[21.10 FEAT] KVM: Provide a secure guest indication

Bug #1933173 reported by bugproxy
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
High
Skipper Bug Screeners
linux (Ubuntu)
Undecided
Skipper Bug Screeners
Focal
Undecided
Canonical Kernel Team
Hirsute
Undecided
Canonical Kernel Team
Impish
Undecided
Skipper Bug Screeners

Bug Description

SRU Justification:
==================

[Impact]

* It is difficult for customers to identify if a KVM guest on s390x runs in secure execution more or not. Hence several requests came up that asked about providing a better indication.

* If the mode is not known, one may venture oneself into deceptive security.

* Patches that allow a better indication via 'prot_virt_host' using the sysfs firmware interface were added to upstream kernel 5.13.

* Secure execution was initially introduced in Ubuntu with focal / 20.04, hence this request to SRU.

[Fix]

* 37564ed834aca26993b77b9b2a0119ec1ba6e00c 37564ed834ac "s390/uv: add prot virt guest/host indication files"

* df2e400e07ad53a582ee934ce8384479d5ddf48b df2e400e07ad "s390/uv: fix prot virt host indication compilation"

[Test Case]

* A z15 or LinuxONE III LPAR is needed that runs KVM in secure execution.

* Have a look for the 'prot_virt_host' key at the sysfs firmware interface - '1' indicates that the ultravisor is active and that the guest is running protected (in secure execution mode).

[Regression Potential]

* The patch is s390x specific and modifies file arch/s390/kernel/uv.c only.

* An entirely new new function 'uv_is_prot_virt_guest' was added and initialized and used in uv_info_init - hence the regression risk in existing code is rather small.

* However, in case the initialization was done errornously the indication might be wrong, maybe showing that the system is not protected in the way it should be (wrong indication).

* More general code deficiencies in these two functions will be largely indicated by the test compiles.

* But the code was already tested based on kernel 5.13 - and for SRU-ing a cherry-pick of the patches was sufficient, hence the exact same code as in 5.13 is used.

* Further tests of the SRU kernels (5.11 and 5.4) can be done based on the test kernel available from the PPA (see below).

[Other]

* Patches are upstream accepted with since 5.13-rc1.

* Request was to add the patches to focal / 20.04.

* To avoid potential regressions on upgrades, the patches need to be added to hirsute / 20.10, too.
__________

Provide an indication in the guest that it's running securely. Cannot replace a real attestation and doesn't really provide additional security (or could even create the false impression of security), but has been frequently requested by customers.

Value: Usability, lower the effort to prepare and deploy secure workloads.

CVE References

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-193309 severity-high targetmilestone-inin2110
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Revision history for this message
Frank Heimes (fheimes) wrote :

Changing to Incomplete until patch available.

Changed in ubuntu-z-systems:
importance: Undecided → High
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
status: New → Incomplete
Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2021-07-29 04:19 EDT-------
The code changes are in kernel 5.12, adding the commit ids for completeness.

df2e400e07ad s390/uv: fix prot virt host indication compilation
37564ed834ac s390/uv: add prot virt guest/host indication files

Revision history for this message
Frank Heimes (fheimes) wrote :

Hi Viktor - thx for the update.
That makes it easy, since we plan to go with a 5.13 kernel for Impish anyway.
(I nevertheless just double-checked and the two commits are in.)
Since we have the 5.13 not yet in impish release:
 linux-generic | 5.11.0.20.21+21.10.1 | impish | s390x
but at least in impish-proposed:
 linux-generic | 5.13.0.12.23 | impish-proposed | s390x
I'll update the status to Fix Committed.
(Once it reached the release pocket I'll update to Fix Released.)

Changed in linux (Ubuntu):
status: Incomplete → Fix Committed
Changed in ubuntu-z-systems:
status: Incomplete → Fix Committed
information type: Private → Public
Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-08-03 15:31 EDT-------
Due to external requirements we need this feature to be also available in Ubuntu 20.04 LTS.

@Canonical / FH: We would like to ask you now to SRU the two commits (see comment #7) also back to focal/20.04.
Thanks

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-08-03 15:48 EDT-------
*** Bug 193869 has been marked as a duplicate of this bug. ***

Frank Heimes (fheimes)
Changed in linux (Ubuntu Hirsute):
assignee: nobody → Frank Heimes (fheimes)
Changed in linux (Ubuntu Focal):
assignee: nobody → Frank Heimes (fheimes)
Revision history for this message
Frank Heimes (fheimes) wrote :

Patched kernel for further testing are being built are are soon available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1933173/+packages

Frank Heimes (fheimes)
description: updated
Revision history for this message
Frank Heimes (fheimes) wrote :

SRU request submitted to the Ubuntu kernel team mailing list for hirsute and focal:
https://lists.ubuntu.com/archives/kernel-team/2021-August/thread.html#122959
Changing status to 'In Progress' for hirsute and focal.

Changed in linux (Ubuntu Focal):
status: New → In Progress
Changed in linux (Ubuntu Hirsute):
status: New → In Progress
Changed in linux (Ubuntu Focal):
assignee: Frank Heimes (fheimes) → Canonical Kernel Team (canonical-kernel-team)
Changed in linux (Ubuntu Hirsute):
assignee: Frank Heimes (fheimes) → Canonical Kernel Team (canonical-kernel-team)
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Hirsute):
status: In Progress → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-hirsute' to 'verification-done-hirsute'. If the problem still exists, change the tag 'verification-needed-hirsute' to 'verification-failed-hirsute'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-hirsute
Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-08-17 11:34 EDT-------
Enabled proposed on a 21.04 host and updated the kernel to "5.11.0-33-generic #35-Ubuntu"

If PV is disabled both prot_virt_* files show 0.
If PV is enabled prot_virt_host shows 1 and prot_virt_guest shows 0.
If queried on a secure guest prot_virt_guest shows one and _host shows 0.

Code is successfully verified.

tags: added: verification-done-hirsute
removed: verification-needed-hirsute
Revision history for this message
Frank Heimes (fheimes) wrote :

Thx '<email address hidden>' for the verification!

Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-08-20 08:53 EDT-------
Verification failed.

I installed a Ubuntu 20.04 guest and enabled focal-proposed which bumped up my kernel to 5.4.0-83-generic.

There's no "uv" directory in /sys/firmware/ on that kernel version.

I also tried the linked 5.4.0-81 deb with the same results.

tags: added: verification-failed-focal
removed: verification-needed-focal
Revision history for this message
Frank Heimes (fheimes) wrote :

Hmm - looks like the patches weren't applied to that kernel (for whatever reason).
Please could you share the out put of the following 3 commands here:
uname -a
apt-cache policy linux-generic
apt changelog linux-generic

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-08-20 10:13 EDT-------
janosch@u2004:~$ uname -a
Linux u2004 5.4.0-81-generic #91~lp1933173-Ubuntu SMP Wed Aug 4 09:35:44 UTC 2021 s390x s390x s390x GNU/Linux

janosch@u2004:~$ apt-cache policy linux-generic
linux-generic:
Installed: 5.4.0.83.87
Candidate: 5.4.0.83.87
Version table:
*** 5.4.0.83.87 500
500 http://ports.ubuntu.com/ubuntu-ports focal-proposed/main s390x Packages
100 /var/lib/dpkg/status
5.4.0.81.85 500
500 http://us.ports.ubuntu.com/ubuntu-ports focal-updates/main s390x Packages
500 http://us.ports.ubuntu.com/ubuntu-ports focal-security/main s390x Packages
5.4.0.26.32 500
500 http://us.ports.ubuntu.com/ubuntu-ports focal/main s390x Packages

Revision history for this message
bugproxy (bugproxy) wrote : changelog

------- Comment (attachment only) From <email address hidden> 2021-08-20 10:13 EDT-------

Revision history for this message
Frank Heimes (fheimes) wrote :

Thanks for sharing the output.

Looks like the active kernel on your system is still 5.4.0-81, but the installed kernel is already 5.4.0.83. So just a reboot is needed to get the recently installed kernel 5.4.0-83 active and running.

5.4.0.83 should have the patches in (I'm pretty sure, just need to update my clone to be absolutely sure.)

It should have been already in 5.4.0-82, but that got superseded by 83 on short notice due to security reasons (it incl. several CVE fixes).

(But I'm still wondering why this is not referenced [with pointing to this LP bug number] in the changelog ...)

Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2021-08-20 11:02 EDT-------
Seems like I didn't state it obviously enough. I already tried 5.4.0-83-generic and since that wasn't working I then installed the -81 from the link but it also doesn't work.

Revision history for this message
Frank Heimes (fheimes) wrote :

Ok, so the commits are definitely _not_ in 81,
but got introduced with 82 (which is not available as binary kernel, since it got superseded by 83):

~/ubuntu-focal-master-next$ git describe --abbrev=0
Ubuntu-5.4.0-83.93
~/ubuntu-focal-master-next$ git log --oneline --grep "s390/uv: add prot virt guest/host indication files"
319423704db0 s390/uv: fix prot virt host indication compilation
aee56e7b76eb s390/uv: add prot virt guest/host indication files
~/ubuntu-focal-master-next$ git tag --contains 319423704db0 | grep ^Ubuntu
Ubuntu-5.4.0-82.92
Ubuntu-5.4.0-83.93
~/ubuntu-focal-master-next$ git tag --contains aee56e7b76eb | grep ^Ubuntu
Ubuntu-5.4.0-82.92
Ubuntu-5.4.0-83.93

Since the code obviously works if being integrated into the hirsute 5.11 kernel, I assume that some patches are missing that need to be picked for the 5.4 kernel on top of these two.

Would you mind reaching out to Vikor and checking what might be missing for the 5.4 kernel? (see comment #2)

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-08-23 05:56 EDT-------
Disregard what I said, I forgot that stfle 158 is in fact a prereq for the uv sysfs interface...

After moving the guest to secure mode the files showed up and had the right contents.
The files for a host also have the correct contents with PV enabled and without.

-> Setting verification done on focal

tags: added: verification-done-focal
removed: verification-failed-focal
Revision history for this message
Frank Heimes (fheimes) wrote :

Glad that you were able to successfully verify now - thanks for re-checking!

Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (36.6 KiB)

This bug was fixed in the package linux - 5.4.0-84.94

---------------
linux (5.4.0-84.94) focal; urgency=medium

  * focal/linux: 5.4.0-84.94 -proposed tracker (LP: #1941767)

  * Server boot failure after adding checks for ACPI IRQ override (LP: #1941657)
    - Revert "ACPI: resources: Add checks for ACPI IRQ override"

linux (5.4.0-83.93) focal; urgency=medium

  * focal/linux: 5.4.0-83.93 -proposed tracker (LP: #1940159)

  * fails to launch linux L2 guests on AMD (LP: #1940134) // CVE-2021-3653
    - KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl
      (CVE-2021-3653)

  * fails to launch linux L2 guests on AMD (LP: #1940134)
    - SAUCE: Revert "UBUNTU: SAUCE: KVM: nSVM: avoid picking up unsupported bits
      from L2 in int_ctl"

linux (5.4.0-82.92) focal; urgency=medium

  * focal/linux: 5.4.0-82.92 -proposed tracker (LP: #1939799)

  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.08.16)

  * CVE-2021-3656
    - SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

  * CVE-2021-3653
    - SAUCE: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

  * [regression] USB device is not detected during boot (LP: #1939638)
    - SAUCE: Revert "usb: core: reduce power-on-good delay time of root hub"

  * dev_forward_skb: do not scrub skb mark within the same name space
    (LP: #1935040)
    - dev_forward_skb: do not scrub skb mark within the same name space

  * XPS 9510 (TGL) Screen Brightness could not be changed (LP: #1933566)
    - SAUCE: drm/i915: Force DPCD backlight mode for Dell XPS 9510(TGL)

  * Acer Aspire 5 sound driver issues (LP: #1930188)
    - ALSA: hda/realtek: headphone and mic don't work on an Acer laptop

  * Sony Dualshock 4 usb dongle crashes the whole system (LP: #1935846)
    - HID: sony: Workaround for DS4 dongle hotplug kernel crash.

  * [21.10 FEAT] KVM: Provide a secure guest indication (LP: #1933173)
    - s390/uv: add prot virt guest/host indication files
    - s390/uv: fix prot virt host indication compilation

  * Skip rtcpie test in kselftests/timers if the default RTC device does not
    exist (LP: #1937991)
    - selftests: timers: rtcpie: skip test if default RTC device does not exist

  * Focal update: v5.4.133 upstream stable release (LP: #1938713)
    - drm/mxsfb: Don't select DRM_KMS_FB_HELPER
    - drm/zte: Don't select DRM_KMS_FB_HELPER
    - drm/amd/amdgpu/sriov disable all ip hw status by default
    - drm/vc4: fix argument ordering in vc4_crtc_get_margins()
    - net: pch_gbe: Use proper accessors to BE data in pch_ptp_match()
    - drm/amd/display: fix use_max_lb flag for 420 pixel formats
    - hugetlb: clear huge pte during flush function on mips platform
    - atm: iphase: fix possible use-after-free in ia_module_exit()
    - mISDN: fix possible use-after-free in HFC_cleanup()
    - atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
    - net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT
    - drm/mediatek: Fix PM reference leak in mtk_crtc_ddp_hw_init()
    - reiserfs: add check for invalid 1st journal block
    - drm/virtio: Fix double free on probe failure
    - dr...

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (62.5 KiB)

This bug was fixed in the package linux - 5.11.0-34.36

---------------
linux (5.11.0-34.36) hirsute; urgency=medium

  * hirsute/linux: 5.11.0-34.36 -proposed tracker (LP: #1941766)

  * Server boot failure after adding checks for ACPI IRQ override (LP: #1941657)
    - Revert "ACPI: resources: Add checks for ACPI IRQ override"

linux (5.11.0-33.35) hirsute; urgency=medium

  * hirsute/linux: 5.11.0-33.35 -proposed tracker (LP: #1940101)

  * libvirtd fails to create VM (LP: #1940107)
    - sched: Stop PF_NO_SETAFFINITY from being inherited by various init system
      threads

linux (5.11.0-32.34) hirsute; urgency=medium

  * hirsute/linux: 5.11.0-32.34 -proposed tracker (LP: #1939769)

  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.08.16)

  * CVE-2021-3656
    - SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

  * CVE-2021-3653
    - SAUCE: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

  * [regression] USB device is not detected during boot (LP: #1939638)
    - SAUCE: Revert "usb: core: reduce power-on-good delay time of root hub"

  * Support builtin revoked certificates (LP: #1932029)
    - [Packaging] build canonical-revoked-certs.pem from branch/arch certs
    - [Packaging] Revoke 2012 UEFI signing certificate as built-in
    - [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679)
    - SAUCE: integrity: add informational messages when revoking certs

  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679) // CVE-2020-26541 when certificates are revoked via
    MokListXRT.
    - SAUCE: integrity: Load mokx certs from the EFI MOK config table

  * Include product_sku info to modalias (LP: #1938143)
    - firmware/dmi: Include product_sku info to modalias

  * Fix Ethernet not working by hotplug - RTL8106E (LP: #1930645)
    - net: phy: rename PHY_IGNORE_INTERRUPT to PHY_MAC_INTERRUPT
    - SAUCE: r8169: Use PHY_POLL when RTL8106E enable ASPM

  * [SRU][H/OEM-5.10/OEM-5.13/U] Fix system hang after unplug tbt dock
    (LP: #1938689)
    - SAUCE: igc: fix page fault when thunderbolt is unplugged

  * [Regression] Audio card [8086:9d71] not detected after upgrade from linux
    5.4 to 5.8 (LP: #1915117)
    - [Config] set CONFIG_SND_SOC_INTEL_SKYLAKE_HDAUDIO_CODEC to y

  * Backlight (screen brightness) on Lenovo P14s AMD Gen2 inop (LP: #1934557)
    - drm/amdgpu/display: only enable aux backlight control for OLED panels

  * Touchpad not working with ASUS TUF F15 (LP: #1937056)
    - pinctrl: tigerlake: Fix GPIO mapping for newer version of software

  * dev_forward_skb: do not scrub skb mark within the same name space
    (LP: #1935040)
    - dev_forward_skb: do not scrub skb mark within the same name space

  * Fix display output on HP hybrid GFX laptops (LP: #1936296)
    - drm/i915: Invoke another _DSM to enable MUX on HP Workstation laptops

  * [SRU][OEM-5.10/H] UBUNTU: SAUCE: Fix backlight control on Samsung 16727
    panel (LP: #1930527)
    - SAUCE: drm/i915: Force DPCD backlight mode for Samsung 16727 pa...

Changed in linux (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Revision history for this message
Frank Heimes (fheimes) wrote :

Since 5.13 already landed in impish:
linux-generic | 5.13.0.14.25 | impish
and the patches are also upstream with 5.13,
I'll update the "affects impish" entry as Fix Released
and with that the entire ticket is Fix Released.

Changed in linux (Ubuntu Impish):
status: Fix Committed → Fix Released
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-09-07 11:34 EDT-------
Fix released, landed in impish / 21.10, hence closing the bug.
IBM BZ status:->CLOSED

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments