[UBUNTU 21.10 / 22.04] check_hostkeydoc is checking the certificate issuer too strictly (s390-tools)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu on IBM z Systems |
Fix Released
|
High
|
Skipper Bug Screeners | ||
s390-tools (Ubuntu) |
Fix Released
|
Undecided
|
Graham Inggs | ||
Impish |
Fix Released
|
Undecided
|
Graham Inggs | ||
Jammy |
Fix Released
|
Undecided
|
Graham Inggs | ||
s390-tools-signed (Ubuntu) |
Fix Released
|
Undecided
|
Graham Inggs | ||
Impish |
Fix Released
|
Undecided
|
Graham Inggs | ||
Jammy |
Fix Released
|
Undecided
|
Graham Inggs |
Bug Description
SRU Justification:
==================
[Impact]
* The s390-tools script check_hostkeydoc can be used to perform the
verification of the chain of trust for Secure Execution host key documents.
* The certificate verification is however too strict and doesn't match the
checking performed by the genprotimg tool.
* Affected is the OU field in the issuer DN of the host key document.
As a consequence, verification failures will occur for host key documents
issued for newer hardware generations like IBM z16.
* While the original default issuer's organizationalU
was defined as "IBM Z Host Key Signing Service", any OU ending
with "Key Signing Service" is considered legal by this fix/commit.
* So the default issuer check got relaxed by stripping off characters
preceding "Key Signing Service".
[Fix]
* 673ff37 673ff375d939d3c
[Test Plan]
* The usage of secure execution is nicely documented at the
'Introducing IBM Secure Execution for Linux' docs.
https:/
Relevant for this fix is paragraph 'Verifying the host key document'
https:/
* Especially notice the 'About this task' section that references the
check_hostkeydoc script to perform the verification steps.
+ Due to the fact that Secure Execution requires z15 as a minimal
hardware level, the testing is done by IBM.
[Where problems could occur]
* Problem can occur in the check_hostkeydoc helper script only.
* The script cane become broken at all and may refuse to properly verify
even valid signed keys.
* The sed statement in the script might be wrong and cut out a wrong
organization
* And since this is a helper script and the verification can also be done
without this script, the risk is not too high.
* A verification can be done based with check_hostkeydoc and with the manual
steps (with a valid and invalid signed key) to validate equal results.
* The modification are relatively straight-formward:
https:/
* And overall this is an s390x topic only, and even there only relevant for
Secure Execution (KVM) TEE environments only.
[Other Info]
* This does not affect focal (like initiall indicated),
since focal's s390-tools version does not include the
check_hostkeydoc file.
__________
== Comment: #0 - Viktor Mihajlovski <email address hidden> - 2022-04-07 09:16:49 ==
The s390-tools script check_hostkeydoc can be used to perform the verification of the chain of trust for Secure Execution host key documents.
The certificate verification is however too strict and doesn't match the checking performed by genprotimg.
Affected is the OU field in the issuer DN of the host key document. As a consequence, verification failures will occur for host key documents issued for newer hardware generations like IBM z16.
== Comment: #1 - Viktor Mihajlovski <email address hidden> - 2022-04-07 09:18:08 ==
Fixed by:
https:/
commit 673ff375d939d3c
Author: Viktor Mihajlovski <email address hidden>
Date: Tue Mar 15 12:55:02 2022 +0100
genprotimg/
tags: | added: architecture-all bugnameltc-197551 severity-high targetmilestone-inin--- |
Changed in ubuntu: | |
assignee: | nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) |
affects: | ubuntu → linux (Ubuntu) |
affects: | linux (Ubuntu) → s390-tools (Ubuntu) |
Changed in s390-tools (Ubuntu): | |
assignee: | Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) → Skipper Bug Screeners (skipper-screen-team) |
Changed in ubuntu-z-systems: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
importance: | Undecided → High |
tags: |
added: jammy removed: patch |
description: | updated |
Changed in ubuntu-z-systems: | |
status: | New → In Progress |
Changed in s390-tools (Ubuntu Jammy): | |
assignee: | Skipper Bug Screeners (skipper-screen-team) → Graham Inggs (ginggs) |
Changed in s390-tools-signed (Ubuntu Jammy): | |
assignee: | nobody → Graham Inggs (ginggs) |
Changed in s390-tools (Ubuntu Jammy): | |
status: | In Progress → Fix Committed |
Changed in s390-tools-signed (Ubuntu Jammy): | |
status: | In Progress → Fix Committed |
Changed in s390-tools-signed (Ubuntu Jammy): | |
status: | Fix Committed → Fix Released |
Changed in s390-tools (Ubuntu Impish): | |
assignee: | nobody → Graham Inggs (ginggs) |
Changed in s390-tools-signed (Ubuntu Impish): | |
assignee: | nobody → Graham Inggs (ginggs) |
Changed in ubuntu-z-systems: | |
status: | In Progress → Fix Committed |
Changed in s390-tools-signed (Ubuntu Impish): | |
status: | In Progress → Fix Committed |
tags: |
added: targetmilestone-inin2004 removed: targetmilestone-inin--- |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
Changed in s390-tools-signed (Ubuntu Impish): | |
status: | Fix Committed → Fix Released |
Changed in s390-tools-signed (Ubuntu): | |
status: | Fix Committed → Fix Released |
------- Comment From <email address hidden> 2022-04-08 02:44 EDT-------
Hello Frank,
thanks for taking care of the bug.
The title should say [UBUNTU 20.04] - I can't seem to change that in Launchpad.
Boris should be back next week to take care of anything I missed.