[21.10 FEAT] zcrypt DD: CEX8 toleration

Bug #1933805 reported by bugproxy
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners |
linux (Ubuntu) | Fix Released | Undecided | Canonical Kernel Team |

Bug Description

The CEX8 adapter shall support quantum-safe crypto and therefore requires message sizes > 12kB.
This change is mainly required to support EP11 responses to admin requests at zNext which due to QS certificates can grow larger than 12kB.

This is to cover a minimal patch to provide toleration support for this feature which shall be back-ported to all distribution releases in service at zNext.

Kernel level >= 5.14

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-193340 severity-high targetmilestone-inin2110
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
importance: Undecided → High
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
status: New → Incomplete
Changed in linux (Ubuntu):
status: New → Incomplete
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2021-08-12 16:46 EDT-------
Fix available upstream in kernel 5.14
upstream commit: bd39654a2282 s390/AP: support new dynamic AP bus size limit

Frank Heimes (fheimes)
Changed in linux (Ubuntu):
status: Incomplete → Triaged
Changed in ubuntu-z-systems:
status: Incomplete → Triaged
Changed in linux (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → Frank Heimes (fheimes)
Frank Heimes (fheimes) wrote :

A patched impish kernel 5.13 is being built here for further testing:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1933805

Frank Heimes (fheimes) wrote :

Patch request submitted:
https://lists.ubuntu.com/archives/kernel-team/2021-August/thread.html#123207
changing status to 'In Progress'.

Changed in linux (Ubuntu):
status: Triaged → In Progress
Changed in ubuntu-z-systems:
status: Triaged → In Progress
Changed in linux (Ubuntu):
assignee: Frank Heimes (fheimes) → Canonical Kernel Team (canonical-kernel-team)
information type: Private → Public
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Frank Heimes (fheimes)
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Andy Whitcroft (apw) wrote :

Though this is not at all clear, this focal verification request is for focal:linux-oem-5.13.

Frank Heimes (fheimes) wrote :

Ok, since there is no linux-oem-5.13 for s390x, I'm setting the tags to "verification done on focal", to unblock this ticket. (Thx for the clarification apw.)

tags: added: verification-done-focal
removed: verification-needed-focal
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-09-14 08:09 EDT-------
(In reply to comment #9)
> This bug is awaiting verification that the kernel in -proposed solves the
> problem. Please test the kernel and update this bug with the results. If the
> problem is solved, change the tag 'verification-needed-focal' to
> 'verification-done-focal'. If the problem still exists, change the tag
> 'verification-needed-focal' to 'verification-failed-focal'.
>
> If verification is not done by 5 working days from today, this fix will be
> dropped from the source code, and this bug will be closed.
>
> See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
> enable and use -proposed. Thank you!

It would be nice to have something to verify ...
Could you please give me a git repo to pick and build from or a kernel package which I could install? And please note that as of now I don't have any access to a 21.10 ubuntu either. However, I think I could use a 21.04 for the verification if I would get something to verify.

Frank Heimes (fheimes) wrote :

Hi Harald,
you can test the patched kernel packages that I created and referenced in comment #2:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1933805/comments/2

Or in case you want to have a look at the code, you may have a look at the submission mails that I've sent to the kernel team's mailing list and that I referenced in comment #3:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1933805/comments/3
which actually points to:
https://lists.ubuntu.com/archives/kernel-team/2021-August/thread.html#123207

But there can be challenges to install a 21.10 5.13 kernel on a different Ubuntu release, due to glibc updates.

And btw. Impish daily build ISO images can be found here:
https://cdimage.ubuntu.com/ubuntu-server/daily-live/current/

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-09-15 11:54 EDT-------
Ok, with the help of Christian I finally could upgrade a system to Ubuntu 21.10.
Then I downloaded the dep files from Frank's build and installed them. Here is the uname output:
root@t8314009:~# uname -a
Linux t8314009.lnxne.boe 5.13.0-14-generic #14~lp1933805-Ubuntu SMP Mon Aug 16 07:17:43 UTC 2021 s390x s390x s390x GNU/Linux
So Frank's kernel is running.

I ran my zcrypt tests and also checked that everything I would expect is there (for example the new /sys/devices/ap/cardxx/max_msg_size sysfs attributes).

However, as there is currently worldwide no s390 Linux system running with access to the new crypto card generation this part of the test needs to be postponed to a later time ... I guess, I'll have access in about 4 weeks.

I take this as 'verified' now.
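
A check along the lines of the one described in the comment above, as an added example that is not part of the original thread or of the zcrypt test suite: it walks the AP card directories and reports each card's max_msg_size attribute. Assumptions: the attribute holds a decimal byte count, "12kB" means 12 * 1024 bytes, and the function name and optional directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: confirm that the AP bus exposes the per-card
# max_msg_size sysfs attribute mentioned in the verification comment.
AP_LEGACY_LIMIT=12288   # assumption: the 12kB limit is 12 * 1024 bytes

# check_ap_max_msg_size [AP_SYSFS_DIR]
# Prints one line per card found.
# Returns 0 if every card has a readable numeric max_msg_size,
#         1 if any card lacks it (kernel without the toleration patch),
#         2 if no card directories exist at all.
check_ap_max_msg_size() {
    ap_dir=${1:-/sys/devices/ap}
    found=0
    bad=0
    for card in "$ap_dir"/card[0-9a-f][0-9a-f]; do
        [ -d "$card" ] || continue          # unmatched glob stays literal
        found=$((found + 1))
        name=${card##*/}
        attr=$card/max_msg_size
        if [ ! -r "$attr" ]; then
            echo "$name: max_msg_size attribute missing"
            bad=$((bad + 1))
            continue
        fi
        size=$(cat "$attr")
        case $size in
            ''|*[!0-9]*)                    # reject anything non-numeric
                echo "$name: unexpected value '$size'"
                bad=$((bad + 1))
                continue ;;
        esac
        if [ "$size" -gt "$AP_LEGACY_LIMIT" ]; then
            echo "$name: max_msg_size=$size (above 12 kB)"
        else
            echo "$name: max_msg_size=$size (12 kB or below)"
        fi
    done
    [ "$found" -gt 0 ] || { echo "no AP cards under $ap_dir"; return 2; }
    [ "$bad" -eq 0 ]
}
# Usage on an s390x system: check_ap_max_msg_size
```

On a kernel with the patch but without a card of the new generation, every card is expected to fall into the "12 kB or below" branch; the attribute being present at all is what the toleration check confirms.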

Frank Heimes (fheimes) wrote :

Looks like you did the best that is currently possible.
So thx for the verification, Harald!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.13.0-16.16

---------------
linux (5.13.0-16.16) impish; urgency=medium

  * impish/linux: 5.13.0-16.16 -proposed tracker (LP: #1942611)

  * Miscellaneous Ubuntu changes
    - [Config] update toolchain in configs

  * Miscellaneous upstream changes
    - Revert "UBUNTU: [Config] Enable CONFIG_UBSAN_BOUNDS"

 -- Andrea Righi <email address hidden> Fri, 03 Sep 2021 16:21:14 +0200

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-09-17 04:59 EDT-------
Fix verified and landed in impish / U21.10, hence closing the bug.
IBM BZ status: ->CLOSED
