Comment 10 for bug 2059303

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2024-04-12 10:22 EDT-------
Hi Frank,

An update from my side:

!SHORT:

GOOD:
noble(with a nit), mantic, jammy
BAD/not verifiable:
focal

!LONG:

Verified for:

* 24.04 (noble):

with today's (2024-apr-12) s390tools version from noble repository (after a release-upgrade from jammy):
- genprotimg
- pvattest
- pvsecret
work.
did **not** use your PPA

But there is a mismatch from the package version to the version that the tools report:

> apt-cache showpkg s390-tools
Package: s390-tools
Versions:
2.31.0-0ubuntu5 (/var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_noble_main_binary-s390x_Packages)

> pvattest --version
pvattest version 2.31.0-build-20240409

You very likely forgot to change the DISTRELEASE variable in common.mak

* 23.10 (mantic):
All work with your PPA
- genprotimg
- pvattest
- pvsecret

* 22.04 (jammy):
All work with your PPA
- genprotimg
- pvattest

* 20.04 (focal):

the updated s390-tools package from your PPA has no genprotimg in it:

> dpkg --contents s390-tools_2.12.0-0ubuntu3.8_s390x.deb | grep genprot
-rw-r--r-- root/root 1775 2024-04-03 14:10 ./usr/share/man/man8/genprotimg.8.gz
drwxr-xr-x root/root 0 2024-04-03 14:10 ./usr/share/s390-tools/genprotimg/
-rw-r--r-- root/root 9656 2024-04-03 14:10 ./usr/share/s390-tools/genprotimg/stage3a.bin
-rw-r--r-- root/root 5498 2024-04-03 14:10 ./usr/share/s390-tools/genprotimg/stage3b_reloc.bin

(before the update(s390-tools2.12.0-ubuntu3.7))
> apt-file list s390-tools | grep genprotimg
s390-tools: /usr/bin/genprotimg
[....]

Verify process:
1) Obtain a (z15) Host-key document e.g. via the official channel
see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document

2) Get a signing key (z15) + intermediate certificate
see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document

3) (optional) verify that the signing key is a new one (check for: Locality Armonk)
> openssl x509 -text -in international_business_machines_corporation.crt | grep Subject
Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International Business Machines Corporation

L **must** be Armonk, and not Poughkeepsie

4) run the tools if available:
The fixed tools will accept the cert chain and exit with exit code 0 and the output generated.
The non-fixed will print an error message, abort, and report exit != 0

> genprotimg: genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt

#BEFORE_FIX:
Failed to verify host-key document: please specify at least one IBM Z signing key
# AFTER_FIX:
# exit code 0

> pvattest create -VVV -o tmp --arpk arpk -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt

#BEFORE_FIX:
ERROR: Creating the attestation request failed:
Specify at least one IBM Z signing key
# AFTER_FIX:
# exit code 0

> pvsecret create --hdr ~/secure_guest.hdr -o tmp -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/armonk/DigiCertCA.crt meta

# BEFORE_FIX:
error: Host-key verification failed: Specify one IBM Z signing key
# AFTER FIX:
Successfully generated the request

Note: You can use any z15 host-key you like. It doesn't have to match the machine you are running on. For the secure-guest.hdr in pvsecret you can use any se-header you like. You can use a test-asset from s390-tools repository: https://github.com/ibm-s390-linux/s390-tools/raw/master/rust/pv/tests/assets/exp/secure_guest.hdr

Steffen
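
Added example, not part of the original comment and not s390-tools code: the optional step 3 check written as a script, so the signing-key locality can be tested before running genprotimg, pvattest or pvsecret. The function names and the sample subject lines are hypothetical and constructed; it assumes a comma-separated subject as printed by `openssl x509`.

```sh
#!/bin/sh
# Print the value of the L (locality) attribute from a certificate subject line.
# Accepts "Subject: C = US, L = Armonk, ..." (openssl x509 -text) and
# "subject=C=US,L=Armonk,..." (openssl x509 -noout -subject).
# Assumption: comma-separated attributes, no commas inside attribute values.
subject_locality() {
    printf '%s\n' "$1" |
        sed -e 's/^[[:space:]]*[Ss]ubject[:=][[:space:]]*//' |
        tr ',' '\n' |
        sed -n -e 's/^[[:space:]]*L[[:space:]]*=[[:space:]]*//p' |
        sed -e 's/[[:space:]]*$//' |
        head -n 1
}

# Exit status: 0 = new signing key (L is Armonk), 1 = old key (L is Poughkeepsie),
# 2 = locality missing or unexpected, so nothing can be concluded.
signing_key_is_new() {
    loc=$(subject_locality "$1")
    case "$loc" in
        Armonk)       return 0 ;;
        Poughkeepsie) echo "old signing key: L=Poughkeepsie" >&2; return 1 ;;
        *)            echo "cannot decide, L='$loc'" >&2; return 2 ;;
    esac
}

# Same check on a certificate file; an unreadable file yields status 2.
check_cert_file() {
    signing_key_is_new "$(openssl x509 -noout -subject -in "$1" 2>/dev/null)"
}

# Constructed sample subject lines (not taken from real certificates).
SAMPLE_NEW='        Subject: C = US, ST = New York, L = Armonk, O = Example Corp, CN = Example'
SAMPLE_OLD='subject=C=US,ST=New York,L=Poughkeepsie,O=Example Corp,CN=Example'

for s in "$SAMPLE_NEW" "$SAMPLE_OLD"; do
    if signing_key_is_new "$s" 2>/dev/null; then
        echo "new signing key"
    else
        echo "not the new signing key"
    fi
done
```

This only inspects the subject text; the certificate chain itself is still verified by the tools in step 4.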