2021-06-22 04:29:19 |
bugproxy |
bug |
|
|
added bug |
2021-06-22 04:29:22 |
bugproxy |
tags |
|
architecture-s39064 bugnameltc-193309 severity-high targetmilestone-inin2110 |
|
2021-06-22 04:29:23 |
bugproxy |
ubuntu: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2021-06-22 04:29:26 |
bugproxy |
affects |
ubuntu |
linux (Ubuntu) |
|
2021-06-22 04:29:28 |
bugproxy |
bug |
|
|
added subscriber CDE Administration |
2021-06-22 04:29:29 |
bugproxy |
bug |
|
|
added subscriber Heinz-Werner Seeck |
2021-06-22 04:58:24 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
2021-06-22 04:58:47 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
High |
|
2021-06-22 04:59:11 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2021-06-22 04:59:16 |
Frank Heimes |
ubuntu-z-systems: status |
New |
Incomplete |
|
2021-06-22 04:59:19 |
Frank Heimes |
linux (Ubuntu): status |
New |
Incomplete |
|
2021-06-22 07:14:27 |
Frank Heimes |
bug |
|
|
added subscriber Boris Barth |
2021-07-29 13:07:55 |
Frank Heimes |
linux (Ubuntu): status |
Incomplete |
Fix Committed |
|
2021-07-29 13:08:00 |
Frank Heimes |
ubuntu-z-systems: status |
Incomplete |
Fix Committed |
|
2021-07-29 13:08:07 |
Frank Heimes |
information type |
Private |
Public |
|
2021-08-04 06:00:02 |
Frank Heimes |
nominated for series |
|
Ubuntu Impish |
|
2021-08-04 06:00:02 |
Frank Heimes |
bug task added |
|
linux (Ubuntu Impish) |
|
2021-08-04 06:00:02 |
Frank Heimes |
nominated for series |
|
Ubuntu Focal |
|
2021-08-04 06:00:02 |
Frank Heimes |
bug task added |
|
linux (Ubuntu Focal) |
|
2021-08-04 06:00:02 |
Frank Heimes |
nominated for series |
|
Ubuntu Hirsute |
|
2021-08-04 06:00:02 |
Frank Heimes |
bug task added |
|
linux (Ubuntu Hirsute) |
|
2021-08-04 06:00:16 |
Frank Heimes |
linux (Ubuntu Hirsute): assignee |
|
Frank Heimes (fheimes) |
|
2021-08-04 06:00:19 |
Frank Heimes |
linux (Ubuntu Focal): assignee |
|
Frank Heimes (fheimes) |
|
2021-08-04 10:54:40 |
Frank Heimes |
description |
Provide an indication in the guest that it's running securely. Cannot replace a real attestation and doesn't really provide additional security (or could even create the false impression of security), but has been frequently requested by customers.
Value: Usability, lower the effort to prepare and deploy secure workloads. |
SRU Justification:
==================
[Impact]
* It is difficult for customers to identify if a KVM guest on s390x runs in secure execution mode or not. Hence several requests came up that asked about providing a better indication.
* If the mode is not known, one may venture oneself into deceptive security.
* Patches that allow a better indication via 'prot_virt_host' using the sysfs firmware interface were added to upstream kernel 5.13.
* Secure execution was initially introduced in Ubuntu with focal / 20.04, hence this request to SRU.
[Fix]
* 37564ed834aca26993b77b9b2a0119ec1ba6e00c 37564ed834ac "s390/uv: add prot virt guest/host indication files"
* df2e400e07ad53a582ee934ce8384479d5ddf48b df2e400e07ad "s390/uv: fix prot virt host indication compilation"
[Test Case]
* A z15 or LinuxONE III LPAR is needed that runs KVM in secure execution.
* Have a look for the 'prot_virt_host' key at the sysfs firmware interface - '1' indicates that the ultravisor is active and that the guest is running protected (in secure execution mode).
[Regression Potential]
* The patch is s390x specific and modifies file arch/s390/kernel/uv.c only.
* An entirely new function 'uv_is_prot_virt_guest' was added and initialized and used in uv_info_init - hence the regression risk in existing code is rather small.
* However, in case the initialization was done erroneously the indication might be wrong, maybe showing that the system is not protected in the way it should be (wrong indication).
* More general code deficiencies in these two functions will be largely indicated by the test compiles.
* But the code was already tested based on kernel 5.13 - and for SRU-ing a cherry-pick of the patches was sufficient, hence the exact same code as in 5.13 is used.
* Further tests of the SRU kernels (5.11 and 5.4) can be done based on the test kernel available from the PPA (see below).
[Other]
* Patches are upstream accepted since 5.13-rc1.
* Request was to add the patches to focal / 20.04.
* To avoid potential regressions on upgrades, the patches need to be added to hirsute / 20.10, too.
__________
Provide an indication in the guest that it's running securely. Cannot replace a real attestation and doesn't really provide additional security (or could even create the false impression of security), but has been frequently requested by customers.
Value: Usability, lower the effort to prepare and deploy secure workloads. |
|
2021-08-04 12:24:44 |
Frank Heimes |
linux (Ubuntu Focal): status |
New |
In Progress |
|
2021-08-04 12:24:47 |
Frank Heimes |
linux (Ubuntu Hirsute): status |
New |
In Progress |
|
2021-08-04 12:25:02 |
Frank Heimes |
linux (Ubuntu Focal): assignee |
Frank Heimes (fheimes) |
Canonical Kernel Team (canonical-kernel-team) |
|
2021-08-04 12:25:11 |
Frank Heimes |
linux (Ubuntu Hirsute): assignee |
Frank Heimes (fheimes) |
Canonical Kernel Team (canonical-kernel-team) |
|
2021-08-06 21:20:14 |
Kelsey Steele |
linux (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2021-08-06 21:20:17 |
Kelsey Steele |
linux (Ubuntu Hirsute): status |
In Progress |
Fix Committed |
|
2021-08-17 14:42:02 |
Ubuntu Kernel Bot |
tags |
architecture-s39064 bugnameltc-193309 severity-high targetmilestone-inin2110 |
architecture-s39064 bugnameltc-193309 severity-high targetmilestone-inin2110 verification-needed-hirsute |
|
2021-08-17 15:39:31 |
bugproxy |
tags |
architecture-s39064 bugnameltc-193309 severity-high targetmilestone-inin2110 verification-needed-hirsute |
architecture-s39064 bugnameltc-193309 severity-high targetmilestone-inin2110 verification-done-hirsute |
|
2021-08-20 09:42:12 |
Ubuntu Kernel Bot |
tags |
architecture-s39064 bugnameltc-193309 severity-high targetmilestone-inin2110 verification-done-hirsute |
architecture-s39064 bugnameltc-193309 severity-high targetmilestone-inin2110 verification-done-hirsute verification-needed-focal |
|
2021-08-20 13:00:08 |
bugproxy |
tags |
architecture-s39064 bugnameltc-193309 severity-high targetmilestone-inin2110 verification-done-hirsute verification-needed-focal |
architecture-s39064 bugnameltc-193309 severity-high targetmilestone-inin2110 verification-done-hirsute verification-failed-focal |
|
2021-08-20 14:20:09 |
bugproxy |
attachment added |
|
changelog https://bugs.launchpad.net/bugs/1933173/+attachment/5519406/+files/changelog |
|
2021-08-23 09:59:46 |
bugproxy |
tags |
architecture-s39064 bugnameltc-193309 severity-high targetmilestone-inin2110 verification-done-hirsute verification-failed-focal |
architecture-s39064 bugnameltc-193309 severity-high targetmilestone-inin2110 verification-done-focal verification-done-hirsute |
|
2021-09-07 13:48:28 |
Launchpad Janitor |
linux (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2021-09-07 13:48:28 |
Launchpad Janitor |
cve linked |
|
2021-3653 |
|
2021-09-07 13:48:28 |
Launchpad Janitor |
cve linked |
|
2021-3656 |
|
2021-09-07 13:53:28 |
Launchpad Janitor |
linux (Ubuntu Hirsute): status |
Fix Committed |
Fix Released |
|
2021-09-07 13:53:28 |
Launchpad Janitor |
cve linked |
|
2020-26541 |
|
2021-09-07 14:58:03 |
Frank Heimes |
linux (Ubuntu Impish): status |
Fix Committed |
Fix Released |
|
2021-09-07 14:58:08 |
Frank Heimes |
ubuntu-z-systems: status |
Fix Committed |
Fix Released |
|