[22.04 FEAT] KVM: Secure Execution Attestation Userspace Tool (s390-tools)

Please share the s390-tools version and/or commit(s) that incl. this functionality.
Changing to Incomplete for now.

Ideally this should be part of the next and upcoming s390-tools version that is planned to be the one for jammy anyway.

[Expired for s390-tools-signed (Ubuntu) because there has been no activity for 60 days.]

------- Comment From <email address hidden> 2022-06-22 09:31 EDT-------
Feature is now in current s390-tools (2.22.0)

Hi Steffen, okay, that god to know. since we've already addressed the kernel side.
For 22.10/kinetic we plan to wait on a (probably) 2.23 version of the s390-tools.

For 22.04/jammy, we can't do version bumps (post GA), hence we would need to cherrypick the relevant commits. Can you share with us the relevant commits (that hopefully apply cleanly on jammy's s390-tools v2.20+)?

------- Comment From <email address hidden> 2022-06-22 10:31 EDT-------
The relevant commits are:

38639269 (libpv: New library for PV tools)
3ab06d77 (pvattest: Create, perform, and verify attestation measurements)
26148740 (pvattest/tools: Add tool for attestation)

They will add:
* a new library: libpv
* a new tool using libpv: pvattest

The code should apply without any complains (all new files).
The top level Makefile/common.mak however, will probably have some conflicts, as other tools/libs were added since 2.20. Just ask, if you need help resolving these conflicts.

This bug was fixed in the package s390-tools - 2.23.0-0ubuntu1

---------------
s390-tools (2.23.0-0ubuntu1) kinetic; urgency=medium

  * New upstream release, that solves LP: #1986991, but also the following:
    LP: #1986670, LP: #1929033, LP: #1852736, LP: #1959972, LP: #1982346,
    LP: #1982368, LP: #1982384, LP: #1982760, LP: #1982838 and LP: #1959987
  * Remove the following patches since they are included with this
    new upstream release:
    - d/p/e8fca95-zdev-Fix-off-by-one-errors-in-cio_ignore-handling.patch
    - d/p/455ad95-zdump-Fix-dev-mem-reading.patch
    - d/p/ee2c6d4-zipl-Allow-optional-entries-that-are-left-out-when-f.patch
    - d/p/a9e13a2d-genprotimg-introduce-macro-for-the-control-flags-and.patch
    - d/p/0906293c-genprotimg-enable-pckmo-and-disable-pckmo-are-mutual.patch
    - d/p/5394cd36-genprotimg-add-PV-guest-dump-support.patch
    - d/p/78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch
    - d/p/673ff37-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
    - d/p/0d15a07-chreipl-fcp-mpath-bundle-a-pre-cooked-man-page.patch
    - d/p/2515832-util_arch-Add-IBM-z16-as-known-machine.patch
    - d/p/cce5f51-cpumf-lscpumf-Add-IBM-z16-extended-counter-set-def.patch
    - d/p/b16a6d4f-lszcrypt-add-CEX8S-support.patch
    - d/p/bcbb6fca-zcryptstats-add-CEX8-support.patch
    - d/p/4382901d-lszcrypt-show-AP-bus-msg-size-limit-capability.patch
    - d/p/27dce331-lszcrypt-add-support-for-checkstop-state.patch
    - d/p/a29b3c89-lszcrypt-new-options-to-show-only-accel-cca-or-ep11-.patch
    - d/p/a8b0d7ac-lszcrypt-new-options-to-filter-cards-queues-only.patch
    - d/p/46fd42af-lszcrypt-new-option-to-show-the-serial-numbers-of-CC.patch
    - d/p/3a13cb4-dbginfo.sh-unify-console-output.patch
    - d/p/2eea614-dbginfo.sh-unify-indents-prettify-code.patch
    - d/p/fcb503e-dbginfo.sh-sync-excludes-in-sysfs-data-collection.patch
    - d/p/abec41f-dbginfo.sh-alphabetic-order-of-log-and-config-files.patch
    - d/p/164d481-dbginfo.sh-check-existence-of-dump2tar-before-execut.patch
    - d/p/50a4740-dbginfo.sh-replace-which-by-builtin-command-type-for.patch
    - d/p/2ab27bd-dbginfo.sh-update-copyright-date.patch
    - d/p/a8579a0-dbginfo.sh-replace-indents-with-8char-tab.patch
    - d/p/81920f7-dbginfo.sh-re-group-commands-for-network.patch
    - d/p/a0d6edf-dbginfo.sh-re-group-commands-by-long-output.patch
    - d/p/812df79-dbginfo.sh-re-group-commands-by-topic.patch
    - d/p/2677a41-dbginfo.sh-re-group-commands-by-system-state.patch
    - d/p/be47b51-dbginfo.sh-re-group-commands-by-z-device.patch
    - d/p/02a0d12-dbginfo.sh-re-group-commands-by-block-scsi.patch
    - d/p/0981df6-cmsfs-fuse-fix-enabling-of-hard_remove-option.patch
    - d/p/9e62005-genprotimg-boot-disable-Warray-bounds-for-now.patch
  * Remove d/p0010-no-pie-is-not-a-valid-option-for-ld.patch since it's solved
    upstream with 5e46632, 71fe581, b39bdfb, 9f6150d and ae72178.
  * Remove d/p/0001-zkey-add-initramfs-hook.patch since it's solved upstream
    with 3669fd4.
  * Remove d/p/0001-zkey-on-Ubuntu-use-default-benchmarked-Argon2i-with-.patch
    since it's solved upstream with 51b9504.
  * Remove d/p/0001-dumpconf-Don-t-run-the-service-in-L...

A patched s390-tools package (version 2.20.0-0ubuntu3.2) got successfully build
and is available via the following PPA for further testing:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1974109+lp1959987
(the PPA also incl. s390-tools-signed 2.20.0-0ubuntu3.2 to fulfill dependencies)

Please notice that this s390-tools update incl. the fixes for this bug (LP#1959987) as well as LP#1974109.

------- Comment From <email address hidden> 2022-09-05 11:42 EDT-------
verified.

packages in that repo contain pvattest.
FVTs ran successfull.

Uploaded to Jammy.

Re-uploaded to Jammy with some new fixes (and fixed the -signed changelog)

> Re-uploaded to Jammy with some new fixes (and fixed the -signed changelog)

I do not see a new upload in the queue, I only see the upload from September.

The upload was rejected on 2022-11-16, presumably because fheimes asked for it to be removed due to the new bugfixes that were impending. That might have been a bit premature since I wasn't around to sponsor the new uploads, though.

I've uploaded both packages (with the new bugfixes) to Jammy.

Hello bugproxy, or anyone else affected,

Accepted s390-tools into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/2.20.0-0ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello bugproxy, or anyone else affected,

Accepted s390-tools-signed into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools-signed/2.20.0-0ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

------- Comment From <email address hidden> 2022-12-13 04:26 EDT-------
verified using s390-tools/jammy-proposed on an s390x machine.

$ pvattest -v
pvattest version 2.20.0-build-20221202
Copyright IBM Corp. 2022

Also ran the functional verification tests; all succeeded.

Feature verified.

Many thx Steffen!

This bug was fixed in the package s390-tools - 2.20.0-0ubuntu3.2

---------------
s390-tools (2.20.0-0ubuntu3.2) jammy; urgency=medium

  * Fix zipl segfaults when "parameters=" is missing (LP: #1974109) with:
    d/p/6ff8202f-zipl-Add-missing-check-for-a-nullpointer.patch
  * Add KVM Secure Execution Attestation Userspace Tool to enhance secure
    execution (hardware feature: FC 115) exploitation (LP: #1959987) with:
    d/p/38639269-libpv-New-library-for-PV-tools.patch
    d/p/3ab06d77-pvattest-Create-perform-and-verify-attestation-measu.patch
    d/p/26148740-pvattest-tools-Add-tool-for-attestation.patch
  * Fix re-enciphering of EP11 identity key of KMIP plugin (LP: #1990520) with:
    d/p/4e2ebe03-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch
  * Fix KMIP plugin fails to connection to KMIP server (LP: #1990524) with:
    d/p/6c5c5f7e-libseckey-Adapt-keymgmt_match-implementation-to-Open.patch
  * d/p/5768d55-zipl-boot-add-secure-boot-trailer.patch
    Add secure boot trailer in zipl stage 3 to keep compatibility with
    upcoming IBM zSystems firmware updates. (LP: #1996069)
  * Add d/p/92b8409-dbginfo.sh-ensure-type-commands-compatible-with-dash.patch
    and d/p/9f93af6-dbginfo.sh-ensure-compatibility-with-bin-dash.patch
    to achieve dbginfo.sh compatibility with /bin/dash shell. (LP: #1996477)

 -- Frank Heimes <email address hidden> Wed, 16 Nov 2022 18:14:00 +0200

This bug was fixed in the package s390-tools-signed - 2.20.0-0ubuntu3.2

---------------
s390-tools-signed (2.20.0-0ubuntu3.2) jammy; urgency=medium

  * Rebuild against 2.20.0-0ubuntu3.2:
    LP: #1974109, LP: #1959987, LP: #1990520,
    LP: #1990524, LP: #1996069, LP: #1996477

 -- Frank Heimes <email address hidden> Wed, 16 Nov 2022 18:27:10 +0200

The verification of the Stable Release Update for s390-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.