2022-04-08 06:19:18 |
bugproxy |
bug |
|
|
added bug |
2022-04-08 06:19:20 |
bugproxy |
tags |
|
architecture-all bugnameltc-197551 severity-high targetmilestone-inin--- |
|
2022-04-08 06:19:21 |
bugproxy |
ubuntu: assignee |
|
Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) |
|
2022-04-08 06:19:24 |
bugproxy |
affects |
ubuntu |
linux (Ubuntu) |
|
2022-04-08 06:34:04 |
Thomas Staudt |
bug |
|
|
added subscriber Frank Heimes |
2022-04-08 06:38:48 |
Frank Heimes |
affects |
linux (Ubuntu) |
s390-tools (Ubuntu) |
|
2022-04-08 06:39:35 |
Frank Heimes |
s390-tools (Ubuntu): assignee |
Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) |
Skipper Bug Screeners (skipper-screen-team) |
|
2022-04-08 06:39:54 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
2022-04-08 06:40:34 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2022-04-08 06:40:42 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
High |
|
2022-04-08 06:56:30 |
Frank Heimes |
nominated for series |
|
Ubuntu Focal |
|
2022-04-08 06:56:30 |
Frank Heimes |
bug task added |
|
s390-tools (Ubuntu Focal) |
|
2022-04-08 06:56:30 |
Frank Heimes |
nominated for series |
|
Ubuntu Impish |
|
2022-04-08 06:56:30 |
Frank Heimes |
bug task added |
|
s390-tools (Ubuntu Impish) |
|
2022-04-08 06:56:30 |
Frank Heimes |
nominated for series |
|
Ubuntu Jammy |
|
2022-04-08 06:56:30 |
Frank Heimes |
bug task added |
|
s390-tools (Ubuntu Jammy) |
|
2022-04-08 07:05:17 |
Frank Heimes |
summary |
[UBUNTU 22.04] check_hostkeydoc is checking the certificate issuer too strictly (s390-tools) |
[UBUNTU 20.04] check_hostkeydoc is checking the certificate issuer too strictly (s390-tools) |
|
2022-04-08 08:20:15 |
Frank Heimes |
bug task added |
|
s390-tools-signed (Ubuntu) |
|
2022-04-08 15:50:24 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools/+git/s390-tools/+merge/419052 |
|
2022-04-08 16:02:23 |
Frank Heimes |
attachment added |
|
s390-tools debdiff for LP#1968259 and LP#1968260 / jammy https://bugs.launchpad.net/ubuntu/+source/s390-tools-signed/+bug/1968259/+attachment/5578279/+files/debdiff_lp1968259+lp1968260_s390-tools_patch_jammy.patch |
|
2022-04-08 16:02:42 |
Frank Heimes |
s390-tools-signed (Ubuntu Jammy): status |
New |
In Progress |
|
2022-04-08 16:02:47 |
Frank Heimes |
s390-tools (Ubuntu Jammy): status |
New |
In Progress |
|
2022-04-08 16:20:03 |
Ubuntu Foundations Team Bug Bot |
tags |
architecture-all bugnameltc-197551 severity-high targetmilestone-inin--- |
architecture-all bugnameltc-197551 patch severity-high targetmilestone-inin--- |
|
2022-04-08 16:20:10 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2022-04-08 16:55:35 |
Frank Heimes |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools-signed/+git/s390-tools-signed/+merge/419135 |
|
2022-04-08 17:06:10 |
Frank Heimes |
attachment added |
|
s390-tools-signed debdiff for LP#1968259 and LP#1968260 / jammy https://bugs.launchpad.net/ubuntu/+source/s390-tools-signed/+bug/1968259/+attachment/5578284/+files/debdiff_lp1968259+lp1968260_s390-tools-signed_patch_jammy.patch |
|
2022-04-08 17:14:20 |
Frank Heimes |
tags |
architecture-all bugnameltc-197551 patch severity-high targetmilestone-inin--- |
architecture-all bugnameltc-197551 jammy severity-high targetmilestone-inin--- |
|
2022-04-11 09:35:36 |
Frank Heimes |
description |
== Comment: #0 - Viktor Mihajlovski <MIHAJLOV@de.ibm.com> - 2022-04-07 09:16:49 ==
The s390-tools script check_hostkeydoc can be used to perform the verification of the chain of trust for Secure Execution host key documents.
The certificate verification is however too strict and doesn't match the checking performed by genprotimg.
Affected is the OU field in the issuer DN of the host key document. As a consequence, verification failures will occur for host key documents issued for newer hardware generations like IBM z16.
== Comment: #1 - Viktor Mihajlovski <MIHAJLOV@de.ibm.com> - 2022-04-07 09:18:08 ==
Fixed by:
https://github.com/ibm-s390-linux/s390-tools
commit 673ff375d939d3cde674f8f99a62d456f8b1673d
Author: Viktor Mihajlovski <mihajlov@linux.ibm.com>
Date: Tue Mar 15 12:55:02 2022 +0100
genprotimg/check_hostkeydoc: relax default issuer check |
SRU Justification:
==================
[Impact]
* The s390-tools script check_hostkeydoc can be used to perform the
verification of the chain of trust for Secure Execution host key documents.
* The certificate verification is however too strict and doesn't match the
checking performed by the genprotimg tool.
* Affected is the OU field in the issuer DN of the host key document.
As a consequence, verification failures will occur for host key documents
issued for newer hardware generations like IBM z16.
* While the original default issuer's organizationalUnitName (OU)
was defined as "IBM Z Host Key Signing Service", any OU ending
with "Key Signing Service" is considered legal by this fix/commit.
* So the default issuer check got relaxed by stripping off characters
preceding "Key Signing Service".
[Fix]
* 673ff37 673ff375d939d3cde674f8f99a62d456f8b1673d ("genprotimg/check_hostkeydoc: relax default issuer check")
[Test Plan]
* The usage of secure execution is nicely documented at the
'Introducing IBM Secure Execution for Linux' docs.
https://www.ibm.com/docs/en/linux-on-systems?topic=virtualization-introducing-secure-execution-linux
Relevant for this fix is paragraph 'Verifying the host key document'
https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document
* Especially notice the 'About this task' section that references the
check_hostkeydoc script to perform the verification steps.
+ Due to the fact that Secure Execution requires z15 as a minimal
hardware level, the testing is done by IBM.
[Where problems could occur]
* Problem can occur in the check_hostkeydoc helper script only.
* The script can become broken altogether and may refuse to properly verify
even valid signed keys.
* The sed statement in the script might be wrong and cut out a wrong
organizationalUnitName.
* And since this is a helper script and the verification can also be done
without this script, the risk is not too high.
* A verification can be done with check_hostkeydoc and with the manual
steps (with a valid and invalid signed key) to validate equal results.
* The modifications are relatively straightforward:
https://github.com/ibm-s390-linux/s390-tools/commit/673ff375d939d3cde674f8f99a62d456f8b1673d
* And overall this is an s390x topic only, and even there only relevant for
Secure Execution (KVM) TEE environments only.
[Other Info]
* Even if the LP bug title references focal only, this fix is also needed
for all newer Ubuntu releases - here: impish and jammy.
__________
== Comment: #0 - Viktor Mihajlovski <MIHAJLOV@de.ibm.com> - 2022-04-07 09:16:49 ==
The s390-tools script check_hostkeydoc can be used to perform the verification of the chain of trust for Secure Execution host key documents.
The certificate verification is however too strict and doesn't match the checking performed by genprotimg.
Affected is the OU field in the issuer DN of the host key document. As a consequence, verification failures will occur for host key documents issued for newer hardware generations like IBM z16.
== Comment: #1 - Viktor Mihajlovski <MIHAJLOV@de.ibm.com> - 2022-04-07 09:18:08 ==
Fixed by:
https://github.com/ibm-s390-linux/s390-tools
commit 673ff375d939d3cde674f8f99a62d456f8b1673d
Author: Viktor Mihajlovski <mihajlov@linux.ibm.com>
Date: Tue Mar 15 12:55:02 2022 +0100
genprotimg/check_hostkeydoc: relax default issuer check |
|
2022-04-11 12:16:27 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools/+git/s390-tools/+merge/419200 |
|
2022-04-11 12:24:25 |
Frank Heimes |
attachment added |
|
s390-tools debdiff for LP#1968259 and LP#1968260 / impish https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1968259/+attachment/5579318/+files/debdiff_lp1968259+lp1968260_s390-tools_sru_impish.patch |
|
2022-04-11 16:00:53 |
Frank Heimes |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools-signed/+git/s390-tools-signed/+merge/419218 |
|
2022-04-11 16:07:38 |
Frank Heimes |
attachment added |
|
s390-tools-signed debdiff for LP#1968259 and LP#1968259 / impish https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1968259/+attachment/5579393/+files/debdiff_lp1968259+lp1968260_s390-tools-signed_sru_impish.patch |
|
2022-04-11 16:07:56 |
Frank Heimes |
s390-tools-signed (Ubuntu Impish): status |
New |
In Progress |
|
2022-04-11 16:08:01 |
Frank Heimes |
s390-tools (Ubuntu Impish): status |
New |
In Progress |
|
2022-04-12 07:15:27 |
Frank Heimes |
bug task deleted |
s390-tools (Ubuntu Focal) |
|
|
2022-04-12 07:15:34 |
Frank Heimes |
bug task deleted |
s390-tools-signed (Ubuntu Focal) |
|
|
2022-04-12 07:16:03 |
Frank Heimes |
summary |
[UBUNTU 20.04] check_hostkeydoc is checking the certificate issuer too strictly (s390-tools) |
[UBUNTU 21.10 / 22.04] check_hostkeydoc is checking the certificate issuer too strictly (s390-tools) |
|
2022-04-12 07:17:19 |
Frank Heimes |
description |
SRU Justification:
==================
[Impact]
* The s390-tools script check_hostkeydoc can be used to perform the
verification of the chain of trust for Secure Execution host key documents.
* The certificate verification is however too strict and doesn't match the
checking performed by the genprotimg tool.
* Affected is the OU field in the issuer DN of the host key document.
As a consequence, verification failures will occur for host key documents
issued for newer hardware generations like IBM z16.
* While the original default issuer's organizationalUnitName (OU)
was defined as "IBM Z Host Key Signing Service", any OU ending
with "Key Signing Service" is considered legal by this fix/commit.
* So the default issuer check got relaxed by stripping off characters
preceding "Key Signing Service".
[Fix]
* 673ff37 673ff375d939d3cde674f8f99a62d456f8b1673d ("genprotimg/check_hostkeydoc: relax default issuer check")
[Test Plan]
* The usage of secure execution is nicely documented at the
'Introducing IBM Secure Execution for Linux' docs.
https://www.ibm.com/docs/en/linux-on-systems?topic=virtualization-introducing-secure-execution-linux
Relevant for this fix is paragraph 'Verifying the host key document'
https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document
* Especially notice the 'About this task' section that references the
check_hostkeydoc script to perform the verification steps.
+ Due to the fact that Secure Execution requires z15 as a minimal
hardware level, the testing is done by IBM.
[Where problems could occur]
* Problem can occur in the check_hostkeydoc helper script only.
* The script can become broken altogether and may refuse to properly verify
even valid signed keys.
* The sed statement in the script might be wrong and cut out a wrong
organizationalUnitName.
* And since this is a helper script and the verification can also be done
without this script, the risk is not too high.
* A verification can be done with check_hostkeydoc and with the manual
steps (with a valid and invalid signed key) to validate equal results.
* The modifications are relatively straightforward:
https://github.com/ibm-s390-linux/s390-tools/commit/673ff375d939d3cde674f8f99a62d456f8b1673d
* And overall this is an s390x topic only, and even there only relevant for
Secure Execution (KVM) TEE environments only.
[Other Info]
* Even if the LP bug title references focal only, this fix is also needed
for all newer Ubuntu releases - here: impish and jammy.
__________
== Comment: #0 - Viktor Mihajlovski <MIHAJLOV@de.ibm.com> - 2022-04-07 09:16:49 ==
The s390-tools script check_hostkeydoc can be used to perform the verification of the chain of trust for Secure Execution host key documents.
The certificate verification is however too strict and doesn't match the checking performed by genprotimg.
Affected is the OU field in the issuer DN of the host key document. As a consequence, verification failures will occur for host key documents issued for newer hardware generations like IBM z16.
== Comment: #1 - Viktor Mihajlovski <MIHAJLOV@de.ibm.com> - 2022-04-07 09:18:08 ==
Fixed by:
https://github.com/ibm-s390-linux/s390-tools
commit 673ff375d939d3cde674f8f99a62d456f8b1673d
Author: Viktor Mihajlovski <mihajlov@linux.ibm.com>
Date: Tue Mar 15 12:55:02 2022 +0100
genprotimg/check_hostkeydoc: relax default issuer check |
SRU Justification:
==================
[Impact]
* The s390-tools script check_hostkeydoc can be used to perform the
verification of the chain of trust for Secure Execution host key documents.
* The certificate verification is however too strict and doesn't match the
checking performed by the genprotimg tool.
* Affected is the OU field in the issuer DN of the host key document.
As a consequence, verification failures will occur for host key documents
issued for newer hardware generations like IBM z16.
* While the original default issuer's organizationalUnitName (OU)
was defined as "IBM Z Host Key Signing Service", any OU ending
with "Key Signing Service" is considered legal by this fix/commit.
* So the default issuer check got relaxed by stripping off characters
preceding "Key Signing Service".
[Fix]
* 673ff37 673ff375d939d3cde674f8f99a62d456f8b1673d ("genprotimg/check_hostkeydoc: relax default issuer check")
[Test Plan]
* The usage of secure execution is nicely documented at the
'Introducing IBM Secure Execution for Linux' docs.
https://www.ibm.com/docs/en/linux-on-systems?topic=virtualization-introducing-secure-execution-linux
Relevant for this fix is paragraph 'Verifying the host key document'
https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document
* Especially notice the 'About this task' section that references the
check_hostkeydoc script to perform the verification steps.
+ Due to the fact that Secure Execution requires z15 as a minimal
hardware level, the testing is done by IBM.
[Where problems could occur]
* Problem can occur in the check_hostkeydoc helper script only.
* The script can become broken altogether and may refuse to properly verify
even valid signed keys.
* The sed statement in the script might be wrong and cut out a wrong
organizationalUnitName.
* And since this is a helper script and the verification can also be done
without this script, the risk is not too high.
* A verification can be done with check_hostkeydoc and with the manual
steps (with a valid and invalid signed key) to validate equal results.
* The modifications are relatively straightforward:
https://github.com/ibm-s390-linux/s390-tools/commit/673ff375d939d3cde674f8f99a62d456f8b1673d
* And overall this is an s390x topic only, and even there only relevant for
Secure Execution (KVM) TEE environments only.
[Other Info]
* This does not affect focal (like initially indicated),
since focal's s390-tools version does not include the
check_hostkeydoc file.
__________
== Comment: #0 - Viktor Mihajlovski <MIHAJLOV@de.ibm.com> - 2022-04-07 09:16:49 ==
The s390-tools script check_hostkeydoc can be used to perform the verification of the chain of trust for Secure Execution host key documents.
The certificate verification is however too strict and doesn't match the checking performed by genprotimg.
Affected is the OU field in the issuer DN of the host key document. As a consequence, verification failures will occur for host key documents issued for newer hardware generations like IBM z16.
== Comment: #1 - Viktor Mihajlovski <MIHAJLOV@de.ibm.com> - 2022-04-07 09:18:08 ==
Fixed by:
https://github.com/ibm-s390-linux/s390-tools
commit 673ff375d939d3cde674f8f99a62d456f8b1673d
Author: Viktor Mihajlovski <mihajlov@linux.ibm.com>
Date: Tue Mar 15 12:55:02 2022 +0100
genprotimg/check_hostkeydoc: relax default issuer check |
|
2022-04-12 09:14:54 |
Frank Heimes |
ubuntu-z-systems: status |
New |
In Progress |
|
2022-04-12 09:50:53 |
Graham Inggs |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2022-04-12 09:50:56 |
Graham Inggs |
s390-tools (Ubuntu Jammy): assignee |
Skipper Bug Screeners (skipper-screen-team) |
Graham Inggs (ginggs) |
|
2022-04-12 09:51:01 |
Graham Inggs |
s390-tools-signed (Ubuntu Jammy): assignee |
|
Graham Inggs (ginggs) |
|
2022-04-12 10:18:12 |
Graham Inggs |
s390-tools (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2022-04-12 10:18:16 |
Graham Inggs |
s390-tools-signed (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2022-04-13 09:54:50 |
Frank Heimes |
merge proposal unlinked |
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools-signed/+git/s390-tools-signed/+merge/419218 |
|
|
2022-04-13 09:55:33 |
Frank Heimes |
merge proposal unlinked |
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools/+git/s390-tools/+merge/419200 |
|
|
2022-04-13 09:55:53 |
Frank Heimes |
merge proposal unlinked |
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools-signed/+git/s390-tools-signed/+merge/419135 |
|
|
2022-04-13 09:56:17 |
Frank Heimes |
merge proposal unlinked |
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools/+git/s390-tools/+merge/419052 |
|
|
2022-04-13 09:58:12 |
Frank Heimes |
attachment removed |
s390-tools-signed debdiff for LP#1968259 and LP#1968260 / jammy https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1968259/+attachment/5578284/+files/debdiff_lp1968259+lp1968260_s390-tools-signed_patch_jammy.patch |
|
|
2022-04-13 09:58:46 |
Frank Heimes |
attachment removed |
s390-tools-signed debdiff for LP#1968259 and LP#1968259 / impish https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1968259/+attachment/5579393/+files/debdiff_lp1968259+lp1968260_s390-tools-signed_sru_impish.patch |
|
|
2022-04-13 10:01:04 |
Frank Heimes |
attachment added |
|
debdiff_s390-tools-signed_2.20-0ubuntu1_to_2.20-0ubuntu2 https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1968259/+attachment/5580378/+files/debdiff_s390-tools-signed_2.20-0ubuntu1_to_2.20-0ubuntu2.diff |
|
2022-04-13 10:02:12 |
Frank Heimes |
attachment added |
|
debdiff_s390-tools-signed_2.17.0-0ubuntu2_to_2.17.0-0ubuntu2.1 https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1968259/+attachment/5580379/+files/debdiff_s390-tools-signed_2.17.0-0ubuntu2_to_2.17.0-0ubuntu2.1.diff |
|
2022-04-13 10:09:16 |
bugproxy |
attachment added |
|
s390-tools-signed debdiff for LP#1968259 and LP#1968260 / jammy https://bugs.launchpad.net/bugs/1968259/+attachment/5580383/+files/debdiff_lp1968259+lp1968260_s390-tools-signed_patch_jammy.patch |
|
2022-04-13 10:09:18 |
bugproxy |
attachment added |
|
s390-tools-signed debdiff for LP#1968259 and LP#1968259 / impish https://bugs.launchpad.net/bugs/1968259/+attachment/5580384/+files/debdiff_lp1968259+lp1968260_s390-tools-signed_sru_impish.patch |
|
2022-04-13 15:36:09 |
Launchpad Janitor |
s390-tools (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2022-05-03 06:04:04 |
Frank Heimes |
s390-tools-signed (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2022-05-03 16:41:52 |
Graham Inggs |
s390-tools (Ubuntu Impish): assignee |
|
Graham Inggs (ginggs) |
|
2022-05-03 16:41:55 |
Graham Inggs |
s390-tools-signed (Ubuntu Impish): assignee |
|
Graham Inggs (ginggs) |
|
2022-05-06 19:27:02 |
Steve Langasek |
s390-tools (Ubuntu Impish): status |
In Progress |
Fix Committed |
|
2022-05-06 19:27:05 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-05-06 19:27:08 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
2022-05-06 19:27:11 |
Steve Langasek |
tags |
architecture-all bugnameltc-197551 jammy severity-high targetmilestone-inin--- |
architecture-all bugnameltc-197551 jammy severity-high targetmilestone-inin--- verification-needed verification-needed-impish |
|
2022-05-09 08:50:04 |
bugproxy |
tags |
architecture-all bugnameltc-197551 jammy severity-high targetmilestone-inin--- verification-needed verification-needed-impish |
architecture-all bugnameltc-197551 jammy severity-high targetmilestone-inin--- verification-done-impish verification-needed |
|
2022-05-09 17:54:28 |
Frank Heimes |
ubuntu-z-systems: status |
In Progress |
Fix Committed |
|
2022-05-09 17:54:36 |
Frank Heimes |
s390-tools-signed (Ubuntu Impish): status |
In Progress |
Fix Committed |
|
2022-05-11 14:20:03 |
bugproxy |
tags |
architecture-all bugnameltc-197551 jammy severity-high targetmilestone-inin--- verification-done-impish verification-needed |
architecture-all bugnameltc-197551 jammy severity-high targetmilestone-inin2004 verification-done-impish verification-needed |
|
2022-05-17 08:56:06 |
Launchpad Janitor |
s390-tools (Ubuntu Impish): status |
Fix Committed |
Fix Released |
|
2022-05-17 08:56:18 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2022-05-17 09:37:02 |
Frank Heimes |
ubuntu-z-systems: status |
Fix Committed |
Fix Released |
|
2022-05-17 09:37:15 |
Frank Heimes |
s390-tools-signed (Ubuntu Impish): status |
Fix Committed |
Fix Released |
|
2022-05-17 09:37:18 |
Frank Heimes |
s390-tools-signed (Ubuntu): status |
Fix Committed |
Fix Released |
|