2022-04-08 06:19:28 |
bugproxy |
bug |
|
|
added bug |
2022-04-08 06:19:30 |
bugproxy |
tags |
|
architecture-s39064 bugnameltc-197550 severity-high targetmilestone-inin--- |
|
2022-04-08 06:19:31 |
bugproxy |
ubuntu: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2022-04-08 06:19:36 |
bugproxy |
affects |
ubuntu |
linux (Ubuntu) |
|
2022-04-08 06:31:30 |
Thomas Staudt |
bug |
|
|
added subscriber Frank Heimes |
2022-04-08 06:39:00 |
Frank Heimes |
affects |
linux (Ubuntu) |
s390-tools (Ubuntu) |
|
2022-04-08 06:40:04 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
2022-04-08 06:40:22 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2022-04-08 06:40:46 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
High |
|
2022-04-08 06:51:42 |
Frank Heimes |
nominated for series |
|
Ubuntu Jammy |
|
2022-04-08 06:51:42 |
Frank Heimes |
bug task added |
|
s390-tools (Ubuntu Jammy) |
|
2022-04-08 06:51:42 |
Frank Heimes |
nominated for series |
|
Ubuntu Impish |
|
2022-04-08 06:51:42 |
Frank Heimes |
bug task added |
|
s390-tools (Ubuntu Impish) |
|
2022-04-08 06:51:42 |
Frank Heimes |
nominated for series |
|
Ubuntu Focal |
|
2022-04-08 06:51:42 |
Frank Heimes |
bug task added |
|
s390-tools (Ubuntu Focal) |
|
2022-04-08 08:20:36 |
Frank Heimes |
bug task added |
|
s390-tools-signed (Ubuntu) |
|
2022-04-08 15:50:24 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools/+git/s390-tools/+merge/419052 |
|
2022-04-08 16:04:44 |
Frank Heimes |
attachment added |
|
s390-tools debdiff for LP#1968259 and LP#1968260 / jammy https://bugs.launchpad.net/ubuntu/+source/s390-tools-signed/+bug/1968260/+attachment/5578280/+files/debdiff_lp1968259+lp1968260_s390-tools_patch_jammy.patch |
|
2022-04-08 16:04:53 |
Frank Heimes |
s390-tools-signed (Ubuntu Jammy): status |
New |
In Progress |
|
2022-04-08 16:04:57 |
Frank Heimes |
s390-tools (Ubuntu Jammy): status |
New |
In Progress |
|
2022-04-08 16:20:14 |
Ubuntu Foundations Team Bug Bot |
tags |
architecture-s39064 bugnameltc-197550 severity-high targetmilestone-inin--- |
architecture-s39064 bugnameltc-197550 patch severity-high targetmilestone-inin--- |
|
2022-04-08 16:20:22 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2022-04-08 16:55:46 |
Frank Heimes |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools-signed/+git/s390-tools-signed/+merge/419135 |
|
2022-04-08 17:07:54 |
Frank Heimes |
attachment added |
|
s390-tools-signed debdiff for LP#1968259 and LP#1968260 https://bugs.launchpad.net/ubuntu/+source/s390-tools-signed/+bug/1968260/+attachment/5578285/+files/debdiff_lp1968259+lp1968260_s390-tools-signed_patch_jammy.patch |
|
2022-04-08 17:14:11 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-197550 patch severity-high targetmilestone-inin--- |
architecture-s39064 bugnameltc-197550 jammy severity-high targetmilestone-inin--- |
|
2022-04-11 10:32:58 |
Frank Heimes |
description |
== Comment: #0 - Viktor Mihajlovski <MIHAJLOV@de.ibm.com> - 2022-04-07 08:55:11 ==
DigiCert is the CA issuing the signing certificate for Secure Execution host key documents. This certificate is used for the verification of the host key document validity. Recently, DigiCert has changed the root CA certificate used for issuance of the signing certificates.
As genprotimg is checking the CA serial, the verification of the chain of trust will fail. As a workaround, it is possible to disable certificate verification, but this is not recommended because it makes it easier to provide a fake host key document.
Since the previously issued host key documents are expiring in April 2022, it is necessary to fix genprotimg to accept the newly issued host key documents.
Contact Information = Viktor Mihajlovski <mihajlov@de.ibm.com>
== Comment: #2 - Viktor Mihajlovski <MIHAJLOV@de.ibm.com> - 2022-04-07 08:57:47 ==
Fixed by:
https://github.com/ibm-s390-linux/s390-tools
commit 78b053326c504c0535b5ec1c244ad7bb5a1df29d
Author: Marc Hartmayer <mhartmay@linux.ibm.com>
Date: Thu Mar 31 14:00:31 2022 +0000
genprotimg: remove DigiCert root CA pinning |
SRU Justification:
==================
[Impact]
* DigiCert is the CA issuing the signing certificate for Secure Execution
host key documents. This certificate is used for the verification of the
host key document validity.
* Recently, DigiCert has changed the root CA certificate used for issuance
of the signing certificates.
* As genprotimg is checking the CA serial, the verification of the chain of
trust will fail.
* As a workaround, it is possible to disable certificate verification,
but this is of course not recommended, because it makes it easier to
provide a fake host key document.
* Since the previously issued host key documents are expiring in April 2022,
it is necessary to fix genprotimg to accept the newly issued host key
documents.
* The situation is now addressed by removing the DigiCert root CA pinning.
* The root CA used for the chain of trust can change in the future,
therefore it makes sense to remove this check.
* If someone wants to enforce the usage of a specific root CA, it can be
selected by the genprotimg command line option `--root-ca $CA`.
* Make it transparent to the user which root CA is actually being used by
printing the subject name of the root CA to stdout in verbose mode.
[Fix]
* 78b0533 78b053326c504c0535b5ec1c244ad7bb5a1df29d ("genprotimg: remove DigiCert root CA pinning")
[Test Plan]
* The usage of secure execution is nicely documented at the
'Introducing IBM Secure Execution for Linux' docs.
https://www.ibm.com/docs/en/linux-on-systems?topic=virtualization-introducing-secure-execution-linux
Relevant for this fix is paragraph 'Verifying the host key document'
https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document
* Especially notice the 'About this task' section that references the
check_hostkeydoc script to perform the verification steps.
+ Due to the fact that Secure Execution requires z15 as a minimal
hardware level, the testing is done by IBM.
* (Test can be done in combination with LP#1968259.)
[Where problems could occur]
* The removal of the DigiCert root CA pinning can (if not carefully done)
lead to wrong - in the worst case false positive - checks by genprotimg.
* The main code changes decouple the checks from DigiCert root (ca_skid)
and allow more general X509 certificates.
If not done thoroughly (pv_crypto_def.h, pv_args.c, pv_image.c,
crypto.h and crypto.c), issues will be caused while checking
certificates. Maybe not only new ones, but also old ones.
* Overall this is an s390x topic only, and even there only relevant for
Secure Execution (KVM) TEE environments.
[Other Info]
* Even if the LP bug title references focal only, this fix is also needed
for all newer Ubuntu releases - here: impish and jammy.
__________
== Comment: #0 - Viktor Mihajlovski <MIHAJLOV@de.ibm.com> - 2022-04-07 08:55:11 ==
DigiCert is the CA issuing the signing certificate for Secure Execution host key documents. This certificate is used for the verification of the host key document validity. Recently, DigiCert has changed the root CA certificate used for issuance of the signing certificates.
As genprotimg is checking the CA serial, the verification of the chain of trust will fail. As a workaround, it is possible to disable certificate verification, but this is not recommended because it makes it easier to provide a fake host key document.
Since the previously issued host key documents are expiring in April 2022, it is necessary to fix genprotimg to accept the newly issued host key documents.
Contact Information = Viktor Mihajlovski <mihajlov@de.ibm.com>
== Comment: #2 - Viktor Mihajlovski <MIHAJLOV@de.ibm.com> - 2022-04-07 08:57:47 ==
Fixed by:
https://github.com/ibm-s390-linux/s390-tools
commit 78b053326c504c0535b5ec1c244ad7bb5a1df29d
Author: Marc Hartmayer <mhartmay@linux.ibm.com>
Date: Thu Mar 31 14:00:31 2022 +0000
genprotimg: remove DigiCert root CA pinning |
|
2022-04-11 12:16:27 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools/+git/s390-tools/+merge/419200 |
|
2022-04-11 12:25:21 |
Frank Heimes |
attachment added |
|
s390-tools debdiff for LP#1968259 and LP#1968260 / impish https://bugs.launchpad.net/ubuntu/+source/s390-tools-signed/+bug/1968260/+attachment/5579319/+files/debdiff_lp1968259+lp1968260_s390-tools_sru_impish.patch |
|
2022-04-11 16:01:04 |
Frank Heimes |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools-signed/+git/s390-tools-signed/+merge/419218 |
|
2022-04-11 16:08:37 |
Frank Heimes |
attachment added |
|
s390-tools-signed debdiff for LP#1968259 and LP#1968259 / impish https://bugs.launchpad.net/ubuntu/+source/s390-tools-signed/+bug/1968260/+attachment/5579394/+files/debdiff_lp1968259+lp1968260_s390-tools-signed_sru_impish.patch |
|
2022-04-11 16:08:47 |
Frank Heimes |
s390-tools-signed (Ubuntu Impish): status |
New |
In Progress |
|
2022-04-11 16:08:51 |
Frank Heimes |
s390-tools (Ubuntu Impish): status |
New |
In Progress |
|
2022-04-12 07:01:01 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools/+git/s390-tools/+merge/419270 |
|
2022-04-12 07:10:47 |
Frank Heimes |
attachment added |
|
s390-tools debdiff for LP#1968260 / focal https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1968260/+attachment/5579755/+files/debdiff_lp1968260_s390-tools_sru_focal.patch |
|
2022-04-12 09:07:23 |
Frank Heimes |
merge proposal linked |
|
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools-signed/+git/s390-tools-signed/+merge/419283 |
|
2022-04-12 09:12:17 |
Frank Heimes |
attachment added |
|
s390-tools-signed debdiff for LP#1968260 / focal https://bugs.launchpad.net/ubuntu/+source/s390-tools-signed/+bug/1968260/+attachment/5579798/+files/debdiff_lp1968260_s390-tools-signed_sru_focal.patch |
|
2022-04-12 09:14:32 |
Frank Heimes |
s390-tools (Ubuntu Focal): status |
New |
In Progress |
|
2022-04-12 09:14:35 |
Frank Heimes |
s390-tools-signed (Ubuntu Focal): status |
New |
In Progress |
|
2022-04-12 09:14:39 |
Frank Heimes |
ubuntu-z-systems: status |
New |
In Progress |
|
2022-04-12 09:56:42 |
Graham Inggs |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2022-04-12 09:56:46 |
Graham Inggs |
s390-tools (Ubuntu Jammy): assignee |
Skipper Bug Screeners (skipper-screen-team) |
Graham Inggs (ginggs) |
|
2022-04-12 09:56:50 |
Graham Inggs |
s390-tools-signed (Ubuntu Jammy): assignee |
|
Graham Inggs (ginggs) |
|
2022-04-12 10:17:48 |
Graham Inggs |
s390-tools (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2022-04-12 10:17:56 |
Graham Inggs |
s390-tools-signed (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2022-04-13 09:54:50 |
Frank Heimes |
merge proposal unlinked |
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools-signed/+git/s390-tools-signed/+merge/419218 |
|
|
2022-04-13 09:55:33 |
Frank Heimes |
merge proposal unlinked |
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools/+git/s390-tools/+merge/419200 |
|
|
2022-04-13 09:55:53 |
Frank Heimes |
merge proposal unlinked |
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools-signed/+git/s390-tools-signed/+merge/419135 |
|
|
2022-04-13 09:56:17 |
Frank Heimes |
merge proposal unlinked |
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools/+git/s390-tools/+merge/419052 |
|
|
2022-04-13 10:02:49 |
Frank Heimes |
attachment removed |
s390-tools-signed debdiff for LP#1968259 and LP#1968260 https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1968260/+attachment/5578285/+files/debdiff_lp1968259+lp1968260_s390-tools-signed_patch_jammy.patch |
|
|
2022-04-13 10:03:05 |
Frank Heimes |
attachment removed |
s390-tools-signed debdiff for LP#1968259 and LP#1968259 / impish https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1968260/+attachment/5579394/+files/debdiff_lp1968259+lp1968260_s390-tools-signed_sru_impish.patch |
|
|
2022-04-13 10:03:19 |
Frank Heimes |
attachment removed |
s390-tools-signed debdiff for LP#1968260 / focal https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1968260/+attachment/5579798/+files/debdiff_lp1968260_s390-tools-signed_sru_focal.patch |
|
|
2022-04-13 10:03:32 |
Frank Heimes |
merge proposal unlinked |
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools-signed/+git/s390-tools-signed/+merge/419283 |
|
|
2022-04-13 10:03:54 |
Frank Heimes |
merge proposal unlinked |
https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools/+git/s390-tools/+merge/419270 |
|
|
2022-04-13 10:05:06 |
Frank Heimes |
attachment added |
|
debdiff_s390-tools-signed_2.20-0ubuntu1_to_2.20-0ubuntu2 https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1968260/+attachment/5580380/+files/debdiff_s390-tools-signed_2.20-0ubuntu1_to_2.20-0ubuntu2.diff |
|
2022-04-13 10:05:47 |
Frank Heimes |
attachment added |
|
debdiff_s390-tools-signed_2.17.0-0ubuntu2_to_2.17.0-0ubuntu2.1 https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1968260/+attachment/5580381/+files/debdiff_s390-tools-signed_2.17.0-0ubuntu2_to_2.17.0-0ubuntu2.1.diff |
|
2022-04-13 10:07:35 |
Frank Heimes |
attachment added |
|
debdiff_s390-tools-signed_2.12.0-0ubuntu3.4_to_2.12.0-0ubuntu3.5 https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1968260/+attachment/5580382/+files/debdiff_s390-tools-signed_2.12.0-0ubuntu3.4_to_2.12.0-0ubuntu3.5.diff |
|
2022-04-13 10:10:17 |
bugproxy |
attachment added |
|
s390-tools-signed debdiff for LP#1968259 and LP#1968260 https://bugs.launchpad.net/bugs/1968260/+attachment/5580386/+files/debdiff_lp1968259+lp1968260_s390-tools-signed_patch_jammy.patch |
|
2022-04-13 10:10:19 |
bugproxy |
attachment added |
|
s390-tools-signed debdiff for LP#1968259 and LP#1968259 / impish https://bugs.launchpad.net/bugs/1968260/+attachment/5580387/+files/debdiff_lp1968259+lp1968260_s390-tools-signed_sru_impish.patch |
|
2022-04-13 10:10:21 |
bugproxy |
attachment added |
|
s390-tools-signed debdiff for LP#1968260 / focal https://bugs.launchpad.net/bugs/1968260/+attachment/5580388/+files/debdiff_lp1968260_s390-tools-signed_sru_focal.patch |
|
2022-04-13 15:36:09 |
Launchpad Janitor |
s390-tools (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2022-05-03 06:04:34 |
Frank Heimes |
s390-tools-signed (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2022-05-03 16:42:03 |
Graham Inggs |
s390-tools (Ubuntu Focal): assignee |
|
Graham Inggs (ginggs) |
|
2022-05-03 16:42:05 |
Graham Inggs |
s390-tools (Ubuntu Impish): assignee |
|
Graham Inggs (ginggs) |
|
2022-05-03 16:42:07 |
Graham Inggs |
s390-tools-signed (Ubuntu Focal): assignee |
|
Graham Inggs (ginggs) |
|
2022-05-03 16:42:09 |
Graham Inggs |
s390-tools-signed (Ubuntu Impish): assignee |
|
Graham Inggs (ginggs) |
|
2022-05-06 19:27:17 |
Steve Langasek |
s390-tools (Ubuntu Impish): status |
In Progress |
Fix Committed |
|
2022-05-06 19:27:20 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-05-06 19:27:23 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
2022-05-06 19:27:26 |
Steve Langasek |
tags |
architecture-s39064 bugnameltc-197550 jammy severity-high targetmilestone-inin--- |
architecture-s39064 bugnameltc-197550 jammy severity-high targetmilestone-inin--- verification-needed verification-needed-impish |
|
2022-05-06 19:41:45 |
Steve Langasek |
s390-tools (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2022-05-06 19:41:49 |
Steve Langasek |
s390-tools-signed (Ubuntu Impish): status |
In Progress |
Fix Committed |
|
2022-05-06 19:41:52 |
Steve Langasek |
tags |
architecture-s39064 bugnameltc-197550 jammy severity-high targetmilestone-inin--- verification-needed verification-needed-impish |
architecture-s39064 bugnameltc-197550 jammy severity-high targetmilestone-inin--- verification-needed verification-needed-focal verification-needed-impish |
|
2022-05-06 19:43:34 |
Steve Langasek |
s390-tools-signed (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2022-05-09 17:54:16 |
Frank Heimes |
ubuntu-z-systems: status |
In Progress |
Fix Committed |
|
2022-05-11 16:48:47 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-197550 jammy severity-high targetmilestone-inin--- verification-needed verification-needed-focal verification-needed-impish |
architecture-s39064 bugnameltc-197550 jammy severity-high targetmilestone-inin--- verification-done-focal verification-done-impish verification-needed |
|
2022-05-17 08:56:06 |
Launchpad Janitor |
s390-tools (Ubuntu Impish): status |
Fix Committed |
Fix Released |
|
2022-05-17 08:56:20 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2022-05-17 09:02:46 |
Launchpad Janitor |
s390-tools (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2022-05-17 09:35:36 |
Frank Heimes |
ubuntu-z-systems: status |
Fix Committed |
Fix Released |
|
2022-05-17 09:37:24 |
Frank Heimes |
s390-tools-signed (Ubuntu): status |
Fix Committed |
Fix Released |
|
2022-05-17 09:37:27 |
Frank Heimes |
s390-tools-signed (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2022-05-17 09:37:29 |
Frank Heimes |
s390-tools-signed (Ubuntu Impish): status |
Fix Committed |
Fix Released |
|
2022-05-19 01:30:02 |
bugproxy |
tags |
architecture-s39064 bugnameltc-197550 jammy severity-high targetmilestone-inin--- verification-done-focal verification-done-impish verification-needed |
architecture-s39064 bugnameltc-197550 jammy severity-high targetmilestone-inin2004 verification-done-focal verification-done-impish verification-needed |
|