2024-03-27 18:30:02 |
bugproxy |
bug |
|
|
added bug |
2024-03-27 18:30:03 |
bugproxy |
tags |
|
architecture-s39064 bugnameltc-205928 severity-critical targetmilestone-inin--- |
|
2024-03-27 18:30:04 |
bugproxy |
ubuntu: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2024-03-27 18:30:08 |
bugproxy |
affects |
ubuntu |
linux (Ubuntu) |
|
2024-04-02 08:33:23 |
Frank Heimes |
affects |
linux (Ubuntu) |
s390-tools (Ubuntu) |
|
2024-04-02 08:33:44 |
Frank Heimes |
bug task added |
|
s390-tools-signed (Ubuntu) |
|
2024-04-02 08:33:56 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
2024-04-02 08:34:11 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2024-04-02 08:34:32 |
Frank Heimes |
s390-tools (Ubuntu): assignee |
Skipper Bug Screeners (skipper-screen-team) |
|
|
2024-04-02 08:34:41 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
Critical |
|
2024-04-02 08:35:27 |
Frank Heimes |
information type |
Public |
Public Security |
|
2024-04-02 09:24:20 |
Frank Heimes |
nominated for series |
|
Ubuntu Mantic |
|
2024-04-02 09:24:20 |
Frank Heimes |
bug task added |
|
s390-tools (Ubuntu Mantic) |
|
2024-04-02 09:24:20 |
Frank Heimes |
bug task added |
|
s390-tools-signed (Ubuntu Mantic) |
|
2024-04-02 09:24:20 |
Frank Heimes |
nominated for series |
|
Ubuntu Focal |
|
2024-04-02 09:24:20 |
Frank Heimes |
bug task added |
|
s390-tools (Ubuntu Focal) |
|
2024-04-02 09:24:20 |
Frank Heimes |
bug task added |
|
s390-tools-signed (Ubuntu Focal) |
|
2024-04-02 09:24:20 |
Frank Heimes |
nominated for series |
|
Ubuntu Noble |
|
2024-04-02 09:24:20 |
Frank Heimes |
bug task added |
|
s390-tools (Ubuntu Noble) |
|
2024-04-02 09:24:20 |
Frank Heimes |
bug task added |
|
s390-tools-signed (Ubuntu Noble) |
|
2024-04-02 09:24:20 |
Frank Heimes |
nominated for series |
|
Ubuntu Jammy |
|
2024-04-02 09:24:20 |
Frank Heimes |
bug task added |
|
s390-tools (Ubuntu Jammy) |
|
2024-04-02 09:24:20 |
Frank Heimes |
bug task added |
|
s390-tools-signed (Ubuntu Jammy) |
|
2024-04-02 17:19:48 |
Frank Heimes |
attachment added |
|
debdiffs.tgz https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/2059303/+attachment/5761332/+files/debdiffs.tgz |
|
2024-04-02 17:20:11 |
Frank Heimes |
s390-tools (Ubuntu Noble): assignee |
|
Frank Heimes (fheimes) |
|
2024-04-02 17:20:29 |
Frank Heimes |
s390-tools-signed (Ubuntu Noble): assignee |
|
Frank Heimes (fheimes) |
|
2024-04-02 17:20:43 |
Frank Heimes |
s390-tools (Ubuntu Noble): status |
New |
In Progress |
|
2024-04-02 17:20:57 |
Frank Heimes |
s390-tools-signed (Ubuntu Noble): status |
New |
In Progress |
|
2024-04-02 17:21:27 |
Frank Heimes |
s390-tools-signed (Ubuntu Noble): importance |
Undecided |
High |
|
2024-04-02 17:21:39 |
Frank Heimes |
s390-tools (Ubuntu Noble): importance |
Undecided |
High |
|
2024-04-02 17:22:09 |
Frank Heimes |
bug |
|
|
added subscriber Ubuntu Sponsors |
2024-04-03 15:17:22 |
Frank Heimes |
description |
Description: SE-tooling: New IBM host-key subject locality
Symptom:
On April 24 (z15) / March 29 (z16) user will notice that the
tooling for Secure execution will no longer detect that the provided
IBM signing key for that generation is a valid IBM signing key. The
error message will contain "no IBM signing key found" or similar. The
respective tool will reject creating an encrypted request/image as it
could not verify the host-key for its validity. This affects
genprotimg, pvattest, and pvsecret.
Problem:
The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject
locality' and 'Armonk' is used. The SE tooling checks, beside other
things, for the subject in the IBM signing key. If the subject is not
the expected one, the certificate is not recognized as a valid IBM
signing key. With no valid IBM signing key, the host-key verification
cannot succeed and users cannot build trustable SE images and
attestation or add-secret requests.
Solution:
Mitigations are available upstream. The fixes allow Armonk as
additional locality in the subject and allow potential mismatches in
the locality of revocation list or host-key issuer subject that may
still contain Poughkeepsie instead of Armonk.
Reproduction: Use a new IBM signing key in the unpatched tooling.
The fix is required due to the circumstances described here:
https://www.ibm.com/docs/en/linux-on-systems?topic=systems-whats-new#iplsdkwhatsnew__title__2
This is required for all Ubuntu releases in service that support secure execution.
Therefore, Ubuntu 20.04 LTS (focal) and above are affected and need to be fixed. |
SRU Justification:
[ Impact ]
* Symptom:
* There is an issue with the Secure Execution (SE) tooling,
especially the new IBM host-key subject locality,
that leads to the fact that on April 24 (z15) / March 29 (z16)
users will notice that the tooling for Secure execution will no
longer detect that the provided IBM signing key for that generation
is a valid IBM signing key.
* The error message will contain "no IBM signing key found" or similar.
The respective tool will reject creating an encrypted request/image
as it could not verify the host-key for its validity.
* This affects the genprotimg, pvattest, and pvsecret tools.
(Please notice that these tools got introduced over time with different
s390-tools versions that belong to different Ubuntu releases).
* Problem:
* The new IBM signing keys no longer contain 'Poughkeepsie' as
'subject locality' and 'Armonk' is used.
* The SE tooling checks, beside other things, for the subject in the
IBM signing key.
* If the subject is not the expected one, the certificate is not
recognized as a valid IBM signing key.
And without a valid IBM signing key, the host-key verification
cannot succeed and users cannot build trustable SE images and
attestation or add-secret requests.
* Solution:
* Mitigations are available upstream.
* The fixes allow Armonk as additional locality in the subject
and allow potential mismatches in the locality of revocation list
or host-key issuer subject that may still contain Poughkeepsie
instead of Armonk.
[ Test Plan ]
* <detailed instructions how to reproduce the bug>
* The testing is required for all three affected tools:
genprotimg, pvattest, and pvsecret
* Without the fixed code, but with the new IBM signing keys
(that have 'Armonk' as 'subject locality'), users will get a msgs like:
"no IBM signing key found"
and the validation will fail.
* With the patches included, the validation will succeed.
[ Where problems could occur ]
* The tools genprotimg, pvattest, and pvsecret tools are affected.
Since they got introduced over time with different s390-tools versions
that belong to different Ubuntu releases, it's important to figure out the
commits/patches that are required for each release.
* The refactoring commit f6c6f0cc712433221fb0588c754e0d09884453dd
("rust/pv/test: Code + Certificate refactoring") is needed
for noble and mantic, but needs several adjustments due to context changes.
The code could be negatively affected and the build might even break.
(A test build in PPA mitigates such issues.)
* As host host-key issuer subject now Poughkeepsie and Armonk is allowed.
If the conditional statements are not properly coded, either Poughkeepsie
or Armonk might be allowed, which would fails in case the opposite is used.
(Testing if the IBM signing key is valid will mitigate this.)
* In worst case a broken detection of the host-key issuer subject may lead
to positive validations, regardless of the subject content.
(Testing if the IBM signing key is valid will mitigate this.)
* A test build for all affected Ubuntu releases (N, M, J and F) succeeded
and is available via this PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303
* These test packages will be pre-tested by IBM.
* This affected Secure Execution (SE) functionality only on s390x.
No other tools that are part of the s390-tools packages are affected
(or got modified in any way).
[ Other Info ]
* Secure Execution (SE) was introduced with in Ubuntu Server for s390x
with 20.04 LTS, hence 20.04 LTS and higher is affected.
* And with that the s390-tools versions that are still in service:
2.12.0-0ubuntu3.7 | focal-updates
2.20.0-0ubuntu3.2 | jammy-updates
2.29.0-0ubuntu2.1 | mantic-updates
2.30.0-0ubuntu1 | noble-updates / 2.31.0-0ubuntu4 | noble-proposed
* The following commits / patches need to be applied to the following
s390-tools versions:
* f6c6f0cc712433221fb0588c754e0d09884453dd
("rust/pv/test: Code + Certificate refactoring")
to noble, mantic
* 1a3d0b74f7819f5e087e6ecbf3ec879a05a88bbc
("rust/pv: Support `Armonk` in IBM signing key subject")
to noble, mantic
* d14e7593cc6380911ca42b09e11c53477ae13d5c
("genprotimg: support `Armonk` in IBM signing key subject")
to noble, mantic, jammy, focal
* d7c95265cdb6217b0203efa5893c3a27838af63c
("libpv: Support `Armonk` in IBM signing key subject")
to noble, mantic, jammy
* 2b5e7b049123aff094c7de79ba57a5df09471b2e
("pvattest: Fix root-ca parsing")
to noble, mantic, jammy
__________
Description: SE-tooling: New IBM host-key subject locality
Symptom:
On April 24 (z15) / March 29 (z16) user will notice that the
tooling for Secure execution will no longer detect that the provided
IBM signing key for that generation is a valid IBM signing key. The
error message will contain "no IBM signing key found" or similar. The
respective tool will reject creating an encrypted request/image as it
could not verify the host-key for its validity. This affects
genprotimg, pvattest, and pvsecret.
Problem:
The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject
locality' and 'Armonk' is used. The SE tooling checks, beside other
things, for the subject in the IBM signing key. If the subject is not
the expected one, the certificate is not recognized as a valid IBM
signing key. With no valid IBM signing key, the host-key verification
cannot succeed and users cannot build trustable SE images and
attestation or add-secret requests.
Solution:
Mitigations are available upstream. The fixes allow Armonk as
additional locality in the subject and allow potential mismatches in
the locality of revocation list or host-key issuer subject that may
still contain Poughkeepsie instead of Armonk.
Reproduction: Use a new IBM signing key in the unpatched tooling.
The fix is required due to the circumstances described here:
https://www.ibm.com/docs/en/linux-on-systems?topic=systems-whats-new#iplsdkwhatsnew__title__2
This is required for all Ubuntu releases in service that support secure execution.
Therefore, Ubuntu 20.04 LTS (focal) and above are affected and need to be fixed. |
|
2024-04-09 22:19:38 |
Launchpad Janitor |
s390-tools (Ubuntu Noble): status |
In Progress |
Fix Released |
|
2024-04-09 23:04:41 |
Launchpad Janitor |
s390-tools-signed (Ubuntu Noble): status |
In Progress |
Fix Released |
|
2024-04-10 12:39:33 |
bugproxy |
tags |
architecture-s39064 bugnameltc-205928 severity-critical targetmilestone-inin--- |
architecture-s39064 bugnameltc-205928 severity-critical targetmilestone-inin2004 |
|
2024-04-10 14:53:37 |
Frank Heimes |
ubuntu-z-systems: status |
New |
In Progress |
|
2024-04-15 18:22:08 |
Frank Heimes |
attachment added |
|
debdiff_mantic.tgz https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/2059303/+attachment/5765782/+files/debdiff_mantic.tgz |
|
2024-04-15 18:43:04 |
Frank Heimes |
attachment added |
|
debdiff_jammy.tgz https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/2059303/+attachment/5765796/+files/debdiff_jammy.tgz |
|
2024-04-16 07:17:48 |
Frank Heimes |
description |
SRU Justification:
[ Impact ]
* Symptom:
* There is an issue with the Secure Execution (SE) tooling,
especially the new IBM host-key subject locality,
that leads to the fact that on April 24 (z15) / March 29 (z16)
users will notice that the tooling for Secure execution will no
longer detect that the provided IBM signing key for that generation
is a valid IBM signing key.
* The error message will contain "no IBM signing key found" or similar.
The respective tool will reject creating an encrypted request/image
as it could not verify the host-key for its validity.
* This affects the genprotimg, pvattest, and pvsecret tools.
(Please notice that these tools got introduced over time with different
s390-tools versions that belong to different Ubuntu releases).
* Problem:
* The new IBM signing keys no longer contain 'Poughkeepsie' as
'subject locality' and 'Armonk' is used.
* The SE tooling checks, beside other things, for the subject in the
IBM signing key.
* If the subject is not the expected one, the certificate is not
recognized as a valid IBM signing key.
And without a valid IBM signing key, the host-key verification
cannot succeed and users cannot build trustable SE images and
attestation or add-secret requests.
* Solution:
* Mitigations are available upstream.
* The fixes allow Armonk as additional locality in the subject
and allow potential mismatches in the locality of revocation list
or host-key issuer subject that may still contain Poughkeepsie
instead of Armonk.
[ Test Plan ]
* <detailed instructions how to reproduce the bug>
* The testing is required for all three affected tools:
genprotimg, pvattest, and pvsecret
* Without the fixed code, but with the new IBM signing keys
(that have 'Armonk' as 'subject locality'), users will get a msgs like:
"no IBM signing key found"
and the validation will fail.
* With the patches included, the validation will succeed.
[ Where problems could occur ]
* The tools genprotimg, pvattest, and pvsecret tools are affected.
Since they got introduced over time with different s390-tools versions
that belong to different Ubuntu releases, it's important to figure out the
commits/patches that are required for each release.
* The refactoring commit f6c6f0cc712433221fb0588c754e0d09884453dd
("rust/pv/test: Code + Certificate refactoring") is needed
for noble and mantic, but needs several adjustments due to context changes.
The code could be negatively affected and the build might even break.
(A test build in PPA mitigates such issues.)
* As host host-key issuer subject now Poughkeepsie and Armonk is allowed.
If the conditional statements are not properly coded, either Poughkeepsie
or Armonk might be allowed, which would fails in case the opposite is used.
(Testing if the IBM signing key is valid will mitigate this.)
* In worst case a broken detection of the host-key issuer subject may lead
to positive validations, regardless of the subject content.
(Testing if the IBM signing key is valid will mitigate this.)
* A test build for all affected Ubuntu releases (N, M, J and F) succeeded
and is available via this PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303
* These test packages will be pre-tested by IBM.
* This affected Secure Execution (SE) functionality only on s390x.
No other tools that are part of the s390-tools packages are affected
(or got modified in any way).
[ Other Info ]
* Secure Execution (SE) was introduced with in Ubuntu Server for s390x
with 20.04 LTS, hence 20.04 LTS and higher is affected.
* And with that the s390-tools versions that are still in service:
2.12.0-0ubuntu3.7 | focal-updates
2.20.0-0ubuntu3.2 | jammy-updates
2.29.0-0ubuntu2.1 | mantic-updates
2.30.0-0ubuntu1 | noble-updates / 2.31.0-0ubuntu4 | noble-proposed
* The following commits / patches need to be applied to the following
s390-tools versions:
* f6c6f0cc712433221fb0588c754e0d09884453dd
("rust/pv/test: Code + Certificate refactoring")
to noble, mantic
* 1a3d0b74f7819f5e087e6ecbf3ec879a05a88bbc
("rust/pv: Support `Armonk` in IBM signing key subject")
to noble, mantic
* d14e7593cc6380911ca42b09e11c53477ae13d5c
("genprotimg: support `Armonk` in IBM signing key subject")
to noble, mantic, jammy, focal
* d7c95265cdb6217b0203efa5893c3a27838af63c
("libpv: Support `Armonk` in IBM signing key subject")
to noble, mantic, jammy
* 2b5e7b049123aff094c7de79ba57a5df09471b2e
("pvattest: Fix root-ca parsing")
to noble, mantic, jammy
__________
Description: SE-tooling: New IBM host-key subject locality
Symptom:
On April 24 (z15) / March 29 (z16) user will notice that the
tooling for Secure execution will no longer detect that the provided
IBM signing key for that generation is a valid IBM signing key. The
error message will contain "no IBM signing key found" or similar. The
respective tool will reject creating an encrypted request/image as it
could not verify the host-key for its validity. This affects
genprotimg, pvattest, and pvsecret.
Problem:
The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject
locality' and 'Armonk' is used. The SE tooling checks, beside other
things, for the subject in the IBM signing key. If the subject is not
the expected one, the certificate is not recognized as a valid IBM
signing key. With no valid IBM signing key, the host-key verification
cannot succeed and users cannot build trustable SE images and
attestation or add-secret requests.
Solution:
Mitigations are available upstream. The fixes allow Armonk as
additional locality in the subject and allow potential mismatches in
the locality of revocation list or host-key issuer subject that may
still contain Poughkeepsie instead of Armonk.
Reproduction: Use a new IBM signing key in the unpatched tooling.
The fix is required due to the circumstances described here:
https://www.ibm.com/docs/en/linux-on-systems?topic=systems-whats-new#iplsdkwhatsnew__title__2
This is required for all Ubuntu releases in service that support secure execution.
Therefore, Ubuntu 20.04 LTS (focal) and above are affected and need to be fixed. |
SRU Justification:
[ Impact ]
* Symptom:
* There is an issue with the Secure Execution (SE) tooling,
especially the new IBM host-key subject locality,
that leads to the fact that on April 24 (z15) / March 29 (z16)
users will notice that the tooling for Secure execution will no
longer detect that the provided IBM signing key for that generation
is a valid IBM signing key.
* The error message will contain "no IBM signing key found" or similar.
The respective tool will reject creating an encrypted request/image
as it could not verify the host-key for its validity.
* This affects the genprotimg, pvattest, and pvsecret tools.
(Please notice that these tools got introduced over time with different
s390-tools versions that belong to different Ubuntu releases).
* Problem:
* The new IBM signing keys no longer contain 'Poughkeepsie' as
'subject locality' and 'Armonk' is used.
* The SE tooling checks, beside other things, for the subject in the
IBM signing key.
* If the subject is not the expected one, the certificate is not
recognized as a valid IBM signing key.
And without a valid IBM signing key, the host-key verification
cannot succeed and users cannot build trustable SE images and
attestation or add-secret requests.
* Solution:
* Mitigations are available upstream.
* The fixes allow Armonk as additional locality in the subject
and allow potential mismatches in the locality of revocation list
or host-key issuer subject that may still contain Poughkeepsie
instead of Armonk.
[ Test Plan ]
* The testing is required for all three affected tools:
genprotimg, pvattest, and pvsecret
* Obtain a (z15) Host-key document e.g. via the official channel
see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document
* Get a signing key (z15) + intermediate certificate
see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document
* (optional) verify that the signing key is a new one
check for: Locality Armonk
$ openssl x509 -text -in international_business_machines_corporation.crt | grep Subject
Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International Business Machines Corporation
Here "L" **must** be Armonk, and not Poughkeepsie!
* Run the tools (if available, depends on the s390-tools version):
The fixed tools will accept the cert chain and exit with exit code 0
and the output generated.
The non-fixed will print n error message, abort, and report exit != 0
* $ genprotimg: genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt
# BEFORE_FIX:
Failed to verify host-key document: please specify at least one IBM Z signing key
# AFTER_FIX:
# exit code 0
* $ pvattest create -VVV -o tmp --arpk arpk -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt
# BEFORE_FIX:
ERROR: Creating the attestation request failed:
Specify at least one IBM Z signing key
# AFTER_FIX:
# exit code 0
* $ pvsecret create --hdr ~/secure_guest.hdr -o tmp -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/armonk/DigiCertCA.crt meta
# BEFORE_FIX:
error: Host-key verification failed: Specify one IBM Z signing key
# AFTER FIX:
Successfully generated the request
* Note: You can use any z15 host-key you like.
It does not has to match to the machine you are running on.
For the secure-guest.hdr in pvsecret you can use any se-header you like.
You can use a test-asset from s390-tools repository:
https://github.com/ibm-s390-linux/s390-tools/raw/master/rust/pv/tests/assets/exp/secure_guest.hdr
[ Where problems could occur ]
* The tools genprotimg, pvattest, and pvsecret tools are affected.
Since they got introduced over time with different s390-tools versions
that belong to different Ubuntu releases, it's important to figure out the
commits/patches that are required for each release.
* The refactoring commit f6c6f0cc712433221fb0588c754e0d09884453dd
("rust/pv/test: Code + Certificate refactoring") is needed
for noble and mantic, but needs several adjustments due to context changes.
The code could be negatively affected and the build might even break.
(A test build in PPA mitigates such issues.)
* As host host-key issuer subject now Poughkeepsie and Armonk is allowed.
If the conditional statements are not properly coded, either Poughkeepsie
or Armonk might be allowed, which would fails in case the opposite is used.
(Testing if the IBM signing key is valid will mitigate this.)
* In worst case a broken detection of the host-key issuer subject may lead
to positive validations, regardless of the subject content.
(Testing if the IBM signing key is valid will mitigate this.)
* A test build for all affected Ubuntu releases (N, M, J and F) succeeded
and is available via this PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303
* These test packages will be pre-tested by IBM.
* This affected Secure Execution (SE) functionality only on s390x.
No other tools that are part of the s390-tools packages are affected
(or got modified in any way).
[ Other Info ]
* Secure Execution (SE) was introduced with in Ubuntu Server for s390x
with 20.04 LTS, hence 20.04 LTS and higher is affected.
* And with that the s390-tools versions that are still in service:
2.12.0-0ubuntu3.7 | focal-updates
2.20.0-0ubuntu3.2 | jammy-updates
2.29.0-0ubuntu2.1 | mantic-updates
2.30.0-0ubuntu1 | noble-updates / 2.31.0-0ubuntu4 | noble-proposed
* The following commits / patches need to be applied to the following
s390-tools versions:
* f6c6f0cc712433221fb0588c754e0d09884453dd
("rust/pv/test: Code + Certificate refactoring")
to noble, mantic
* 1a3d0b74f7819f5e087e6ecbf3ec879a05a88bbc
("rust/pv: Support `Armonk` in IBM signing key subject")
to noble, mantic
* d14e7593cc6380911ca42b09e11c53477ae13d5c
("genprotimg: support `Armonk` in IBM signing key subject")
to noble, mantic, jammy, focal
* d7c95265cdb6217b0203efa5893c3a27838af63c
("libpv: Support `Armonk` in IBM signing key subject")
to noble, mantic, jammy
* 2b5e7b049123aff094c7de79ba57a5df09471b2e
("pvattest: Fix root-ca parsing")
to noble, mantic, jammy
__________
Description: SE-tooling: New IBM host-key subject locality
Symptom:
On April 24 (z15) / March 29 (z16) user will notice that the
tooling for Secure execution will no longer detect that the provided
IBM signing key for that generation is a valid IBM signing key. The
error message will contain "no IBM signing key found" or similar. The
respective tool will reject creating an encrypted request/image as it
could not verify the host-key for its validity. This affects
genprotimg, pvattest, and pvsecret.
Problem:
The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject
locality' and 'Armonk' is used. The SE tooling checks, beside other
things, for the subject in the IBM signing key. If the subject is not
the expected one, the certificate is not recognized as a valid IBM
signing key. With no valid IBM signing key, the host-key verification
cannot succeed and users cannot build trustable SE images and
attestation or add-secret requests.
Solution:
Mitigations are available upstream. The fixes allow Armonk as
additional locality in the subject and allow potential mismatches in
the locality of revocation list or host-key issuer subject that may
still contain Poughkeepsie instead of Armonk.
Reproduction: Use a new IBM signing key in the unpatched tooling.
The fix is required due to the circumstances described here:
https://www.ibm.com/docs/en/linux-on-systems?topic=systems-whats-new#iplsdkwhatsnew__title__2
This is required for all Ubuntu releases in service that support secure execution.
Therefore, Ubuntu 20.04 LTS (focal) and above are affected and need to be fixed. |
|
2024-04-16 07:17:59 |
Frank Heimes |
s390-tools-signed (Ubuntu Mantic): status |
New |
In Progress |
|
2024-04-16 07:18:11 |
Frank Heimes |
s390-tools-signed (Ubuntu Jammy): status |
New |
In Progress |
|
2024-04-16 07:18:37 |
Frank Heimes |
s390-tools (Ubuntu Mantic): status |
New |
In Progress |
|
2024-04-16 07:18:50 |
Frank Heimes |
s390-tools (Ubuntu Jammy): status |
New |
In Progress |
|
2024-04-16 07:19:06 |
Frank Heimes |
s390-tools (Ubuntu Focal): status |
New |
Incomplete |
|
2024-04-16 17:42:53 |
Frank Heimes |
attachment added |
|
debdiff_focal.tgz https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/2059303/+attachment/5766321/+files/debdiff_focal.tgz |
|
2024-04-16 17:43:11 |
Frank Heimes |
s390-tools (Ubuntu Focal): status |
Incomplete |
In Progress |
|
2024-04-16 17:43:24 |
Frank Heimes |
s390-tools-signed (Ubuntu Focal): status |
New |
In Progress |
|
2024-04-17 14:23:40 |
Frank Heimes |
description |
SRU Justification:
[ Impact ]
* Symptom:
* There is an issue with the Secure Execution (SE) tooling,
especially the new IBM host-key subject locality,
that leads to the fact that on April 24 (z15) / March 29 (z16)
users will notice that the tooling for Secure execution will no
longer detect that the provided IBM signing key for that generation
is a valid IBM signing key.
* The error message will contain "no IBM signing key found" or similar.
The respective tool will reject creating an encrypted request/image
as it could not verify the host-key for its validity.
* This affects the genprotimg, pvattest, and pvsecret tools.
(Please notice that these tools got introduced over time with different
s390-tools versions that belong to different Ubuntu releases).
* Problem:
* The new IBM signing keys no longer contain 'Poughkeepsie' as
'subject locality' and 'Armonk' is used.
* The SE tooling checks, beside other things, for the subject in the
IBM signing key.
* If the subject is not the expected one, the certificate is not
recognized as a valid IBM signing key.
And without a valid IBM signing key, the host-key verification
cannot succeed and users cannot build trustable SE images and
attestation or add-secret requests.
* Solution:
* Mitigations are available upstream.
* The fixes allow Armonk as additional locality in the subject
and allow potential mismatches in the locality of revocation list
or host-key issuer subject that may still contain Poughkeepsie
instead of Armonk.
[ Test Plan ]
* The testing is required for all three affected tools:
genprotimg, pvattest, and pvsecret
* Obtain a (z15) Host-key document e.g. via the official channel
see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document
* Get a signing key (z15) + intermediate certificate
see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document
* (optional) verify that the signing key is a new one
check for: Locality Armonk
$ openssl x509 -text -in international_business_machines_corporation.crt | grep Subject
Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International Business Machines Corporation
Here "L" **must** be Armonk, and not Poughkeepsie!
* Run the tools (if available, depends on the s390-tools version):
The fixed tools will accept the cert chain and exit with exit code 0
and the output generated.
The non-fixed will print n error message, abort, and report exit != 0
* $ genprotimg: genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt
# BEFORE_FIX:
Failed to verify host-key document: please specify at least one IBM Z signing key
# AFTER_FIX:
# exit code 0
* $ pvattest create -VVV -o tmp --arpk arpk -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt
# BEFORE_FIX:
ERROR: Creating the attestation request failed:
Specify at least one IBM Z signing key
# AFTER_FIX:
# exit code 0
* $ pvsecret create --hdr ~/secure_guest.hdr -o tmp -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/armonk/DigiCertCA.crt meta
# BEFORE_FIX:
error: Host-key verification failed: Specify one IBM Z signing key
# AFTER FIX:
Successfully generated the request
* Note: You can use any z15 host-key you like.
It does not has to match to the machine you are running on.
For the secure-guest.hdr in pvsecret you can use any se-header you like.
You can use a test-asset from s390-tools repository:
https://github.com/ibm-s390-linux/s390-tools/raw/master/rust/pv/tests/assets/exp/secure_guest.hdr
[ Where problems could occur ]
* The tools genprotimg, pvattest, and pvsecret tools are affected.
Since they got introduced over time with different s390-tools versions
that belong to different Ubuntu releases, it's important to figure out the
commits/patches that are required for each release.
* The refactoring commit f6c6f0cc712433221fb0588c754e0d09884453dd
("rust/pv/test: Code + Certificate refactoring") is needed
for noble and mantic, but needs several adjustments due to context changes.
The code could be negatively affected and the build might even break.
(A test build in PPA mitigates such issues.)
* As host host-key issuer subject now Poughkeepsie and Armonk is allowed.
If the conditional statements are not properly coded, either Poughkeepsie
or Armonk might be allowed, which would fails in case the opposite is used.
(Testing if the IBM signing key is valid will mitigate this.)
* In worst case a broken detection of the host-key issuer subject may lead
to positive validations, regardless of the subject content.
(Testing if the IBM signing key is valid will mitigate this.)
* A test build for all affected Ubuntu releases (N, M, J and F) succeeded
and is available via this PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303
* These test packages will be pre-tested by IBM.
* This affected Secure Execution (SE) functionality only on s390x.
No other tools that are part of the s390-tools packages are affected
(or got modified in any way).
[ Other Info ]
* Secure Execution (SE) was introduced with in Ubuntu Server for s390x
with 20.04 LTS, hence 20.04 LTS and higher is affected.
* And with that the s390-tools versions that are still in service:
2.12.0-0ubuntu3.7 | focal-updates
2.20.0-0ubuntu3.2 | jammy-updates
2.29.0-0ubuntu2.1 | mantic-updates
2.30.0-0ubuntu1 | noble-updates / 2.31.0-0ubuntu4 | noble-proposed
* The following commits / patches need to be applied to the following
s390-tools versions:
* f6c6f0cc712433221fb0588c754e0d09884453dd
("rust/pv/test: Code + Certificate refactoring")
to noble, mantic
* 1a3d0b74f7819f5e087e6ecbf3ec879a05a88bbc
("rust/pv: Support `Armonk` in IBM signing key subject")
to noble, mantic
* d14e7593cc6380911ca42b09e11c53477ae13d5c
("genprotimg: support `Armonk` in IBM signing key subject")
to noble, mantic, jammy, focal
* d7c95265cdb6217b0203efa5893c3a27838af63c
("libpv: Support `Armonk` in IBM signing key subject")
to noble, mantic, jammy
* 2b5e7b049123aff094c7de79ba57a5df09471b2e
("pvattest: Fix root-ca parsing")
to noble, mantic, jammy
__________
Description: SE-tooling: New IBM host-key subject locality
Symptom:
On April 24 (z15) / March 29 (z16) user will notice that the
tooling for Secure execution will no longer detect that the provided
IBM signing key for that generation is a valid IBM signing key. The
error message will contain "no IBM signing key found" or similar. The
respective tool will reject creating an encrypted request/image as it
could not verify the host-key for its validity. This affects
genprotimg, pvattest, and pvsecret.
Problem:
The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject
locality' and 'Armonk' is used. The SE tooling checks, beside other
things, for the subject in the IBM signing key. If the subject is not
the expected one, the certificate is not recognized as a valid IBM
signing key. With no valid IBM signing key, the host-key verification
cannot succeed and users cannot build trustable SE images and
attestation or add-secret requests.
Solution:
Mitigations are available upstream. The fixes allow Armonk as
additional locality in the subject and allow potential mismatches in
the locality of revocation list or host-key issuer subject that may
still contain Poughkeepsie instead of Armonk.
Reproduction: Use a new IBM signing key in the unpatched tooling.
The fix is required due to the circumstances described here:
https://www.ibm.com/docs/en/linux-on-systems?topic=systems-whats-new#iplsdkwhatsnew__title__2
This is required for all Ubuntu releases in service that support secure execution.
Therefore, Ubuntu 20.04 LTS (focal) and above are affected and need to be fixed. |
SRU Justification:
[ Impact ]
* Symptom:
* There is an issue with the Secure Execution (SE) tooling,
especially the new IBM host-key subject locality,
that leads to the fact that on April 24 (z15) / March 29 (z16)
users will notice that the tooling for Secure execution will no
longer detect that the provided IBM signing key for that generation
is a valid IBM signing key.
* The error message will contain "no IBM signing key found" or similar.
The respective tool will reject creating an encrypted request/image
as it could not verify the host-key for its validity.
* This affects the genprotimg, pvattest, and pvsecret tools.
(Please notice that these tools got introduced over time with different
s390-tools versions that belong to different Ubuntu releases).
* Problem:
* The new IBM signing keys no longer contain 'Poughkeepsie' as
'subject locality' and 'Armonk' is used.
* The SE tooling checks, beside other things, for the subject in the
IBM signing key.
* If the subject is not the expected one, the certificate is not
recognized as a valid IBM signing key.
And without a valid IBM signing key, the host-key verification
cannot succeed and users cannot build trustable SE images and
attestation or add-secret requests.
* Solution:
* Mitigations are available upstream.
* The fixes allow Armonk as additional locality in the subject
and allow potential mismatches in the locality of revocation list
or host-key issuer subject that may still contain Poughkeepsie
instead of Armonk.
[ Test Plan ]
* The testing is required for all three affected tools:
genprotimg, pvattest, and pvsecret
* Obtain a (z15) Host-key document e.g. via the official channel
see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document
* Get a signing key (z15) + intermediate certificate
see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document
* (optional) verify that the signing key is a new one
check for: Locality Armonk
$ openssl x509 -text -in international_business_machines_corporation.crt | grep Subject
Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International Business Machines Corporation
Here "L" **must** be Armonk, and not Poughkeepsie!
* Run the tools (if available, depends on the s390-tools version):
The fixed tools will accept the cert chain and exit with exit code 0
and the output generated.
The non-fixed will print n error message, abort, and report exit != 0
* $ genprotimg: genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt
# BEFORE_FIX:
Failed to verify host-key document: please specify at least one IBM Z signing key
# AFTER_FIX:
# exit code 0
* $ pvattest create -VVV -o tmp --arpk arpk -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt
# BEFORE_FIX:
ERROR: Creating the attestation request failed:
Specify at least one IBM Z signing key
# AFTER_FIX:
# exit code 0
* $ pvsecret create --hdr ~/secure_guest.hdr -o tmp -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/armonk/DigiCertCA.crt meta
# BEFORE_FIX:
error: Host-key verification failed: Specify one IBM Z signing key
# AFTER FIX:
Successfully generated the request
* Note: You can use any z15 host-key you like.
It does not has to match to the machine you are running on.
For the secure-guest.hdr in pvsecret you can use any se-header you like.
You can use a test-asset from s390-tools repository:
https://github.com/ibm-s390-linux/s390-tools/raw/master/rust/pv/tests/assets/exp/secure_guest.hdr
[ Where problems could occur ]
* The tools genprotimg, pvattest, and pvsecret tools are affected.
Since they got introduced over time with different s390-tools versions
that belong to different Ubuntu releases, it's important to figure out the
commits/patches that are required for each release.
* The refactoring commit f6c6f0cc712433221fb0588c754e0d09884453dd
("rust/pv/test: Code + Certificate refactoring") is needed
for noble and mantic, but needs several adjustments due to context changes.
The code could be negatively affected and the build might even break.
(A test build in PPA mitigates such issues.)
* As host host-key issuer subject now Poughkeepsie and Armonk is allowed.
If the conditional statements are not properly coded, either Poughkeepsie
or Armonk might be allowed, which would fails in case the opposite is used.
(Testing if the IBM signing key is valid will mitigate this.)
* In worst case a broken detection of the host-key issuer subject may lead
to positive validations, regardless of the subject content.
(Testing if the IBM signing key is valid will mitigate this.)
* A test build for all affected Ubuntu releases (N, M, J and F) succeeded
and is available via this PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303
* These test packages will be pre-tested by IBM.
* This affected Secure Execution (SE) functionality only on s390x.
No other tools that are part of the s390-tools packages are affected
(or got modified in any way).
[ Other Info ]
* Secure Execution (SE) was introduced with in Ubuntu Server for s390x
with 20.04 LTS, hence 20.04 LTS and higher is affected.
* And with that the s390-tools versions that are still in service:
2.12.0-0ubuntu3.7 | focal-updates
2.20.0-0ubuntu3.2 | jammy-updates
2.29.0-0ubuntu2.1 | mantic-updates
2.30.0-0ubuntu1 | noble-updates / 2.31.0-0ubuntu4 | noble-proposed
* The following commits / patches need to be applied to the following
s390-tools versions:
* f6c6f0cc712433221fb0588c754e0d09884453dd
("rust/pv/test: Code + Certificate refactoring")
to noble, mantic
* 1a3d0b74f7819f5e087e6ecbf3ec879a05a88bbc
("rust/pv: Support `Armonk` in IBM signing key subject")
to noble, mantic
* d14e7593cc6380911ca42b09e11c53477ae13d5c
("genprotimg: support `Armonk` in IBM signing key subject")
to noble, mantic, jammy, focal
* d7c95265cdb6217b0203efa5893c3a27838af63c
("libpv: Support `Armonk` in IBM signing key subject")
to noble, mantic, jammy
* 2b5e7b049123aff094c7de79ba57a5df09471b2e
("pvattest: Fix root-ca parsing")
to noble, mantic, jammy
* 8723dbce048add87ce10fe8c72eea75c4f828ef8
("genprotimg: add OpenSSL 3.0 support")
c5d566a4dab559f4d42c62181fcf314a4042bc6d
("genprotimg/crypto: use X509_get0_not(After|Before)")
f5744b95db93fa9d5cfd6fb206767ad2dcc3c804
("genprotimg: Fix build with OpenSSL 1.1")
all to focal only
__________
Description: SE-tooling: New IBM host-key subject locality
Symptom:
On April 24 (z15) / March 29 (z16) user will notice that the
tooling for Secure execution will no longer detect that the provided
IBM signing key for that generation is a valid IBM signing key. The
error message will contain "no IBM signing key found" or similar. The
respective tool will reject creating an encrypted request/image as it
could not verify the host-key for its validity. This affects
genprotimg, pvattest, and pvsecret.
Problem:
The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject
locality' and 'Armonk' is used. The SE tooling checks, beside other
things, for the subject in the IBM signing key. If the subject is not
the expected one, the certificate is not recognized as a valid IBM
signing key. With no valid IBM signing key, the host-key verification
cannot succeed and users cannot build trustable SE images and
attestation or add-secret requests.
Solution:
Mitigations are available upstream. The fixes allow Armonk as
additional locality in the subject and allow potential mismatches in
the locality of revocation list or host-key issuer subject that may
still contain Poughkeepsie instead of Armonk.
Reproduction: Use a new IBM signing key in the unpatched tooling.
The fix is required due to the circumstances described here:
https://www.ibm.com/docs/en/linux-on-systems?topic=systems-whats-new#iplsdkwhatsnew__title__2
This is required for all Ubuntu releases in service that support secure execution.
Therefore, Ubuntu 20.04 LTS (focal) and above are affected and need to be fixed. |
|
2024-04-17 14:23:56 |
Frank Heimes |
s390-tools-signed (Ubuntu Mantic): importance |
Undecided |
Critical |
|
2024-04-17 14:24:41 |
Frank Heimes |
s390-tools-signed (Ubuntu Jammy): importance |
Undecided |
Critical |
|
2024-04-17 14:24:55 |
Frank Heimes |
s390-tools-signed (Ubuntu Focal): importance |
Undecided |
Critical |
|
2024-04-17 14:25:07 |
Frank Heimes |
s390-tools (Ubuntu Mantic): importance |
Undecided |
Critical |
|
2024-04-17 14:25:17 |
Frank Heimes |
s390-tools (Ubuntu Jammy): importance |
Undecided |
Critical |
|
2024-04-17 14:25:28 |
Frank Heimes |
s390-tools (Ubuntu Focal): importance |
Undecided |
Critical |
|
2024-04-23 09:31:19 |
Frank Heimes |
attachment added |
|
debdiffs.tgz https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/2059303/+attachment/5769649/+files/debdiffs.tgz |
|
2024-05-14 14:31:20 |
Łukasz Zemczak |
s390-tools (Ubuntu Mantic): status |
In Progress |
Fix Committed |
|
2024-05-14 14:31:22 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2024-05-14 14:31:24 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2024-05-14 14:31:26 |
Łukasz Zemczak |
tags |
architecture-s39064 bugnameltc-205928 severity-critical targetmilestone-inin2004 |
architecture-s39064 bugnameltc-205928 severity-critical targetmilestone-inin2004 verification-needed verification-needed-mantic |
|
2024-05-14 14:32:37 |
Łukasz Zemczak |
s390-tools (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2024-05-14 14:32:41 |
Łukasz Zemczak |
tags |
architecture-s39064 bugnameltc-205928 severity-critical targetmilestone-inin2004 verification-needed verification-needed-mantic |
architecture-s39064 bugnameltc-205928 severity-critical targetmilestone-inin2004 verification-needed verification-needed-jammy verification-needed-mantic |
|
2024-05-14 14:34:23 |
Łukasz Zemczak |
s390-tools (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2024-05-14 14:34:28 |
Łukasz Zemczak |
tags |
architecture-s39064 bugnameltc-205928 severity-critical targetmilestone-inin2004 verification-needed verification-needed-jammy verification-needed-mantic |
architecture-s39064 bugnameltc-205928 severity-critical targetmilestone-inin2004 verification-needed verification-needed-focal verification-needed-jammy verification-needed-mantic |
|
2024-05-14 14:40:16 |
Łukasz Zemczak |
s390-tools-signed (Ubuntu Mantic): status |
In Progress |
Fix Committed |
|
2024-05-14 14:41:32 |
Łukasz Zemczak |
s390-tools-signed (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2024-05-14 14:42:48 |
Łukasz Zemczak |
s390-tools-signed (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2024-05-17 09:38:23 |
Frank Heimes |
ubuntu-z-systems: status |
In Progress |
Fix Committed |
|
2024-05-17 15:59:50 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-205928 severity-critical targetmilestone-inin2004 verification-needed verification-needed-focal verification-needed-jammy verification-needed-mantic |
architecture-s39064 bugnameltc-205928 severity-critical targetmilestone-inin2004 verification-done verification-done-focal verification-done-jammy verification-done-mantic |
|
2024-05-20 10:03:49 |
Launchpad Janitor |
s390-tools (Ubuntu Mantic): status |
Fix Committed |
Fix Released |
|
2024-05-20 10:03:53 |
Launchpad Janitor |
s390-tools-signed (Ubuntu Mantic): status |
Fix Committed |
Fix Released |
|
2024-05-20 10:03:57 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2024-05-20 10:04:06 |
Launchpad Janitor |
s390-tools (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2024-05-20 10:04:08 |
Launchpad Janitor |
s390-tools-signed (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2024-05-20 10:04:21 |
Launchpad Janitor |
s390-tools (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2024-05-20 10:04:24 |
Launchpad Janitor |
s390-tools-signed (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2024-05-20 13:33:44 |
Frank Heimes |
ubuntu-z-systems: status |
Fix Committed |
Fix Released |
|