------- Comment From <email address hidden> 2024-04-12 10:22 EDT-------
Hi Frank,
An update from my side:
!SHORT:
GOOD:
noble(with a nit), mantic, jammy
BAD/not verifiable:
focal
!LONG:
Verified for:
* 24.04 (noble):
with today's (2024-apr-12) s390tools version from noble repository (after a release-upgrade from jammy):
- genprotimg
- pvattest
- pvsecret
work.
did **not** use your PPA
But there is a mismatch from the package version to the version that the tools report:
> apt-cache showpkg s390-tools
Package: s390-tools
Versions:
2.31.0-0ubuntu5 (/var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_noble_main_binary-s390x_Packages)
> pvattest --version
pvattest version 2.31.0-build-20240409
You very likely forgot to change the DISTRELEASE variable in common.mak
* 23.10 (mantic):
All work with your PPA
- genprotimg
- pvattest
- pvsecret
* 22.04 (jammy):
All work with your PPA
- genprotimg
- pvattest
* 20.04 (focal):
the updated s390-tools package from your PPA has no genprotimg in it:
> dpkg --contents s390-tools_2.12.0-0ubuntu3.8_s390x.deb | grep genprot
-rw-r--r-- root/root 1775 2024-04-03 14:10 ./usr/share/man/man8/genprotimg.8.gz
drwxr-xr-x root/root 0 2024-04-03 14:10 ./usr/share/s390-tools/genprotimg/
-rw-r--r-- root/root 9656 2024-04-03 14:10 ./usr/share/s390-tools/genprotimg/stage3a.bin
-rw-r--r-- root/root 5498 2024-04-03 14:10 ./usr/share/s390-tools/genprotimg/stage3b_reloc.bin
(before the update (s390-tools2.12.0-ubuntu3.7))
> apt-file list s390-tools | grep genprotimg
s390-tools: /usr/bin/genprotimg
[....]
Verify process:
1) Obtain a (z15) Host-key document e.g. via the official channel
see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document
2) Get a signing key (z15) + intermediate certificate
see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document
3) (optional) verify that the signing key is a new one (check for: Locality Armonk)
> openssl x509 -text -in international_business_machines_corporation.crt | grep Subject
Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International Business Machines Corporation
L **must** be Armonk, and not Poughkeepsie
4) run the tools if available:
The fixed tools will accept the cert chain and exit with exit code 0 and the output generated.
The non-fixed will print an error message, abort, and report exit != 0
> genprotimg: genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt
#BEFORE_FIX:
Failed to verify host-key document: please specify at least one IBM Z signing key
# AFTER_FIX:
# exit code 0
> pvattest create -VVV -o tmp --arpk arpk -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt
#BEFORE_FIX:
ERROR: Creating the attestation request failed:
Specify at least one IBM Z signing key
# AFTER_FIX:
# exit code 0
> pvsecret create --hdr ~/secure_guest.hdr -o tmp -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/armonk/DigiCertCA.crt meta
# BEFORE_FIX:
error: Host-key verification failed: Specify one IBM Z signing key
# AFTER FIX:
Successfully generated the request
Note: You can use any z15 host-key you like. It doesn't have to match the machine you are running on. For the secure-guest.hdr in pvsecret you can use any se-header you like. You can use a test-asset from s390-tools repository: https://github.com/ibm-s390-linux/s390-tools/raw/master/rust/pv/tests/assets/exp/secure_guest.hdr
Steffen
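
Step 3 of the verify process above, scripted as an added example (not part of the original comment and not s390-tools code): it extracts the Locality attribute from the signing key's subject and succeeds only when it is Armonk. The function names are illustrative, and it assumes openssl is on PATH and that subject values contain no literal ',' or '/'.

```shell
#!/bin/sh
# Added example (not from the original comment): step 3 as a script.
# Function names are illustrative.

# Print the L (Locality) attribute of an openssl subject line.
# Handles "Subject: C = US, ..., L = Armonk, ..." (x509 -text),
# "subject=C = US, ..." and the older "subject= /C=US/.../L=Armonk/..." form.
# Assumption: attribute values contain no literal ',' or '/'.
subject_locality() {
    printf '%s\n' "$1" |
        sed 's/^ *[Ss]ubject *[:=] *//' |
        tr ',/' '\n\n' |
        awk -F= '{ k = $1; gsub(/^ +| +$/, "", k) }
                 k == "L" { v = $2; gsub(/^ +| +$/, "", v); print v; exit }'
}

# Step 3: a new signing key has L = Armonk (and not Poughkeepsie).
subject_is_new_key() {
    [ "$(subject_locality "$1")" = "Armonk" ]
}

# Same check on a certificate file. Uses -subject rather than
# "-text | grep Subject", which also matches "Subject Public Key Info".
# Returns 0 = new key, 1 = other locality, 2 = openssl could not read the file.
cert_is_new_key() {
    subj=$(openssl x509 -noout -subject -in "$1" 2>/dev/null) || return 2
    subject_is_new_key "$subj"
}

# Run as: sh check_signing_key.sh <signing-key.crt>
if [ "$#" -ge 1 ]; then
    rc=0
    cert_is_new_key "$1" || rc=$?
    case $rc in
        0) echo "OK: L = Armonk" ;;
        1) echo "FAIL: L is not Armonk" ;;
        *) echo "ERROR: cannot read certificate $1" ;;
    esac
    exit "$rc"
fi
```

A zero exit status means the certificate passes the step 3 check and can be given to the tools in step 4 via --cert.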