[25.04 FEAT] [VS2304] KVM: Support retrievable secrets in Secure Execution guests - kernel part
Bug #2097534 reported by
bugproxy
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Ubuntu on IBM z Systems |
Fix Released
|
High
|
Skipper Bug Screeners | ||
| linux (Ubuntu) |
Fix Released
|
High
|
Skipper Bug Screeners | ||
Bug Description
Feature Description:
For crypto passthrough, so far it was necessary to pass guest-specific secrets (Item binding keys) to the Ultravisor to ensure that passed-through APQNs can only be used by authorized guests. In a next step the Ultravisor interface can be extended for generalized secrets management (storing, listing, retrieving), e.g. for key material to encrypt disk and network I/O. With this capability it will not be necessary any more to store secrets in the secure image (the initramfs) itself, which greatly simplifies image construction, specifically of generic/vendor images and also the image update process (e.g. kernel or initramfs security updates).
| tags: | added: architecture-s39064 bugnameltc-211470 severity-high targetmilestone-inin2504 |
| Changed in ubuntu: | |
| assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
| affects: | ubuntu → linux (Ubuntu) |
Revision history for this message
| bugproxy (bugproxy) wrote Comment bridged from LTC Bugzilla | #1 |
| Changed in ubuntu-z-systems: | |
| assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
| Changed in linux (Ubuntu): | |
| importance: | Undecided → High |
| Changed in ubuntu-z-systems: | |
| importance: | Undecided → High |
| status: | New → Incomplete |
| Changed in linux (Ubuntu): | |
| status: | New → Incomplete |
Revision history for this message
| Frank Heimes (fheimes) wrote | #2 |
| Changed in ubuntu-z-systems: | |
| status: | Incomplete → Fix Released |
| Changed in linux (Ubuntu): | |
| status: | Incomplete → Fix Released |
| information type: | Private → Public |
To post a comment you must log in.
------- Comment From <email address hidden> 2025-02-06 07:21 EDT-------
The kernel part of this item was included in kernel v6.13
These are the commits:
3fad3bdac4de s390/uvdevice: Support longer secret lists
f00469a6420e s390/uv: Retrieve UV secrets sysfs support
d35613718784 s390/uvdevice: Increase indent in IOCTL definitions
99961593e364 s390/uvdevice: Add Retrieve Secret IOCTL
7c9137af2042 s390/uv: Retrieve UV secrets support
da59c71cc727 s390/uv: Use a constant for more-data rc