[22.04 FEAT] KVM: Secure Execution Attestation Userspace Tool (s390-tools)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu on IBM z Systems |
Fix Released
|
High
|
Skipper Bug Screeners | ||
s390-tools (Ubuntu) |
Fix Released
|
Medium
|
Skipper Bug Screeners | ||
Jammy |
Fix Released
|
Medium
|
Skipper Bug Screeners | ||
Kinetic |
Fix Released
|
Medium
|
Skipper Bug Screeners | ||
s390-tools-signed (Ubuntu) |
Fix Released
|
Medium
|
Skipper Bug Screeners | ||
Jammy |
Fix Released
|
Medium
|
Skipper Bug Screeners | ||
Kinetic |
Fix Released
|
Medium
|
Skipper Bug Screeners |
Bug Description
SRU Justification:
------------------
[Impact]
* In order to facilitate attestation of Secure Execution guests,
a userspace tool is required that will receive the attestation
request, translate it to the appropriate ultravisor calls and
return the result to the caller.
* Secure Execution is a firmware based Trusted Execution
Environment (TEE) and is with that a hardware feature (FC 115).
* And this attestation tool enriches Secure Execution, hence
this can be considered as a hardware enablement SRU.
[Test Plan]
* Setup a Secure Execution environment in a z15 (or newer) LPAR
with Ubuntu Server 22.04(.x) for s390x.
* More details on howto setup Secure Executation can be found here:
https:/
* Install the updated packages in version 2.20.0-0ubuntu3.2
(s390-tools and s390-tools-signed).
* Create, perform, and verify attestation measurements for the
Secure Execution guest systems by using the 'pvatest' tool:
/usr/
* In a trusted environment, to get a measurement of an untrusted
IBM Secure Execution guest call 'pvattest perform'.
and call 'pvattest verify' to verify that the measurement
is the expected one.
* Verification needs to be done by IBM.
[Where problems could occur]
* The patches/commits for the attestation tools, that complements
secure execution, largely add new files and new lines.
Only in Makefile and common.mak files are deleted,
but even there only to enlarge them.
* So there is a low risk for regression of existing functionality,
beyond build time (and a test build was done).
* However the tool itself, that consists of a statically linked
library and the tool itself might cause issues:
- for example if it fails, segfaults or causes any other issue
- or if the attestation function itself is wrong
* The status and output must be absolutely correct to not
lull someone into a false sense of security.
[Other Info]
* The attestation tool was brought upstream with s390-tools 2.22,
and since kinetic ships version 2.23 it's already incl. there.
__________
KVM: Secure Execution Attestation Userspace Tool (s390-tools)
Description:
In order to facilitate attestation of Secure Execution guests, a userspace tool is required that will receive the attestation request, translate it to the appropriate ultravisor calls and return the result to the caller.
Request Type: Package - Update Version
Upstream Acceptance: In Progress
tags: | added: architecture-s39064 bugnameltc-196327 severity-high targetmilestone-inin2204 |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → linux (Ubuntu) |
Changed in s390-tools-signed (Ubuntu): | |
status: | New → Incomplete |
Changed in s390-tools-signed (Ubuntu Kinetic): | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
importance: | Undecided → Medium |
Changed in s390-tools-signed (Ubuntu Jammy): | |
importance: | Undecided → Medium |
Changed in s390-tools (Ubuntu Kinetic): | |
importance: | High → Medium |
Changed in s390-tools (Ubuntu Jammy): | |
importance: | Undecided → Medium |
Changed in s390-tools-signed (Ubuntu Kinetic): | |
status: | New → Fix Released |
Changed in ubuntu-z-systems: | |
status: | New → In Progress |
Changed in ubuntu-z-systems: | |
status: | In Progress → Fix Committed |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
Please share the s390-tools version and/or commit(s) that incl. this functionality.
Changing to Incomplete for now.
Ideally this should be part of the next and upcoming s390-tools version that is planned to be the one for jammy anyway.