[UBUNTU 20.04] OpenCryptoki >= 3.13 with upgraded EP11 host library - Dilithium support not available
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners |
opencryptoki (Ubuntu) | Fix Released | Undecided | Simon Chopin |
Focal | Fix Released | Undecided | Simon Chopin |
Impish | Fix Released | Undecided | Simon Chopin |
Jammy | Fix Released | Undecided | Simon Chopin |
Kinetic | Fix Released | Undecided | Simon Chopin |
Bug Description
SRU Justification:
==================
[Impact]
* With upgraded EP11 host libraries,
which are needed for the IBM Z hardware crypto stack
(especially the Crypto Express EP11 coprocessor),
support for Dilithium algorithm (CKM_IBM_DILITHIUM)
does not show up as supported by the EP11 token.
* This can be considered a regression if not fixed.
[Test Plan]
* An IBM zSystems machine (either LPAR or z/VM) is needed
with a CryptoExpress adapter running on EP11 coprocessor mode
'EP11-Coproc'
(and supporting Dilithium, e.g. '5S' or newer)
and at least one available crypto domain online.
Verify with 'lszcrypt -V' / 'lszcrypt -b'.
* Ubuntu focal (impish, jammy or kinetic) needs to run,
with the IBM EP11 package (latest v3.0.1) and the opencryptoki
package installed (from -proposed).
* Then check the API with 'pkcsconf -m -c <slot>'
for the supported 'mechanisms' and look for 'CKM_IBM_
* More details can be found here:
https:/
* To verify the Dilithium functionality in general
(and to avoid any follow-on surprises) it's probably best to
run 'testcases/
* Since the testcases folder is not part of the Ubuntu package
it needs to be taken from upstream (same version as the Ubuntu
package) and locally compiled (using 'configure --enable-
* (a compiled upstream v3.13 is attached)
* Test needs to be done by IBM.
[Fix]
* b40982e1 b40982e19e27b22
"EP11: Dilithium: Specify OID of key strength at key generation"
* 6759faed 6759faed4c7a2e1
"EP11: Fix host library version query"
* Respectively their backports attached here.
[Where problems could occur]
* Erroneous patches may have an impact on algorithms other than
Dilithium. But this is very unlikely since 'ep11_specific.c' is
the only file that is touched (by both patches).
* Broken fixes for opencryptoki may harm cases with older EP11 package,
that were not impacted so far, for example due to bugs in the
handling of the lib/host version query.
* Problems with the handling of tokens could occur.
[Other Info]
* b40982e1 is the pre-requisite for 6759faed
* Both patches are upstream in opencryptoki 3.18.
* Since opencryptoki in jammy and kinetic includes several commits on
top of 3.17, b40982e1 is already included.
* Hence only opencryptoki impish and focal require both patches.
__________
openCryptoki version 3.13.0 or higher needs a fix to continue to support the Dilithium mechanisms when using an upgraded EP11 host library.
https:/
https:/
Without these fixes, the CKM_IBM_DILITHIUM mechanism does not show up as supported by the EP11 token when an upgraded EP11 host library is used, which would be a regression.
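
The mechanism check from the test plan can be scripted so that a missing CKM_IBM_DILITHIUM is told apart from an empty mechanism list. This is an added example, not part of the bug report or of openCryptoki. The function names (`mech_status`, `sample_fixed`, `sample_regressed`) are hypothetical, and the sample output is constructed, with its layout assumed from `pkcsconf -m` and its hex values and flags illustrative.

```shell
#!/bin/sh
# mech_status NAME: reads `pkcsconf -m -c <slot>` output on stdin.
# Prints "present", "absent" or "no-mechanisms" and returns 0, 1 or 2.
# Real use on the test system: pkcsconf -m -c "$slot" | mech_status CKM_IBM_DILITHIUM
mech_status() {
    awk -v want="$1" '
        /Mechanism:/ {
            total++
            # The mechanism name is printed in parentheses after its hex value.
            if (match($0, /\([A-Za-z0-9_]+\)/)) {
                name = substr($0, RSTART + 1, RLENGTH - 2)
                if (name == want) found = 1   # exact match, not a prefix match
            }
        }
        END {
            if (total == 0) { print "no-mechanisms"; exit 2 }  # token or slot problem
            if (found)      { print "present";       exit 0 }
            print "absent"; exit 1                             # the regression case
        }'
}

# Constructed sample: mechanism list as expected with the fix applied.
sample_fixed() {
    cat <<'EOF'
Mechanism #0
	Mechanism: 0x1040 (CKM_EC_KEY_PAIR_GEN)
	Key Size: 192-521
	Flags: 0x10001 (CKF_HW|CKF_GENERATE_KEY_PAIR)
Mechanism #1
	Mechanism: 0x80010023 (CKM_IBM_DILITHIUM)
	Key Size: 256-256
	Flags: 0x12801 (CKF_HW|CKF_SIGN|CKF_VERIFY|CKF_GENERATE_KEY_PAIR)
EOF
}

# Constructed sample: the same token without the fix, Dilithium not listed.
sample_regressed() {
    cat <<'EOF'
Mechanism #0
	Mechanism: 0x1040 (CKM_EC_KEY_PAIR_GEN)
	Key Size: 192-521
	Flags: 0x10001 (CKF_HW|CKF_GENERATE_KEY_PAIR)
EOF
}

sample_fixed | mech_status CKM_IBM_DILITHIUM
```
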
affects: | linux (Ubuntu) → opencryptoki (Ubuntu) |
Changed in ubuntu-z-systems: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
importance: | Undecided → High |
Changed in ubuntu-z-systems: | |
status: | In Progress → Fix Committed |
tags: |
added: targetmilestone-inin2004 verification-needed verification-needed-impish verification-needed-jammy removed: targetmilestone-inin--- verification-don verification-done-impish verification-done-jammy |
tags: |
added: verification-done-impish verification-done-jammy removed: verification-needed verification-needed-impish verification-needed-jammy |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |