[23.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - qemu part
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu on IBM z Systems |
Fix Released
|
High
|
Skipper Bug Screeners | ||
qemu (Ubuntu) |
Fix Released
|
High
|
Skipper Bug Screeners | ||
Jammy |
In Progress
|
Undecided
|
Sergio Durigan Junior |
Bug Description
SRU Justification:
[ Impact ]
* Hypervisor-
guests are not helpful because memory and CPU state is encrypted by a
transient key only available to the Ultravisor.
* Workload owners can still configure kdump in order to obtain kernel crash
information, but there are situation where kdump doesn't work.
* In such situations problem determination is severely impeded.
* This patch set solves this by implementing dumps created in a way
that can only be decrypted by the owner of the guest image
and be used for problem determination.
[ Test Plan ]
* The setup of a Secure Execution environment is not trivial
and requires a certain set of hardware (IBM z15 or higher)
with FC 115).
* On top of the modification of qemu that are handled in this
LP bug, modifications of the Kernel (LP#1959940) and
the s390-tools (LP#1959965) are required on top.
* So at least a modified kernel and qemu test builds are needed
or both should be in -proposed at the same time (which might
be difficult).
A modified s390-tools is not urgently needed, since for the
verification of the kernel and qemu part a newer version
can be used (but a modified s390-tools is also available in PPA).
* A detailed description (using Ubuntu as example) on how to setup
secure execution is available here:
Introducing IBM Secure Execution for Linux, April 2024 update
https:/
* And information on 'Working with dumps of KVM guests in
IBM Secure Execution mode' is available here:
https:/
[ Where problems could occur ]
* Mainly dump code (dump/dump.c and include/
which may lead to broken or incorrect dumps,
also for non-secure-
* Modifications in the elf header header handling
as well as wrong hardware address and offset calculation can
(in worst case) lead to unusable files.
* Modification in dump state handling may cause issue generating
the dump itself.
* Modifications need to be endianess-aware, since this secure
execution dump is for s390x - if not dumps become useless.
* Functions for writing the header got modified (and split),
which may lead to wrong headers (if done erroneously).
* It's a big patch set in general, which may bring further unforeseen
effects, but it's worth to mention that the code is upstream accepted
since quite a while (qemu 7.2) and already included in Ubuntu
since 23.04 and successfully in use.
* On top the packages from the PPA test build were tested upfront.
[ Other Info ]
* Since 22.04 is a popular LTS release, it is already in use by many
secure execution customers.
But in case of severe crashes or issues in the secure execution
(KVM) guests dumps cannot be used as of today.
* This enables customers, IBM and Canonical to get support in case of
crashes/dumps on hardware that runs secure execution environments.
__________
KVM: Secure Execution guest dump encryption with customer keys - qemu part
Description:
Hypervisor-
Request Type: Package - Update Version
Upstream Acceptance: In Progress
Code Contribution: IBM code
Related branches
- git-ubuntu bot: Approve
- Christian Ehrhardt (community): Approve
- Canonical Server Reporter: Pending requested
-
Diff: 4746 lines (+4526/-0)36 files modifieddebian/changelog (+9/-0)
debian/patches/series (+34/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-01.patch (+409/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-02.patch (+165/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-03.patch (+125/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-04.patch (+58/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-05.patch (+127/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-06.patch (+107/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-07.patch (+158/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-08.patch (+83/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-09.patch (+56/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-10.patch (+46/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-11.patch (+130/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-12.patch (+91/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-13.patch (+176/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-14.patch (+62/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-15.patch (+162/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-16.patch (+57/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-17.patch (+64/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-18.patch (+162/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-19.patch (+139/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-20.patch (+93/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-21.patch (+34/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-22.patch (+344/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-23.patch (+456/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-24.patch (+76/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-25.patch (+102/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-26.patch (+29/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-27.patch (+160/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-28.patch (+113/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-29.patch (+431/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-30.patch (+39/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-31.patch (+76/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-32.patch (+37/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-33.patch (+51/-0)
debian/patches/ubuntu/lp1959966-kvm-secure-guest-exec-34.patch (+65/-0)
- git-ubuntu bot: Approve
- Andreas Hasenack: Approve
- Canonical Server Reporter: Pending requested
-
Diff: 6922 lines (+6313/-13)16 files modifieddebian/changelog (+4885/-3)
debian/control (+55/-8)
debian/control-in (+5/-2)
debian/patches/series (+6/-0)
debian/patches/ubuntu/define-ubuntu-machine-types.patch (+911/-0)
debian/patches/ubuntu/enable-svm-by-default.patch (+34/-0)
debian/patches/ubuntu/pre-bionic-256k-ipxe-efi-roms.patch (+62/-0)
debian/patches/ubuntu/qboot-Disable-LTO-for-ELF-binary-build-step.patch (+44/-0)
debian/qemu-block-extra.postinst (+59/-0)
debian/qemu-kvm-init (+89/-0)
debian/qemu-system-common.install (+1/-0)
debian/qemu-system-common.qemu-kvm.default (+8/-0)
debian/qemu-system-common.qemu-kvm.service (+16/-0)
debian/qemu-system-x86.NEWS (+80/-0)
debian/qemu-system-x86.README.Debian (+47/-0)
debian/rules (+11/-0)
CVE References
tags: | added: architecture-s39064 bugnameltc-196317 severity-high targetmilestone-inin2204 |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → linux (Ubuntu) |
affects: | linux (Ubuntu) → qemu (Ubuntu) |
Changed in ubuntu-z-systems: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
Changed in qemu (Ubuntu): | |
importance: | Undecided → High |
Changed in ubuntu-z-systems: | |
importance: | Undecided → High |
Changed in qemu (Ubuntu): | |
status: | New → Incomplete |
Changed in ubuntu-z-systems: | |
status: | New → Incomplete |
tags: | added: qemu-22.04 |
summary: |
- [22.04 FEAT] KVM: Secure Execution guest dump encryption with customer + [22.10 FEAT] KVM: Secure Execution guest dump encryption with customer keys - qemu part |
summary: |
- [22.10 FEAT] KVM: Secure Execution guest dump encryption with customer + [23.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - qemu part |
tags: |
added: qemu-23.04 removed: qemu-22.04 |
Changed in ubuntu-z-systems: | |
status: | Incomplete → New |
Changed in qemu (Ubuntu): | |
status: | Incomplete → New |
Changed in ubuntu-z-systems: | |
status: | New → Confirmed |
Changed in qemu (Ubuntu): | |
status: | New → Confirmed |
Changed in qemu (Ubuntu): | |
status: | Confirmed → In Progress |
Changed in ubuntu-z-systems: | |
status: | Confirmed → In Progress |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
information type: | Private → Public |
description: | updated |
Changed in qemu (Ubuntu Jammy): | |
status: | Triaged → In Progress |
description: | updated |
description: | updated |
------- Comment From <email address hidden> 2022-02-03 17:25 EDT-------
This also has an kernel and s390-tools part:
IBM BZ 196316 - LP#1959940 : [22.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - kernel part
IBM BZ 196318 - LP1#959965 : [22.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - s390-tools part