2022-05-13 09:49:22 |
bugproxy |
bug |
|
|
added bug |
2022-05-13 09:49:24 |
bugproxy |
tags |
|
architecture-s39064 bugnameltc-198153 severity-high targetmilestone-inin--- |
|
2022-05-13 09:49:26 |
bugproxy |
attachment added |
|
Backported patches for OCK v3.17.0 https://bugs.launchpad.net/bugs/1973296/+attachment/5589513/+files/Patches-for_OCK-v3.17.0.zip |
|
2022-05-13 09:49:27 |
bugproxy |
attachment added |
|
Backported patches for OCK v3.13.0 https://bugs.launchpad.net/bugs/1973296/+attachment/5589514/+files/v3.13.0.zip |
|
2022-05-13 09:49:29 |
bugproxy |
attachment added |
|
Backported patches for OCK v3.16.0 https://bugs.launchpad.net/bugs/1973296/+attachment/5589515/+files/v3.16.0.zip |
|
2022-05-13 09:49:31 |
bugproxy |
ubuntu: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2022-05-13 09:49:35 |
bugproxy |
affects |
ubuntu |
linux (Ubuntu) |
|
2022-05-13 09:53:43 |
Frank Heimes |
affects |
linux (Ubuntu) |
opencryptoki (Ubuntu) |
|
2022-05-13 09:55:48 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
2022-05-13 09:56:08 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2022-05-13 09:56:25 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
High |
|
2022-05-13 11:34:07 |
Frank Heimes |
nominated for series |
|
Ubuntu Focal |
|
2022-05-13 11:34:07 |
Frank Heimes |
bug task added |
|
opencryptoki (Ubuntu Focal) |
|
2022-05-13 11:34:07 |
Frank Heimes |
nominated for series |
|
Ubuntu Jammy |
|
2022-05-13 11:34:07 |
Frank Heimes |
bug task added |
|
opencryptoki (Ubuntu Jammy) |
|
2022-05-13 11:34:07 |
Frank Heimes |
nominated for series |
|
Ubuntu Impish |
|
2022-05-13 11:34:07 |
Frank Heimes |
bug task added |
|
opencryptoki (Ubuntu Impish) |
|
2022-05-13 11:34:07 |
Frank Heimes |
nominated for series |
|
Ubuntu Kinetic |
|
2022-05-13 11:34:07 |
Frank Heimes |
bug task added |
|
opencryptoki (Ubuntu Kinetic) |
|
2022-05-13 18:39:52 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/opencryptoki/+git/opencryptoki/+merge/422526 |
|
2022-05-13 19:16:44 |
Frank Heimes |
opencryptoki (Ubuntu Kinetic): status |
New |
In Progress |
|
2022-05-13 19:16:48 |
Frank Heimes |
ubuntu-z-systems: status |
New |
In Progress |
|
2022-05-13 19:18:13 |
Frank Heimes |
attachment added |
|
debdiff kinetic https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1973296/+attachment/5589639/+files/debdiff_kinetic.patch |
|
2022-05-13 20:22:54 |
Ubuntu Foundations Team Bug Bot |
tags |
architecture-s39064 bugnameltc-198153 severity-high targetmilestone-inin--- |
architecture-s39064 bugnameltc-198153 patch severity-high targetmilestone-inin--- |
|
2022-05-13 20:23:00 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2022-05-16 11:36:10 |
Frank Heimes |
attachment removed |
debdiff kinetic https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1973296/+attachment/5589639/+files/debdiff_kinetic.patch |
|
|
2022-05-16 11:38:44 |
Frank Heimes |
attachment added |
|
from 3.17.0+dfsg+20220202.b40982e-0ubuntu1 to 3.17.0+dfsg+20220202.b40982e-0ubuntu2 https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1973296/+attachment/5590037/+files/debdiff_kinetic.patch |
|
2022-05-16 11:49:05 |
bugproxy |
attachment added |
|
debdiff kinetic https://bugs.launchpad.net/bugs/1973296/+attachment/5590038/+files/debdiff_kinetic.patch |
|
2022-05-16 12:08:18 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/opencryptoki/+git/opencryptoki/+merge/422622 |
|
2022-05-16 12:16:35 |
Frank Heimes |
attachment added |
|
debdiff for jammy https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1973296/+attachment/5590039/+files/debdiff_jammy.patch |
|
2022-05-16 12:17:39 |
Frank Heimes |
opencryptoki (Ubuntu Jammy): status |
New |
In Progress |
|
2022-05-17 18:12:45 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/opencryptoki/+git/opencryptoki/+merge/422759 |
|
2022-05-17 18:22:41 |
Frank Heimes |
attachment added |
|
debdiff for impish https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1973296/+attachment/5590488/+files/debdiff_impish.patch |
|
2022-05-18 09:10:28 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/opencryptoki/+git/opencryptoki/+merge/422813 |
|
2022-05-18 10:12:17 |
Frank Heimes |
merge proposal unlinked |
https://code.launchpad.net/~fheimes/ubuntu/+source/opencryptoki/+git/opencryptoki/+merge/422813 |
|
|
2022-05-18 10:12:53 |
Frank Heimes |
merge proposal unlinked |
https://code.launchpad.net/~fheimes/ubuntu/+source/opencryptoki/+git/opencryptoki/+merge/422759 |
|
|
2022-05-18 10:13:24 |
Frank Heimes |
merge proposal unlinked |
https://code.launchpad.net/~fheimes/ubuntu/+source/opencryptoki/+git/opencryptoki/+merge/422622 |
|
|
2022-05-18 10:13:54 |
Frank Heimes |
merge proposal unlinked |
https://code.launchpad.net/~fheimes/ubuntu/+source/opencryptoki/+git/opencryptoki/+merge/422526 |
|
|
2022-05-18 10:14:47 |
Frank Heimes |
attachment removed |
debdiff for kinetic https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1973296/+attachment/5590037/+files/debdiff_kinetic.patch |
|
|
2022-05-18 10:15:02 |
Frank Heimes |
attachment removed |
debdiff kinetic https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1973296/+attachment/5590038/+files/debdiff_kinetic.patch |
|
|
2022-05-18 10:15:27 |
Frank Heimes |
attachment removed |
debdiff for jammy https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1973296/+attachment/5590039/+files/debdiff_jammy.patch |
|
|
2022-05-18 10:15:50 |
Frank Heimes |
attachment removed |
debdiff for impish https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1973296/+attachment/5590488/+files/debdiff_impish.patch |
|
|
2022-05-18 11:00:13 |
Frank Heimes |
description |
openCryptoki version 3.13.0 or higher need a fix to continue to support the Dilithium mechanisms when using an upgraded EP11 host library.
https://github.com/opencryptoki/opencryptoki/commit/b40982e19e27b22ef724c7431a1a475f1858e199 "EP11: Dilithium: Specify OID of key strength at key generation"
https://github.com/opencryptoki/opencryptoki/commit/6759faed4c7a2e154ca2f2c56a5b51aec68227fc "EP11: Fix host library version query"
Without these fixes, CKM_IBM_DILITHIUM mechanism do not show up as supported by the EP11 token when an upgraded EP11 host library is used, which would be a regression. |
SRU Justification:
==================
[Impact]
* With upgraded EP11 host libraries,
which are needed for the IBM Z hardware crypto stack
(especially the Crypto Express EP11 coprocessor),
support for Dilithium algorithm (CKM_IBM_DILITHIUM)
does not show up as supported by the EP11 token.
* This can be considered as a regression is not fixed.
[Test Plan]
* An IBM zSystems machine (either LPAR or z/VM) is needed
with a CryptoExpress adapter running on EP11 coprocessor mode
(and supporting Dilithium, e.g. '8S')
and at least one available crypto domain online.
* Ubuntu focal, impish, jammy or kinetic needs to run.
and the ep11 and opencryptoki packages installed.
* Then check with pkcsconf -m -c <slot>
for the supported 'mechanism'.
* Look for 'CKM_IBM_DILITHIUM'.
* More details can be found here:
https://www.ibm.com/docs/en/linux-on-systems?topic=token-supported-mechanisms-ep11
* Test will be done by IBM.
[Fix]
* b40982e1 b40982e19e27b22ef724c7431a1a475f1858e199
"EP11: Dilithium: Specify OID of key strength at key generation"
* 6759faed 6759faed4c7a2e154ca2f2c56a5b51aec68227fc
"EP11: Fix host library version query"
* Respectively their backports attached here.
[Where problems could occur]
* Erroneous patches may have an impact on algorithms other than
Dilithium. But this is very unlikely since 'ep11_specific.c' is
the only file that is touched (by both patches).
* Broken fixes for opencryptoki may harm cases with older EP11 package,
that were not impacted so far, for example due to bugs in the
handling of the lib/host version query.
* Problems with the handling of tokens could occur.
[Other Info]
* b40982e1 is the pre-requisite for 6759faed
* Both patches are upstream in opencryptoki 3.18.
* Since opencryptoki jammy and kinetic includes several commits on
top of 3.17, b40982e1 is already included.
* Hence only opencryptoki impish and focal require both patches.
__________
openCryptoki version 3.13.0 or higher need a fix to continue to support the Dilithium mechanisms when using an upgraded EP11 host library.
https://github.com/opencryptoki/opencryptoki/commit/b40982e19e27b22ef724c7431a1a475f1858e199 "EP11: Dilithium: Specify OID of key strength at key generation"
https://github.com/opencryptoki/opencryptoki/commit/6759faed4c7a2e154ca2f2c56a5b51aec68227fc "EP11: Fix host library version query"
Without these fixes, CKM_IBM_DILITHIUM mechanism do not show up as supported by the EP11 token when an upgraded EP11 host library is used, which would be a regression. |
|
2022-05-18 11:05:08 |
Frank Heimes |
attachment added |
|
debdiff for kinetic https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1973296/+attachment/5590662/+files/debdiff_kinetic_from_3.17.0+dfsg+20220202.b40982e-0ubuntu1_to_3.17.0+dfsg+20220202.b40982e-0ubuntu2.patch |
|
2022-05-18 11:05:36 |
Frank Heimes |
attachment added |
|
debdiff for jammy https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1973296/+attachment/5590663/+files/debdiff_jammy_from_3.17.0+dfsg+20220202.b40982e-0ubuntu1_to_3.17.0+dfsg+20220202.b40982e-0ubuntu1.1.patch |
|
2022-05-18 11:06:07 |
Frank Heimes |
attachment added |
|
debdiff for impish https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1973296/+attachment/5590664/+files/debdiff_impish_from_3.16.0+dfsg-0ubuntu1_to_3.16.0+dfsg-0ubuntu1.1.patch |
|
2022-05-18 11:06:34 |
Frank Heimes |
attachment added |
|
debdiff for focal https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1973296/+attachment/5590665/+files/debdiff_focal_from_3.13.0+dfsg-0ubuntu5.1_to_3.13.0+dfsg-0ubuntu5.2.patch |
|
2022-05-18 11:06:43 |
Frank Heimes |
opencryptoki (Ubuntu Impish): status |
New |
In Progress |
|
2022-05-18 11:06:48 |
Frank Heimes |
opencryptoki (Ubuntu Focal): status |
New |
In Progress |
|
2022-05-18 15:51:58 |
Simon Chopin |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2022-05-18 15:52:01 |
Simon Chopin |
opencryptoki (Ubuntu Focal): assignee |
|
Simon Chopin (schopin) |
|
2022-05-18 15:52:02 |
Simon Chopin |
opencryptoki (Ubuntu Impish): assignee |
|
Simon Chopin (schopin) |
|
2022-05-18 15:52:04 |
Simon Chopin |
opencryptoki (Ubuntu Jammy): assignee |
|
Simon Chopin (schopin) |
|
2022-05-18 15:52:06 |
Simon Chopin |
opencryptoki (Ubuntu Kinetic): assignee |
Skipper Bug Screeners (skipper-screen-team) |
Simon Chopin (schopin) |
|
2022-05-18 15:54:13 |
Simon Chopin |
opencryptoki (Ubuntu Kinetic): status |
In Progress |
Fix Released |
|
2022-05-25 11:14:29 |
Robie Basak |
opencryptoki (Ubuntu Impish): status |
In Progress |
Fix Committed |
|
2022-05-25 11:14:31 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-05-25 11:14:32 |
Robie Basak |
bug |
|
|
added subscriber SRU Verification |
2022-05-25 11:14:34 |
Robie Basak |
tags |
architecture-s39064 bugnameltc-198153 patch severity-high targetmilestone-inin--- |
architecture-s39064 bugnameltc-198153 patch severity-high targetmilestone-inin--- verification-needed verification-needed-impish |
|
2022-05-25 11:16:07 |
Robie Basak |
opencryptoki (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2022-05-25 11:16:11 |
Robie Basak |
tags |
architecture-s39064 bugnameltc-198153 patch severity-high targetmilestone-inin--- verification-needed verification-needed-impish |
architecture-s39064 bugnameltc-198153 patch severity-high targetmilestone-inin--- verification-needed verification-needed-impish verification-needed-jammy |
|
2022-05-25 11:16:24 |
Robie Basak |
opencryptoki (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2022-05-25 11:16:28 |
Robie Basak |
tags |
architecture-s39064 bugnameltc-198153 patch severity-high targetmilestone-inin--- verification-needed verification-needed-impish verification-needed-jammy |
architecture-s39064 bugnameltc-198153 patch severity-high targetmilestone-inin--- verification-needed verification-needed-focal verification-needed-impish verification-needed-jammy |
|
2022-06-01 05:45:20 |
Frank Heimes |
ubuntu-z-systems: status |
In Progress |
Fix Committed |
|
2022-06-07 14:30:04 |
bugproxy |
tags |
architecture-s39064 bugnameltc-198153 patch severity-high targetmilestone-inin--- verification-needed verification-needed-focal verification-needed-impish verification-needed-jammy |
architecture-s39064 bugnameltc-198153 patch severity-high targetmilestone-inin--- verification-done-focal verification-needed verification-needed-impish verification-needed-jammy |
|
2022-06-08 07:08:54 |
Frank Heimes |
attachment added |
|
opencryptoki-3.13.0_upstream_compiled.tgz https://bugs.launchpad.net/ubuntu-z-systems/+bug/1973296/+attachment/5595521/+files/opencryptoki-3.13.0_upstream_compiled.tgz |
|
2022-06-08 07:09:35 |
Frank Heimes |
description |
SRU Justification:
==================
[Impact]
* With upgraded EP11 host libraries,
which are needed for the IBM Z hardware crypto stack
(especially the Crypto Express EP11 coprocessor),
support for Dilithium algorithm (CKM_IBM_DILITHIUM)
does not show up as supported by the EP11 token.
* This can be considered as a regression is not fixed.
[Test Plan]
* An IBM zSystems machine (either LPAR or z/VM) is needed
with a CryptoExpress adapter running on EP11 coprocessor mode
(and supporting Dilithium, e.g. '8S')
and at least one available crypto domain online.
* Ubuntu focal, impish, jammy or kinetic needs to run.
and the ep11 and opencryptoki packages installed.
* Then check with pkcsconf -m -c <slot>
for the supported 'mechanism'.
* Look for 'CKM_IBM_DILITHIUM'.
* More details can be found here:
https://www.ibm.com/docs/en/linux-on-systems?topic=token-supported-mechanisms-ep11
* Test will be done by IBM.
[Fix]
* b40982e1 b40982e19e27b22ef724c7431a1a475f1858e199
"EP11: Dilithium: Specify OID of key strength at key generation"
* 6759faed 6759faed4c7a2e154ca2f2c56a5b51aec68227fc
"EP11: Fix host library version query"
* Respectively their backports attached here.
[Where problems could occur]
* Erroneous patches may have an impact on algorithms other than
Dilithium. But this is very unlikely since 'ep11_specific.c' is
the only file that is touched (by both patches).
* Broken fixes for opencryptoki may harm cases with older EP11 package,
that were not impacted so far, for example due to bugs in the
handling of the lib/host version query.
* Problems with the handling of tokens could occur.
[Other Info]
* b40982e1 is the pre-requisite for 6759faed
* Both patches are upstream in opencryptoki 3.18.
* Since opencryptoki jammy and kinetic includes several commits on
top of 3.17, b40982e1 is already included.
* Hence only opencryptoki impish and focal require both patches.
__________
openCryptoki version 3.13.0 or higher need a fix to continue to support the Dilithium mechanisms when using an upgraded EP11 host library.
https://github.com/opencryptoki/opencryptoki/commit/b40982e19e27b22ef724c7431a1a475f1858e199 "EP11: Dilithium: Specify OID of key strength at key generation"
https://github.com/opencryptoki/opencryptoki/commit/6759faed4c7a2e154ca2f2c56a5b51aec68227fc "EP11: Fix host library version query"
Without these fixes, CKM_IBM_DILITHIUM mechanism do not show up as supported by the EP11 token when an upgraded EP11 host library is used, which would be a regression. |
SRU Justification:
==================
[Impact]
* With upgraded EP11 host libraries,
which are needed for the IBM Z hardware crypto stack
(especially the Crypto Express EP11 coprocessor),
support for Dilithium algorithm (CKM_IBM_DILITHIUM)
does not show up as supported by the EP11 token.
* This can be considered as a regression is not fixed.
[Test Plan]
* An IBM zSystems machine (either LPAR or z/VM) is needed
with a CryptoExpress adapter running on EP11 coprocessor mode
'EP11-Coproc'
(and supporting Dilithium, e.g. '5S' or newer)
and at least one available crypto domain online.
verify with 'lszcrypt -V' / 'lszcrypt -b'.
* Ubuntu focal (impish, jammy or kinetic) needs to run.
and the IBM EP11 package (latest v3.0.1) and opencryptoki
package installed (from -proposed).
* Then check the API with 'pkcsconf -m -c <slot>'
for the supported 'mechanisms' and look for 'CKM_IBM_DILITHIUM'.
* More details can be found here:
https://www.ibm.com/docs/en/linux-on-systems?topic=token-supported-mechanisms-ep11
* To verify the Dilithium functionality in general
(and to avoid any follow-on surprises) it's probably best to
run 'testcases/crypto/dilithium_tests'.
* Since the testcases folder is not part of the Ubuntu package
it needs to be taken from upstream (same version like the Ubuntu
package) and locally compiled (using 'configure --enable-testcases').
* (a compiled upstream v3.13 is attached)
* Test needs to be done by IBM.
[Fix]
* b40982e1 b40982e19e27b22ef724c7431a1a475f1858e199
"EP11: Dilithium: Specify OID of key strength at key generation"
* 6759faed 6759faed4c7a2e154ca2f2c56a5b51aec68227fc
"EP11: Fix host library version query"
* Respectively their backports attached here.
[Where problems could occur]
* Erroneous patches may have an impact on algorithms other than
Dilithium. But this is very unlikely since 'ep11_specific.c' is
the only file that is touched (by both patches).
* Broken fixes for opencryptoki may harm cases with older EP11 package,
that were not impacted so far, for example due to bugs in the
handling of the lib/host version query.
* Problems with the handling of tokens could occur.
[Other Info]
* b40982e1 is the pre-requisite for 6759faed
* Both patches are upstream in opencryptoki 3.18.
* Since opencryptoki jammy and kinetic includes several commits on
top of 3.17, b40982e1 is already included.
* Hence only opencryptoki impish and focal require both patches.
__________
openCryptoki version 3.13.0 or higher need a fix to continue to support the Dilithium mechanisms when using an upgraded EP11 host library.
https://github.com/opencryptoki/opencryptoki/commit/b40982e19e27b22ef724c7431a1a475f1858e199 "EP11: Dilithium: Specify OID of key strength at key generation"
https://github.com/opencryptoki/opencryptoki/commit/6759faed4c7a2e154ca2f2c56a5b51aec68227fc "EP11: Fix host library version query"
Without these fixes, CKM_IBM_DILITHIUM mechanism do not show up as supported by the EP11 token when an upgraded EP11 host library is used, which would be a regression. |
|
2022-06-08 14:04:40 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-198153 patch severity-high targetmilestone-inin--- verification-done-focal verification-needed verification-needed-impish verification-needed-jammy |
architecture-s39064 bugnameltc-198153 patch severity-high targetmilestone-inin--- verification-don verification-done-focal verification-done-impish verification-done-jammy |
|
2022-06-09 07:20:25 |
bugproxy |
tags |
architecture-s39064 bugnameltc-198153 patch severity-high targetmilestone-inin--- verification-don verification-done-focal verification-done-impish verification-done-jammy |
architecture-s39064 bugnameltc-198153 patch severity-high targetmilestone-inin2004 verification-done-focal verification-needed verification-needed-impish verification-needed-jammy |
|
2022-06-09 11:51:34 |
bugproxy |
tags |
architecture-s39064 bugnameltc-198153 patch severity-high targetmilestone-inin2004 verification-done-focal verification-needed verification-needed-impish verification-needed-jammy |
architecture-s39064 bugnameltc-198153 patch severity-high targetmilestone-inin2004 verification-done-focal verification-done-impish verification-done-jammy |
|
2022-07-13 17:59:21 |
Launchpad Janitor |
opencryptoki (Ubuntu Impish): status |
Fix Committed |
Fix Released |
|
2022-07-13 17:59:25 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2022-07-13 17:59:39 |
Launchpad Janitor |
opencryptoki (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2022-07-13 17:59:56 |
Launchpad Janitor |
opencryptoki (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2022-07-13 18:07:56 |
Frank Heimes |
ubuntu-z-systems: status |
Fix Committed |
Fix Released |
|