[UBUNTU 21.10 / 22.04] check_hostkeydoc is checking the certificate issuer too strictly (s390-tools)

Bug #1968259 reported by bugproxy
This bug affects 1 person
Affects                        Status         Importance   Assigned to             Milestone
Ubuntu on IBM z Systems        Fix Released   High         Skipper Bug Screeners
s390-tools (Ubuntu)            Fix Released   Undecided    Graham Inggs
  Impish                       Fix Released   Undecided    Graham Inggs
  Jammy                        Fix Released   Undecided    Graham Inggs
s390-tools-signed (Ubuntu)     Fix Released   Undecided    Graham Inggs
  Impish                       Fix Released   Undecided    Graham Inggs
  Jammy                        Fix Released   Undecided    Graham Inggs

Bug Description

SRU Justification:
==================

[Impact]

 * The s390-tools script check_hostkeydoc can be used to perform the
   verification of the chain of trust for Secure Execution host key documents.

 * The certificate verification is however too strict and doesn't match the
   checking performed by the genprotimg tool.

 * Affected is the OU field in the issuer DN of the host key document.
   As a consequence, verification failures will occur for host key documents
   issued for newer hardware generations like IBM z16.

 * While the original default issuer's organizationalUnitName (OU)
  was defined as "IBM Z Host Key Signing Service", any OU ending
  with "Key Signing Service" is considered legal by this fix/commit.

 * So the default issuer check got relaxed by stripping off characters
  preceding "Key Signing Service".

[Fix]

 * 673ff37 673ff375d939d3cde674f8f99a62d456f8b1673d ("genprotimg/check_hostkeydoc: relax default issuer check")

[Test Plan]

 * The usage of secure execution is nicely documented at the
   'Introducing IBM Secure Execution for Linux' docs.
   https://www.ibm.com/docs/en/linux-on-systems?topic=virtualization-introducing-secure-execution-linux
   Relevant for this fix is paragraph 'Verifying the host key document'
   https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document

 * Especially notice the 'About this task' section that references the
   check_hostkeydoc script to perform the verification steps.

 + Due to the fact that Secure Execution requires z15 as a minimal
   hardware level, the testing is done by IBM.

[Where problems could occur]

 * Problem can occur in the check_hostkeydoc helper script only.

 * The script can become broken altogether and may refuse to properly verify
   even valid signed keys.

 * The sed statement in the script might be wrong and cut out a wrong
   organizationalUnitName.

 * And since this is a helper script and the verification can also be done
   without this script, the risk is not too high.

 * A verification can be done with check_hostkeydoc and with the manual
   steps (with a valid and invalid signed key) to validate equal results.

 * The modifications are relatively straightforward:
   https://github.com/ibm-s390-linux/s390-tools/commit/673ff375d939d3cde674f8f99a62d456f8b1673d

 * And overall this is an s390x topic only, and even there only relevant for
   Secure Execution (KVM) TEE environments only.

[Other Info]

 * This does not affect focal (like initially indicated),
   since focal's s390-tools version does not include the
   check_hostkeydoc file.

__________

== Comment: #0 - Viktor Mihajlovski <email address hidden> - 2022-04-07 09:16:49 ==
The s390-tools script check_hostkeydoc can be used to perform the verification of the chain of trust for Secure Execution host key documents.
The certificate verification is however too strict and doesn't match the checking performed by genprotimg.
Affected is the OU field in the issuer DN of the host key document. As a consequence, verification failures will occur for host key documents issued for newer hardware generations like IBM z16.

== Comment: #1 - Viktor Mihajlovski <email address hidden> - 2022-04-07 09:18:08 ==
Fixed by:

https://github.com/ibm-s390-linux/s390-tools

commit 673ff375d939d3cde674f8f99a62d456f8b1673d
Author: Viktor Mihajlovski <email address hidden>
Date: Tue Mar 15 12:55:02 2022 +0100

    genprotimg/check_hostkeydoc: relax default issuer check
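
The strict and the relaxed issuer comparison described in the bug description above, side by side, as an added example that is not the s390-tools script or the upstream commit. Only the two OU strings quoted in the report are taken from the page; the other DN components, the sample issuers and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not the s390-tools script. Only the OU strings
# "IBM Z Host Key Signing Service" and "Key Signing Service" come from the
# bug report; every other DN component below is constructed.

# Issuer DN the strict check insists on.
STRICT_ISSUER='/C=US/O=Example Corp/OU=IBM Z Host Key Signing Service/CN=Example Signing CA'
# Relaxed default: same DN with the OU reduced to its required suffix.
RELAXED_ISSUER='/C=US/O=Example Corp/OU=Key Signing Service/CN=Example Signing CA'

# Constructed sample issuers.
DN_ORIGINAL=$STRICT_ISSUER
DN_NEWER='/C=US/O=Example Corp/OU=NewGen Host Key Signing Service/CN=Example Signing CA'
DN_TRAILING='/C=US/O=Example Corp/OU=IBM Z Host Key Signing Service Test/CN=Example Signing CA'
DN_OTHER_ORG='/C=US/O=Other Corp/OU=IBM Z Host Key Signing Service/CN=Example Signing CA'

# Drop the characters preceding "Key Signing Service" inside the OU only.
# The suffix must end the component, so trailing text is left untouched.
normalize_issuer() {
    printf '%s\n' "$1" |
        sed -E 's#/OU=[^/]*Key Signing Service(/|$)#/OU=Key Signing Service\1#'
}

# usage: check_issuer strict|relaxed "<issuer DN>"; prints accept or reject.
check_issuer() {
    case "$1" in
        strict)  want=$STRICT_ISSUER;  got=$2 ;;
        relaxed) want=$RELAXED_ISSUER; got=$(normalize_issuer "$2") ;;
        *)       echo "unknown mode: $1" >&2; return 2 ;;
    esac
    if [ "$got" = "$want" ]; then echo accept; else echo reject; fi
}

for dn in "$DN_ORIGINAL" "$DN_NEWER" "$DN_TRAILING" "$DN_OTHER_ORG"; do
    printf 'strict=%s relaxed=%s %s\n' \
        "$(check_issuer strict "$dn")" "$(check_issuer relaxed "$dn")" "$dn"
done
```

The trailing-text and other-organization issuers are the cases worth keeping in a regression test, since they show that the relaxation is limited to the OU prefix.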

bugproxy (bugproxy)
tags: added: architecture-all bugnameltc-197551 severity-high targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
affects: linux (Ubuntu) → s390-tools (Ubuntu)
Changed in s390-tools (Ubuntu):
assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) → Skipper Bug Screeners (skipper-screen-team)
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
importance: Undecided → High
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-04-08 02:44 EDT-------
Hello Frank,

thanks for taking care of the bug.
The title should say [UBUNTU 20.04] - I can't seem to change that in Launchpad.
Boris should be back next week to take care of anything I missed.

Frank Heimes (fheimes) wrote : Re: [UBUNTU 22.04] check_hostkeydoc is checking the certificate issuer too strictly (s390-tools)

Hi - np. I can change that here in Launchpad at least (and already marked it as affecting all releases in service down to 20.04 - means 22.04, 21.10 and 22.04). Thx

summary: - [UBUNTU 22.04] check_hostkeydoc is checking the certificate issuer too
+ [UBUNTU 20.04] check_hostkeydoc is checking the certificate issuer too
strictly (s390-tools)
Frank Heimes (fheimes) wrote : Re: [UBUNTU 20.04] check_hostkeydoc is checking the certificate issuer too strictly (s390-tools)

s390-tools debdiff for LP#1968259 and LP#1968260 / jammy

Changed in s390-tools-signed (Ubuntu Jammy):
status: New → In Progress
Changed in s390-tools (Ubuntu Jammy):
status: New → In Progress
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "s390-tools debdiff for LP#1968259 and LP#1968260 / jammy" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Frank Heimes (fheimes) wrote :

s390-tools-signed debdiff for LP#1968259 and LP#1968260 / jammy

Frank Heimes (fheimes)
tags: added: jammy
removed: patch
Frank Heimes (fheimes)
description: updated
Frank Heimes (fheimes) wrote :

s390-tools debdiff for LP#1968259 and LP#1968260 / impish

Frank Heimes (fheimes) wrote :

s390-tools-signed debdiff for LP#1968259 and LP#1968259 / impish

Changed in s390-tools-signed (Ubuntu Impish):
status: New → In Progress
Changed in s390-tools (Ubuntu Impish):
status: New → In Progress
Frank Heimes (fheimes) wrote :

Removing focal as affected Ubuntu release
since focal's latest s390-tools version 2.12.0-0ubuntu3.4 (in focal-updates)
does not ship /usr/share/s390-tools/genprotimg/check_hostkeydoc.

no longer affects: s390-tools (Ubuntu Focal)
no longer affects: s390-tools-signed (Ubuntu Focal)
summary: - [UBUNTU 20.04] check_hostkeydoc is checking the certificate issuer too
- strictly (s390-tools)
+ [UBUNTU 21.10 / 22.04] check_hostkeydoc is checking the certificate
+ issuer too strictly (s390-tools)
description: updated
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: New → In Progress
Graham Inggs (ginggs)
Changed in s390-tools (Ubuntu Jammy):
assignee: Skipper Bug Screeners (skipper-screen-team) → Graham Inggs (ginggs)
Changed in s390-tools-signed (Ubuntu Jammy):
assignee: nobody → Graham Inggs (ginggs)
Graham Inggs (ginggs)
Changed in s390-tools (Ubuntu Jammy):
status: In Progress → Fix Committed
Changed in s390-tools-signed (Ubuntu Jammy):
status: In Progress → Fix Committed
Frank Heimes (fheimes) wrote :

uploaded new debdiff of the s390-tools-signed package for jammy that incl. the needed d/c update

Frank Heimes (fheimes) wrote :

uploaded new debdiff of the s390-tools-signed package for impish that incl. the needed d/c update

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

uploaded new debdiff of the s390-tools-signed package for jammy that incl. the needed d/c update

uploaded new debdiff of the s390-tools-signed package for impish that incl. the needed d/c update

bugproxy (bugproxy) wrote : s390-tools-signed debdiff for LP#1968259 and LP#1968260 / jammy

Default Comment by Bridge

bugproxy (bugproxy) wrote : s390-tools-signed debdiff for LP#1968259 and LP#1968259 / impish

Default Comment by Bridge

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.20.0-0ubuntu3

---------------
s390-tools (2.20.0-0ubuntu3) jammy; urgency=medium

  * No-change rebuild to match s390-tools-signed version

 -- Graham Inggs <email address hidden> Wed, 13 Apr 2022 10:32:45 +0000

Changed in s390-tools (Ubuntu Jammy):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in s390-tools-signed (Ubuntu Jammy):
status: Fix Committed → Fix Released
Graham Inggs (ginggs)
Changed in s390-tools (Ubuntu Impish):
assignee: nobody → Graham Inggs (ginggs)
Changed in s390-tools-signed (Ubuntu Impish):
assignee: nobody → Graham Inggs (ginggs)
Steve Langasek (vorlon) wrote : Please test proposed package

Hello bugproxy, or anyone else affected,

Accepted s390-tools into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/2.17.0-0ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in s390-tools (Ubuntu Impish):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-impish
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-05-09 04:40 EDT-------
Verified successfully on impish.

tags: added: verification-done-impish
removed: verification-needed-impish
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Changed in s390-tools-signed (Ubuntu Impish):
status: In Progress → Fix Committed
bugproxy (bugproxy)
tags: added: targetmilestone-inin2004
removed: targetmilestone-inin---
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.17.0-0ubuntu2.1

---------------
s390-tools (2.17.0-0ubuntu2.1) impish; urgency=medium

  * d/p/78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch
    Fix for genprotimg failing to process z15 host key documents
    after April 2022.
    (LP: #1968260)
  * d/p/673ff37-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
    Fixing check_hostkeydoc since it's checking the certificate issuer
    too strictly.
    (LP: #1968259)

 -- Frank Heimes <email address hidden> Mon, 11 Apr 2022 13:38:11 +0200

Changed in s390-tools (Ubuntu Impish):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for s390-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Changed in s390-tools-signed (Ubuntu Impish):
status: Fix Committed → Fix Released
Changed in s390-tools-signed (Ubuntu):
status: Fix Committed → Fix Released
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-05-18 07:40 EDT-------
Fix has been verified and released to -updates, hence closing the bug.
Thanks everybody for your help & contribution.

Changing BZ Status: => CLOSED
