linux-azure: Update SGX version and udev rules

Bug #1867820 reported by Marcelo Cerri
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux-azure (Ubuntu)
Fix Released
Undecided
Unassigned
Trusty
Invalid
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Eoan
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
linux-azure-5.4 (Ubuntu)
New
Undecided
Unassigned
Trusty
Invalid
Undecided
Unassigned
Xenial
Invalid
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Eoan
Invalid
Undecided
Unassigned
Focal
Invalid
Undecided
Unassigned
linux-base (Ubuntu)
Fix Released
Undecided
Unassigned
Trusty
Invalid
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Eoan
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned

Bug Description

[Impact]

We will use the official Intel's DCAP git repository to keep SGX up-to-date. We need to update the driver included to the linux-azure kernels to the version located at:

https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/LD_1.22/driver/linux

Including the provided udev rules.

[Test Case]

The driver should continue to work normally. The main difference should be the permissions and groups for the /dev/sgx (0666) and /dev/sgx_prv (0660 with sgx_prv group).

[Regression Potential]

The regression potential is low since the functional changes are not meaningful and the permissions are less restrictive.

CVE References

Marcelo Cerri (mhcerri)
Changed in linux-azure (Ubuntu Trusty):
status: New → Invalid
no longer affects: linux-azure (Ubuntu Disco)
no longer affects: linux-base (Ubuntu Disco)
Changed in linux-azure (Ubuntu Bionic):
status: New → In Progress
Changed in linux-base (Ubuntu Bionic):
status: New → In Progress
Revision history for this message
Marcelo Cerri (mhcerri) wrote :
Revision history for this message
Marcelo Cerri (mhcerri) wrote :
tags: added: patch
Revision history for this message
Marcelo Cerri (mhcerri) wrote :
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

linux-base should be rebased with latest archive version (is at 4.5ubuntu2 now), and the version fixed for the backports

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

I mean for eoan/focal it needs to be rebased, bionic would use 4.5ubuntu1.1, eoan 4.5ubuntu2.1..

Revision history for this message
Marcelo Cerri (mhcerri) wrote :

Linux

Revision history for this message
Marcelo Cerri (mhcerri) wrote :
Revision history for this message
Andy Whitcroft (apw) wrote : Please test proposed package

Hello Marcelo, or anyone else affected,

Accepted linux-base into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/linux-base/4.5ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in linux-base (Ubuntu Eoan):
status: New → Fix Committed
Changed in linux-base (Ubuntu Bionic):
status: In Progress → Fix Committed
Revision history for this message
Andy Whitcroft (apw) wrote :

Hello Marcelo, or anyone else affected,

Accepted linux-base into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/linux-base/4.5ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-base - 4.5ubuntu3

---------------
linux-base (4.5ubuntu3) focal; urgency=medium

  * Add linux-base-sgx package with SGX udev rules (LP: #1867820).

 -- Timo Aaltonen <email address hidden> Wed, 18 Mar 2020 13:05:24 +0200

Changed in linux-base (Ubuntu Focal):
status: New → Fix Released
Revision history for this message
Andy Whitcroft (apw) wrote :

Hello Marcelo, or anyone else affected,

Accepted linux-base into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/linux-base/4.5ubuntu1.1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in linux-base (Ubuntu Xenial):
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-azure - 5.3.0-1016.17

---------------
linux-azure (5.3.0-1016.17) eoan; urgency=medium

  * eoan/linux-azure: 5.3.0-1016.17 -proposed tracker (LP: #1867852)

  * linux-azure: Update SGX version and udev rules (LP: #1867820)
    - SAUCE: linux-azure: Update SGX to version LD_1.22
    - [Packaging] linux-azure: Add dependency to linux-base-sgx

 -- Marcelo Henrique Cerri <email address hidden> Wed, 18 Mar 2020 13:51:06 -0300

Changed in linux-azure (Ubuntu Eoan):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-azure - 5.0.0-1035.37

---------------
linux-azure (5.0.0-1035.37) bionic; urgency=medium

  * bionic/linux-azure: 5.0.0-1035.37 -proposed tracker (LP: #1867856)

  * linux-azure: Update SGX version and udev rules (LP: #1867820)
    - SAUCE: linux-azure: Update SGX to version LD_1.22
    - [Packaging] linux-azure: Add dependency to linux-base-sgx

 -- Marcelo Henrique Cerri <email address hidden> Wed, 18 Mar 2020 00:38:02 -0300

Changed in linux-azure (Ubuntu Bionic):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-azure - 4.15.0-1075.80

---------------
linux-azure (4.15.0-1075.80) xenial; urgency=medium

  * xenial/linux-azure: 4.15.0-1075.80 -proposed tracker (LP: #1867860)

  * linux-azure: Update SGX version and udev rules (LP: #1867820)
    - SAUCE: linux-azure: Update SGX to version LD_1.22
    - [Packaging] linux-azure: Add dependency to linux-base-sgx

 -- Marcelo Henrique Cerri <email address hidden> Wed, 18 Mar 2020 09:06:32 -0300

Changed in linux-azure (Ubuntu Xenial):
status: New → Fix Released
Marcelo Cerri (mhcerri)
Changed in linux-base (Ubuntu Trusty):
status: New → Invalid
Revision history for this message
Marcelo Cerri (mhcerri) wrote :

I already tested the following linux-base versions with linux-azure on an ACC instance:

- xenial: 4.5ubuntu1.1~16.04.1
- bionic: 4.5ubuntu1.1
- eoan: 4.5ubuntu2.1

ACC instances can be created via:

https://azuremarketplace.microsoft.com/en-us/marketplace/apps/microsoft-azure-compute.confidentialcompute?tab=Overview

tags: added: verification-done verification-done-bionic verification-done-eoan verification-done-xenial
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-base - 4.5ubuntu2.1

---------------
linux-base (4.5ubuntu2.1) eoan; urgency=medium

  * Add linux-base-sgx package with SGX udev rules (LP: #1867820).

 -- Timo Aaltonen <email address hidden> Wed, 18 Mar 2020 13:05:24 +0200

Changed in linux-base (Ubuntu Eoan):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-base - 4.5ubuntu1.1

---------------
linux-base (4.5ubuntu1.1) bionic; urgency=medium

  * Add linux-base-sgx package with SGX udev rules (LP: #1867820).

 -- Marcelo Henrique Cerri <email address hidden> Tue, 17 Mar 2020 16:17:43 -0300

Changed in linux-base (Ubuntu Bionic):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-base - 4.5ubuntu1.1~16.04.1

---------------
linux-base (4.5ubuntu1.1~16.04.1) xenial; urgency=medium

  * Add linux-base-sgx package with SGX udev rules (LP: #1867820).

 -- Marcelo Henrique Cerri <email address hidden> Wed, 18 Mar 2020 08:32:20 -0300

Changed in linux-base (Ubuntu Xenial):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-azure - 5.4.0-1008.8

---------------
linux-azure (5.4.0-1008.8) focal; urgency=medium

  [ Ubuntu: 5.4.0-21.25 ]

  * CVE-2020-8835
    - SAUCE: bpf: undo incorrect __reg_bound_offset32 handling

 -- Thadeu Lima de Souza Cascardo <email address hidden> Fri, 27 Mar 2020 17:57:04 -0300

Changed in linux-azure (Ubuntu Focal):
status: New → Fix Released
Tim Gardner (timg-tpi)
Changed in linux-azure-5.4 (Ubuntu Trusty):
status: New → Invalid
Changed in linux-azure-5.4 (Ubuntu Xenial):
status: New → Invalid
Changed in linux-azure-5.4 (Ubuntu Bionic):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → Triaged
Changed in linux-azure-5.4 (Ubuntu Eoan):
status: New → Invalid
Changed in linux-azure-5.4 (Ubuntu Focal):
status: New → Invalid
description: updated
Changed in linux-azure-5.4 (Ubuntu Bionic):
status: Triaged → In Progress
Tim Gardner (timg-tpi)
Changed in linux-azure-5.4 (Ubuntu Bionic):
assignee: Tim Gardner (timg-tpi) → nobody
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers