[21.10 FEAT] KVM: Change Secure Execution Header defaults for plaintext control flags (PCF) (s390-tools)

Bug #1932177 reported by bugproxy
Affects | Status | Importance | Assigned to | Milestone
Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners |
s390-tools (Ubuntu) | Fix Released | Undecided | Skipper Bug Screeners |

Bug Description

The plaintext control flags (PCF) in the Secure Execution header have safe default settings. Specifically, the protected key support (PCKMO) is disabled by default. This is, however, in contrast to the defaults used by regular KVM guests, which are allowed to use protected keys. This may lead (and has led) to confusion. To improve usability, the default SE header PCF settings should be set to allow all PCKMO types. While doing that, an explicit option to enable/disable PCKMO should be added, so that clients have no need to use the 'experimental/expert' flags.

Value: Lowers the hurdles to deploy secure execution guests by maintaining commonality with the non-secure behavior.

Feature will be part of s390-tools >= 2.17

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-193308 severity-high targetmilestone-inin2110
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
summary: - {21.10 FEAT] KVM: Change Secure Execution Header defaults for plaintext
+ [21.10 FEAT] KVM: Change Secure Execution Header defaults for plaintext
control flags (PCF) (s390-tools)
affects: linux (Ubuntu) → s390-tools (Ubuntu)
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
importance: Undecided → High
Changed in s390-tools (Ubuntu):
status: New → Incomplete
Changed in ubuntu-z-systems:
status: New → Incomplete
Frank Heimes (fheimes) wrote :

I cannot find this in v2.17 https://github.com/ibm-s390-linux/s390-tools/releases/tag/v2.17.0
So I guess it did not make it into 2.17?

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2021-08-12 07:30 EDT-------
@Canonical (Frank):
Yes, this feature is part of the s390-tools 2.17 release. Here are the commit IDs:

8db32a8c genprotimg: add `--(enable|disable)-pckmo` flag
4cf73238 genprotimg: allow PCKMO functions by default
27120f28 genprotimg: rename PV_CFLAG_NO_DECRYPTION to PV_PCF_NO_DECRYPTION

Frank Heimes (fheimes) wrote :

Thx Boris for sharing.
In this case we can close this ticket as Fix Released based on the closure of the tickets LP#1929024 and LP#1934988.

Changed in s390-tools (Ubuntu):
status: Incomplete → Fix Released
Changed in ubuntu-z-systems:
status: Incomplete → Fix Released
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-08-15 21:06 EDT-------
feature is part of the s390-tools 2.17 release which goes into impish / 21.10, hence closing this bug.
Status: ->CLOSED

Frank Heimes (fheimes)
information type: Private → Public