatches in the locality of revocation list
+ or host-key issuer subject that may still contain Poughkeepsie
+ instead of Armonk.
+
+ [ Test Plan ]
+
+ * <detailed instructions how to reproduce the bug>
+
+ * The testing is required for all three affected tools:
+ genprotimg, pvattest, and pvsecret
+
+ * Without the fixed code, but with the new IBM signing keys
+ (that have 'Armonk' as 'subject locality'), users will get a msgs like:
+ "no IBM signing key found"
+ and the validation will fail.
+
+ * With the patches included, the validation will succeed.
+
+ [ Where problems could occur ]
+
+ * The tools genprotimg, pvattest, and pvsecret tools are affected.
+ Since they got introduced over time with different s390-tools versions
+ that belong to different Ubuntu releases, it's important to figure out the
+ commits/patches that are required for each release.
+
+ * The refactoring commit f6c6f0cc712433221fb0588c754e0d09884453dd
+ ("rust/pv/test: Code + Certificate refactoring") is needed
+ for noble and mantic, but needs several adjustments due to context changes.
+ The code could be negatively affected and the build might even break.
+ (A test build in PPA mitigates such issues.)
+
+ * As host host-key issuer subject now Poughkeepsie and Armonk is allowed.
+ If the conditional statements are not properly coded, either Poughkeepsie
+ or Armonk might be allowed, which would fails in case the opposite is used.
+ (Testing if the IBM signing key is valid will mitigate this.)
+
+ * In worst case a broken detection of the host-key issuer subject may lead
+ to positive validations, regardless of the subject content.
+ (Testing if the IBM signing key is valid will mitigate this.)
+
+ * A test build for all affected Ubuntu releases (N, M, J and F) succeeded
+ and is available via this PPA:
+ https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303
+
+ * These test packages will be pre-tested by IBM.
+
+ * This affected Secure Execution (SE) functionality only on s390x.
+ No other tools that are part of the s390-tools packages are affected
+ (or got modified in any way).
+
+ [ Other Info ]
+
+ * Secure Execution (SE) was introduced with in Ubuntu Server for s390x
+ with 20.04 LTS, hence 20.04 LTS and higher is affected.
+
+ * And with that the s390-tools versions that are still in service:
+ 2.12.0-0ubuntu3.7 | focal-updates
+ 2.20.0-0ubuntu3.2 | jammy-updates
+ 2.29.0-0ubuntu2.1 | mantic-updates
+ 2.30.0-0ubuntu1 | noble-updates / 2.31.0-0ubuntu4 | noble-proposed
+
+ * The following commits / patches need to be applied to the following
+ s390-tools versions:
+ * f6c6f0cc712433221fb0588c754e0d09884453dd
+ ("rust/pv/test: Code + Certificate refactoring")
+ to noble, mantic
+ * 1a3d0b74f7819f5e087e6ecbf3ec879a05a88bbc
+ ("rust/pv: Support `Armonk` in IBM signing key subject")
+ to noble, mantic
+ * d14e7593cc6380911ca42b09e11c53477ae13d5c
+ ("genprotimg: support `Armonk` in IBM signing key subject")
+ to noble, mantic, jammy, focal
+ * d7c95265cdb6217b0203efa5893c3a27838af63c
+ ("libpv: Support `Armonk` in IBM signing key subject")
+ to noble, mantic, jammy
+ * 2b5e7b049123aff094c7de79ba57a5df09471b2e
+ ("pvattest: Fix root-ca parsing")
+ to noble, mantic, jammy
+ __________
+
Description: SE-tooling: New IBM host-key subject locality
- Symptom:
- On April 24 (z15) / March 29 (z16) user will notice that the
- tooling for Secure execution will no longer detect that the provided
- IBM signing key for that generation is a valid IBM signing key. The
- error message will contain "no IBM signing key found" or similar. The
- respective tool will reject creating an encrypted request/image as it
- could not verify the host-key for its validity. This affects
- genprotimg, pvattest, and pvsecret.
- Problem:
- The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject
- locality' and 'Armonk' is used. The SE tooling checks, beside other
- things, for the subject in the IBM signing key. If the subject is not
- the expected one, the certificate is not recognized as a valid IBM
- signing key. With no valid IBM signing key, the host-key verification
- cannot succeed and users cannot build trustable SE images and
- attestation or add-secret requests.
- Solution:
- Mitigations are available upstream. The fixes allow Armonk as
- additional locality in the subject and allow potential mismatches in
- the locality of revocation list or host-key issuer subject that may
- still contain Poughkeepsie instead of Armonk.
+ Symptom:
+ On April 24 (z15) / March 29 (z16) user will notice that the
+ tooling for Secure execution will no longer detect that the provided
+ IBM signing key for that generation is a valid IBM signing key. The
+ error message will contain "no IBM signing key found" or similar. The
+ respective tool will reject creating an encrypted request/image as it
+ could not verify the host-key for its validity. This affects
+ genprotimg, pvattest, and pvsecret.
+ Problem:
+ The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject
+ locality' and 'Armonk' is used. The SE tooling checks, beside other
+ things, for the subject in the IBM signing key. If the subject is not
+ the expected one, the certificate is not recognized as a valid IBM
+ signing key. With no valid IBM signing key, the host-key verification
+ cannot succeed and users cannot build trustable SE images and
+ attestation or add-secret requests.
+ Solution:
+ Mitigations are available upstream. The fixes allow Armonk as
+ additional locality in the subject and allow potential mismatches in
+ the locality of revocation list or host-key issuer subject that may
+ still contain Poughkeepsie instead of Armonk.
Reproduction: Use a new IBM signing key in the unpatched tooling.
The fix is required due to the circumstances described here:
https://www.ibm.com/docs/en/linux-on-systems?topic=systems-whats-new#iplsdkwhatsnew__title__2
- This is required for all Ubuntu releases in service that support secure
execution.
+ This is required for all Ubuntu releases in service that support secure
execution.
Therefore, Ubuntu 20.04 LTS (focal) and above are affected and need to be
fixed.
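Review bot: The [ Test Plan ] section still contains the template placeholder "<detailed instructions how to reproduce the bug>" and gives no concrete invocation or expected result for any of genprotimg, pvattest or pvsecret; replace the placeholder with the actual steps per tool and release. The plan also covers only the accept path (new 'Armonk' key fails before the fix, validates after it), while [ Where problems could occur ] names a broken subject check that yields "positive validations, regardless of the subject content" as the worst case. Testing that a valid IBM signing key is accepted cannot catch that regression, so add a negative case: a certificate whose subject locality is neither Poughkeepsie nor Armonk must still be rejected with "no IBM signing key found", and an old 'Poughkeepsie' key must still validate. Minor wording in the same section: "As host host-key issuer subject now Poughkeepsie and Armonk is allowed" and "which would fails" should be cleaned up before the SRU template is reviewed.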
https://bugs.launchpad.net/bugs/2059303
Title:
[UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
(s390-tools)