[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

** Changed in: ubuntu-z-systems
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Launchpad Bug Tracker]

This bug was fixed in the package s390-tools-signed - 2.12.0-0ubuntu3.8

---
s390-tools-signed (2.12.0-0ubuntu3.8) focal; urgency=medium

  * Rebuild against 2.12.0-0ubuntu3.8 (LP: #2059303)

 -- Frank Heimes   Mon, 15 Apr 2024 20:57:27
+0200

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Launchpad Bug Tracker]

This bug was fixed in the package s390-tools - 2.12.0-0ubuntu3.8

---
s390-tools (2.12.0-0ubuntu3.8) focal; urgency=medium

  * Add d/p/lp2059303-genprotimg-support-Armonk-in-IBM-signing-key.patch
to fix Secure Execution tooling and accept new IBM host-key subject
locality. (LP: #2059303)
  * And add
d/p/debian/patches/lp-2059303-genprotimg-Fix-build-with-OpenSSL-1.1.patch
to fix "discards 'const' qualifier" build issue with OpenSSL 1.1 and
d/p/lp2059303-genprotimg-add-OpenSSL-3.0-support.patch
d/p/lp-2059303-genprotimg-crypto-use-X509_get0_not-After-Before.patch
as pre-requirement.

 -- Frank Heimes   Wed, 03 Apr 2024 16:10:48
+0200

** Changed in: s390-tools-signed (Ubuntu Focal)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Launchpad Bug Tracker]

This bug was fixed in the package s390-tools-signed - 2.20.0-0ubuntu3.3

---
s390-tools-signed (2.20.0-0ubuntu3.3) jammy; urgency=medium

  * Rebuild against 2.20.0-0ubuntu3.3 (LP: #2059303)

 -- Frank Heimes   Mon, 15 Apr 2024 20:33:10
+0200

** Changed in: s390-tools (Ubuntu Focal)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Launchpad Bug Tracker]

This bug was fixed in the package s390-tools - 2.20.0-0ubuntu3.3

---
s390-tools (2.20.0-0ubuntu3.3) jammy; urgency=medium

  * Add the following commits as patches:
- d/p/lp-2059303-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch
- d/p/lp-2059303-libpv-Support-Armonk-in-IBM-signing-key-subject.patch
- d/p/lp-2059303-pvattest-Fix-root-ca-parsing.patch
to fix Secure Execution tooling and accept new IBM host-key
subject locality. LP: #2059303

 -- Frank Heimes   Wed, 03 Apr 2024 15:46:42
+0200

** Changed in: s390-tools (Ubuntu Jammy)
   Status: Fix Committed => Fix Released

** Changed in: s390-tools-signed (Ubuntu Jammy)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Launchpad Bug Tracker]

This bug was fixed in the package s390-tools-signed - 2.29.0-0ubuntu2.2

---
s390-tools-signed (2.29.0-0ubuntu2.2) mantic; urgency=medium

  * Rebuild against 2.29.0-0ubuntu2.2 (LP: #2059303)

 -- Frank Heimes   Mon, 15 Apr 2024 20:13:31
+0200

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Launchpad Bug Tracker]

This bug was fixed in the package s390-tools - 2.29.0-0ubuntu2.2

---
s390-tools (2.29.0-0ubuntu2.2) mantic; urgency=medium

  * Add the following commits as patches:
- d/p/lp-2059303-rust-pv-test-Code-Certificate-refactoring.patch
  (excluded patching binary files rust/pv/tests/assets/cert/der.crl and
   rust/pv/tests/assets/cert/der.crt, which is not supported by quilt
   - these files are needed for testing only)
- d/p/lp-2059303-rust-pv-Support-Armonk-in-IBM-signing-key-subject.patch
- d/p/lp-2059303-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch
- d/p/lp-2059303-libpv-Support-Armonk-in-IBM-signing-key-subject.patch
- d/p/lp-2059303-pvattest-Fix-root-ca-parsing.patch
to fix Secure Execution tooling and accept new IBM host-key
subject locality. LP: #2059303

 -- Frank Heimes   Wed, 03 Apr 2024 12:40:19
+0200

** Changed in: s390-tools (Ubuntu Mantic)
   Status: Fix Committed => Fix Released

** Changed in: s390-tools-signed (Ubuntu Mantic)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

Thank you Steffen once again!
I'm updating the tags accordingly ...

** Tags removed: verification-needed verification-needed-focal 
verification-needed-jammy verification-needed-mantic
** Tags added: verification-done verification-done-focal 
verification-done-jammy verification-done-mantic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

** Changed in: ubuntu-z-systems
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Łukasz Zemczak]

Hello bugproxy, or anyone else affected,

Accepted s390-tools-signed into mantic-proposed. The package will build
now and be available at https://launchpad.net/ubuntu/+source/s390-tools-
signed/2.29.0-0ubuntu2.2 in a few hours, and then in the -proposed
repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
mantic to verification-done-mantic. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-mantic. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: s390-tools-signed (Ubuntu Mantic)
   Status: In Progress => Fix Committed

** Changed in: s390-tools-signed (Ubuntu Jammy)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Łukasz Zemczak]

Hello bugproxy, or anyone else affected,

Accepted s390-tools into mantic-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/s390-tools/2.29.0-0ubuntu2.2 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
mantic to verification-done-mantic. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-mantic. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: s390-tools (Ubuntu Mantic)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-mantic

** Changed in: s390-tools (Ubuntu Jammy)
   Status: In Progress => Fix Committed

** Tags added: verification-needed-jammy

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

Hi @seth-arnold,
I am not in-depth familiar with security related updates (since they happen 
rarely for me, and if private-security are handled by the security team anyway).

"
My assumption is that these package updates should be published first to 
-updates for autopkgtest testing, and once they have passed testing and phased 
to users, then we should republish these updates to -security so that they are 
available to all users. Does this sound correct?
"
There are no autopkgtests (for historical reasons and since lot's of functions 
in that package req. the hw to be configured in a certain way, which cannot 
guaranteed by the build systems), but the packages get (and already got) 
already manually tested upfront, with focus on the changes (according to test 
plan in SRU justification).

"
This is much easier to execute if the updates have been built in a PPA with 
only -security enabled, and not -updates. (The -security pocket is built with 
only packages from -release and -security, not -updates.) Do packages built in 
such a PPA exist?
"
I've now kicked off build in a -security only PPA here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303-sec
(so yes, they build there, but it'll take a while until published)

"
The SRU workflow asks for packages to be either uploaded with dput to the queue 
or debdiffs provided. I see some debdiffs here, but some additional work was 
performed after most of the debdiffs were uploaded.
"
The changes are some broken URL references in some quilt patch headers, I've 
fixed those.

"
Are the posted debdiffs something that the SRU team should work with? The 
Ubuntu Sponsors team was added around three weeks ago, before much of the work 
was done, it's entirely possible that this has fallen off their radar as a 
result. (And, the general hustle of responding to the xz-utils issue, release 
time goals, etc.)
"
I think the debdiffs should be taken (as usual).
It's difficult to get SRUs processed around release times.

One concern I have is that copying the packages might not work, since there is 
a bootloader component that is signed, and the signing key is based on the 
location where the package is build.
Hence a package build in PPA will be signed with the PPA key and not with the 
official ('production') key
and so copying it over from PPA to archive will probably mess up things.

So I believe the debdiffs need to be the base for an upload (by a
sponsor), then build for the archives (that will ensure signing with the
proper key), then published on -proposed, verified there and then
eventually released.

(I'm attaching the debdiffs again, with fixed urls)

** Attachment added: "debdiffs.tgz"
   
https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/2059303/+attachment/5769649/+files/debdiffs.tgz

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Seth Arnold]

I've been asked to try to help these updates along; I'm not on the SRU
team so I can't give concrete directions, only suggestions.

My assumption is that these package updates should be published first to
-updates for autopkgtest testing, and once they have passed testing and
phased to users, then we should republish these updates to -security so
that they are available to all users. Does this sound correct?

This is much easier to execute if the updates have been built in a PPA
with only -security enabled, and not -updates. (The -security pocket is
built with only packages from -release and -security, not -updates.) Do
packages built in such a PPA exist?

The SRU workflow asks for packages to be either uploaded with dput to
the queue or debdiffs provided. I see some debdiffs here, but some
additional work was performed after most of the debdiffs were uploaded.
Are the posted debdiffs something that the SRU team should work with?
The Ubuntu Sponsors team was added around three weeks ago, before much
of the work was done, it's entirely possible that this has fallen off
their radar as a result. (And, the general hustle of responding to the
xz-utils issue, release time goals, etc.)

So, with the reminder that I'm not on the SRU team, I think the next
steps should be:

- prepare a PPA with only -security enabled
- build packages
- ask SRU team to move the packages to -proposed and see how autopkgtests go
- phase the update
- ask the security team to binary copy the packages to -security once it's 
proven in the field

What do you think?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

** Description changed:

  SRU Justification:
  
  [ Impact ]
  
   * Symptom:
  
     * There is an issue with the Secure Execution (SE) tooling,
   especially the new IBM host-key subject locality,
   that leads to the fact that on April 24 (z15) / March 29 (z16)
   users will notice that the tooling for Secure execution will no
   longer detect that the provided IBM signing key for that generation
   is a valid IBM signing key.
  
     * The error message will contain "no IBM signing key found" or similar.
   The respective tool will reject creating an encrypted request/image
   as it could not verify the host-key for its validity.
  
     * This affects the genprotimg, pvattest, and pvsecret tools.
   (Please notice that these tools got introduced over time with different
    s390-tools versions that belong to different Ubuntu releases).
  
   * Problem:
  
     * The new IBM signing keys no longer contain 'Poughkeepsie' as
   'subject locality' and 'Armonk' is used.
  
     * The SE tooling checks, beside other things, for the subject in the
   IBM signing key.
  
     * If the subject is not the expected one, the certificate is not
   recognized as a valid IBM signing key.
   And without a valid IBM signing key, the host-key verification
   cannot succeed and users cannot build trustable SE images and
   attestation or add-secret requests.
  
   * Solution:
  
     * Mitigations are available upstream.
  
     * The fixes allow Armonk as additional locality in the subject
   and allow potential mismatches in the locality of revocation list
   or host-key issuer subject that may still contain Poughkeepsie
   instead of Armonk.
  
  [ Test Plan ]
  
   * The testing is required for all three affected tools:
     genprotimg, pvattest, and pvsecret
  
-  * Obtain a (z15) Host-key document e.g. via the official channel
-see: 
https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document
+  * Obtain a (z15) Host-key document e.g. via the official channel
+    see: 
https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document
  
-  * Get a signing key (z15) + intermediate certificate
-see: 
https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document
+  * Get a signing key (z15) + intermediate certificate
+    see: 
https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document
  
-  * (optional) verify that the signing key is a new one
-check for: Locality Armonk
-$ openssl x509 -text -in international_business_machines_corporation.crt | 
grep Subject
-Subject: C = US, ST = New York, L = Armonk, O = International Business 
Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International 
Business Machines Corporation
-Here "L" **must** be Armonk, and not Poughkeepsie!
+  * (optional) verify that the signing key is a new one
+    check for: Locality Armonk
+    $ openssl x509 -text -in international_business_machines_corporation.crt | 
grep Subject
+    Subject: C = US, ST = New York, L = Armonk, O = International Business 
Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International 
Business Machines Corporation
+    Here "L" **must** be Armonk, and not Poughkeepsie!
  
-  * Run the tools (if available, depends on the s390-tools version):
-The fixed tools will accept the cert chain and exit with exit code 0
-and the output generated.
-The non-fixed will print n error message, abort, and report exit != 0
+  * Run the tools (if available, depends on the s390-tools version):
+    The fixed tools will accept the cert chain and exit with exit code 0
+    and the output generated.
+    The non-fixed will print n error message, abort, and report exit != 0
  
-  * $ genprotimg: genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k 
~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert 
~/DigiCertCA.crt
-# BEFORE_FIX:
-Failed to verify host-key document: please specify at least one IBM Z 
signing key
-# AFTER_FIX:
-# exit code 0
+  * $ genprotimg: genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k 
~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert 
~/DigiCertCA.crt
+    # BEFORE_FIX:
+    Failed to verify host-key document: please specify at least one IBM Z 
signing key
+    # AFTER_FIX:
+    # exit code 0
  
-  * $ pvattest create -VVV -o tmp --arpk arpk -k ~/hostkey.crt --cert 
~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt
-# BEFORE_FIX:
-ERROR: Creating the attestation request failed:
-Specify at least one IBM Z signing key
-# AFTER_FIX:
-# exit code 0
+  * $ pvattest create -VVV -o tmp --arpk arpk -k ~/hostkey.crt --cert 
~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt
+    # BEFORE_FIX:
+    ERROR: Creating the attestation request failed:
+    

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

Cool, thanks a lot Steffen!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

Marc and me, we had a side discussion and finally found the missing commits and 
have a proper build for focal.
The build is available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp205930
and the debdiff(s) attached.

** Attachment added: "debdiff_focal.tgz"
   
https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/2059303/+attachment/5766321/+files/debdiff_focal.tgz

** Changed in: s390-tools (Ubuntu Focal)
   Status: Incomplete => In Progress

** Changed in: s390-tools-signed (Ubuntu Focal)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

Hi Marc,
I've added f5744b95db9, but I unfortunately still get the build errors:
https://launchpadlibrarian.net/724893134/buildlog_ubuntu-focal-s390x.s390-tools_2.12.0-0ubuntu3.9_BUILDING.txt.gz
(search for "error:")

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

** Description changed:

  SRU Justification:
  
  [ Impact ]
  
-  * Symptom:
+  * Symptom:
  
-* There is an issue with the Secure Execution (SE) tooling,
-  especially the new IBM host-key subject locality,
-  that leads to the fact that on April 24 (z15) / March 29 (z16)
-  users will notice that the tooling for Secure execution will no
-  longer detect that the provided IBM signing key for that generation
-  is a valid IBM signing key.
+    * There is an issue with the Secure Execution (SE) tooling,
+  especially the new IBM host-key subject locality,
+  that leads to the fact that on April 24 (z15) / March 29 (z16)
+  users will notice that the tooling for Secure execution will no
+  longer detect that the provided IBM signing key for that generation
+  is a valid IBM signing key.
  
-* The error message will contain "no IBM signing key found" or similar.
-  The respective tool will reject creating an encrypted request/image
-  as it could not verify the host-key for its validity.
+    * The error message will contain "no IBM signing key found" or similar.
+  The respective tool will reject creating an encrypted request/image
+  as it could not verify the host-key for its validity.
  
-* This affects the genprotimg, pvattest, and pvsecret tools.
-  (Please notice that these tools got introduced over time with different
-   s390-tools versions that belong to different Ubuntu releases).
+    * This affects the genprotimg, pvattest, and pvsecret tools.
+  (Please notice that these tools got introduced over time with different
+   s390-tools versions that belong to different Ubuntu releases).
  
-  * Problem:
+  * Problem:
  
-* The new IBM signing keys no longer contain 'Poughkeepsie' as
-  'subject locality' and 'Armonk' is used.
+    * The new IBM signing keys no longer contain 'Poughkeepsie' as
+  'subject locality' and 'Armonk' is used.
  
-* The SE tooling checks, beside other things, for the subject in the
-  IBM signing key.
+    * The SE tooling checks, beside other things, for the subject in the
+  IBM signing key.
  
-* If the subject is not the expected one, the certificate is not
-  recognized as a valid IBM signing key.
-  And without a valid IBM signing key, the host-key verification
-  cannot succeed and users cannot build trustable SE images and
-  attestation or add-secret requests.
+    * If the subject is not the expected one, the certificate is not
+  recognized as a valid IBM signing key.
+  And without a valid IBM signing key, the host-key verification
+  cannot succeed and users cannot build trustable SE images and
+  attestation or add-secret requests.
  
-  * Solution:
+  * Solution:
  
-* Mitigations are available upstream.
+    * Mitigations are available upstream.
  
-* The fixes allow Armonk as additional locality in the subject
-  and allow potential mismatches in the locality of revocation list
-  or host-key issuer subject that may still contain Poughkeepsie
-  instead of Armonk.
+    * The fixes allow Armonk as additional locality in the subject
+  and allow potential mismatches in the locality of revocation list
+  or host-key issuer subject that may still contain Poughkeepsie
+  instead of Armonk.
  
  [ Test Plan ]
  
-  * 
+  * The testing is required for all three affected tools:
+    genprotimg, pvattest, and pvsecret
  
-  * The testing is required for all three affected tools:
-genprotimg, pvattest, and pvsecret
+  * Obtain a (z15) Host-key document e.g. via the official channel
+see: 
https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document
  
-  * Without the fixed code, but with the new IBM signing keys 
-(that have 'Armonk' as 'subject locality'), users will get a msgs like:
-"no IBM signing key found"
-and the validation will fail.
+  * Get a signing key (z15) + intermediate certificate
+see: 
https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document
  
-  * With the patches included, the validation will succeed.
+  * (optional) verify that the signing key is a new one
+check for: Locality Armonk
+$ openssl x509 -text -in international_business_machines_corporation.crt | 
grep Subject
+Subject: C = US, ST = New York, L = Armonk, O = International Business 
Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International 
Business Machines Corporation
+Here "L" **must** be Armonk, and not Poughkeepsie!
+ 
+  * Run the tools (if available, depends on the s390-tools version):
+The fixed tools will accept the cert chain and exit with exit code 0
+and the output generated.
+The non-fixed will print n error message, abort, and report exit != 0
+ 
+  * $ genprotimg: genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k 
~/hostkey.crt --cert 

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

For focal the commit d14e7593cc6
(https://github.com/ibm-s390-linux/s390-tools/commit/d14e7593cc6380911ca42b09e11c53477ae13d5c)
does not properly build and the logs show a few errors:
https://launchpadlibrarian.net/723098720/buildlog_ubuntu-focal-s390x.s390-tools_2.12.0-0ubuntu3.8_BUILDING.txt.gz
(search for "error:")
"
utils/crypto.c: In function ‘x509_armonk_locality_fixup’:
utils/crypto.c:770:22: error: passing argument 1 of ‘X509_NAME_dup’ discards 
‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
  770 |  ret = X509_NAME_dup(name);
  |  ^~~~
In file included from /usr/include/openssl/pem.h:17,
 from utils/crypto.c:17:
/usr/include/openssl/x509.h:482:12: note: expected ‘X509_NAME *’ {aka ‘struct 
X509_name_st *’} but argument is of type ‘const X509_NAME *’ {aka ‘const struct 
X509_name_st *’}
  482 | X509_NAME *X509_NAME_dup(X509_NAME *xn);
  |^
utils/crypto.c: In function ‘quirk_X509_STORE_ctx_get1_crls’:
utils/crypto.c:888:8: error: implicit declaration of function 
‘Pv_X509_STORE_CTX_get1_crls’; did you mean ‘X509_STORE_CTX_get1_crls’? 
[-Werror=implicit-function-declaration]
  888 |  ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject);
  |^~~
  |X509_STORE_CTX_get1_crls
utils/crypto.c:888:8: error: nested extern declaration of 
‘Pv_X509_STORE_CTX_get1_crls’ [-Werror=nested-externs]
utils/crypto.c:888:6: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka 
‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a 
cast [-Werror=int-conversion]
  888 |  ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject);
  |  ^
utils/crypto.c:902:7: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka 
‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a 
cast [-Werror=int-conversion]
  902 |   ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
  |   ^
utils/crypto.c:913:7: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka 
‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a 
cast [-Werror=int-conversion]
  913 |   ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
  |   ^
utils/crypto.c:925:6: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka 
‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a 
cast [-Werror=int-conversion]
  925 |  ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
  |  ^
"
and
"
utils/crypto.c: In function ‘x509_armonk_locality_fixup’:
utils/crypto.c:770:22: error: passing argument 1 of ‘X509_NAME_dup’ discards 
‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
  770 |  ret = X509_NAME_dup(name);
  |  ^~~~
In file included from /usr/include/openssl/pem.h:17,
 from utils/crypto.c:17:
/usr/include/openssl/x509.h:482:12: note: expected ‘X509_NAME *’ {aka ‘struct 
X509_name_st *’} but argument is of type ‘const X509_NAME *’ {aka ‘const struct 
X509_name_st *’}
  482 | X509_NAME *X509_NAME_dup(X509_NAME *xn);
  |^
utils/crypto.c: In function ‘quirk_X509_STORE_ctx_get1_crls’:
utils/crypto.c:888:8: error: implicit declaration of function 
‘Pv_X509_STORE_CTX_get1_crls’; did you mean ‘X509_STORE_CTX_get1_crls’? 
[-Werror=implicit-function-declaration]
  888 |  ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject);
  |^~~
  |X509_STORE_CTX_get1_crls
utils/crypto.c:888:8: error: nested extern declaration of 
‘Pv_X509_STORE_CTX_get1_crls’ [-Werror=nested-externs]
utils/crypto.c:888:6: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka 
‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a 
cast [-Werror=int-conversion]
  888 |  ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject);
  |  ^
utils/crypto.c:902:7: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka 
‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a 
cast [-Werror=int-conversion]
  902 |   ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
  |   ^
utils/crypto.c:913:7: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka 
‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a 
cast [-Werror=int-conversion]
  913 |   ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
  |   ^
utils/crypto.c:925:6: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka 
‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a 
cast [-Werror=int-conversion]
  925 |  ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
  |  ^
utils/crypto.c: In function ‘x509_armonk_locality_fixup’:
utils/crypto.c:770:22: error: passing argument 1 of ‘X509_NAME_dup’ discards 
‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
  770 |  ret = X509_NAME_dup(name);
  |  ^~~~
In file included 

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

s390-tools and s390-tools-signed debdiffs for 22.04/jammy

** Attachment added: "debdiff_jammy.tgz"
   
https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/2059303/+attachment/5765796/+files/debdiff_jammy.tgz

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

Hi Steffen,
many thanks for the tests, that's highly appreciated!

I'm glad to see that we are fine with noble, mantic and jammy.
It was btw. good to pick the version from the noble archive, since it's in 
beta).
(And btw. we usually do not alter DISTRELEASE in common.mak.)

I'm uploading first of all the debdiffs for mantic and jammy (to not loose much 
time),
and will investigate focal in a bit...

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

s390-tools and s390-tools-signed debdiffs for 23.10/mantic

** Attachment added: "debdiff_mantic.tgz"
   
https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/2059303/+attachment/5765782/+files/debdiff_mantic.tgz

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

** Changed in: ubuntu-z-systems
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[bugproxy]

** Tags removed: targetmilestone-inin---
** Tags added: targetmilestone-inin2004

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Launchpad Bug Tracker]

This bug was fixed in the package s390-tools-signed - 2.31.0-0ubuntu5

---
s390-tools-signed (2.31.0-0ubuntu5) noble; urgency=medium

  * Rebuild against 2.31.0-0ubuntu5 (LP: #2058944, LP: #2059303)

 -- Frank Heimes   Tue, 02 Apr 2024 12:55:52
+0200

** Changed in: s390-tools-signed (Ubuntu Noble)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Launchpad Bug Tracker]

This bug was fixed in the package s390-tools - 2.31.0-0ubuntu5

---
s390-tools (2.31.0-0ubuntu5) noble; urgency=medium

  * Add the following commits as patches:
- d/p/lp-2059303-rust-pv-test-Code-Certificate-refactoring.patch
  (excluded patching binary files rust/pv/tests/assets/cert/der.crl and
   rust/pv/tests/assets/cert/der.crt, which is not supported by quilt
   - these files are needed for testing only)
- d/p/lp-2059303-rust-pv-Support-Armonk-in-IBM-signing-key-subject.patch
- d/p/lp-2059303-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch
- d/p/lp-2059303-libpv-Support-Armonk-in-IBM-signing-key-subject.patch
- d/p/lp-2059303-pvattest-Fix-root-ca-parsing.patch
to fix Secure Execution tooling and accept new IBM host-key
subject locality. LP: #2059303
  * Add d/p/lp-2058944-dbginfo.sh-dash-compatible-copy-sequence.patch
to fix dash incompatibility in dbginfo.sh. LP: #2058944

 -- Frank Heimes   Tue, 02 Apr 2024 12:45:30
+0200

** Changed in: s390-tools (Ubuntu Noble)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

Hi Steffen,
thanks for checking the updated packages.
Indeed, I had to restart the build of the s390-tools-signed packages for 
mantic/23.10, /jammy/22.04 and focal/20.04.
These build will be complete in an hour or so (so well before Monday).

Since the updates need to be done starting with the newest to oldest, a
test on noble/24.04 would be most important.

Do you have a mantic/23.10 or jammy/22.04 test system over?
In this case you should be able to upgrade to noble/24.04 in just a few minutes.

First of all ensure that your current system (mantic or jammy) is up-to-
date with:

sudo apt update && && sudo apt full-upgrade
(with a potential reboot)

You should then be able to upgrade with:
sudo do-release-upgrade -d

(or in case you are brave enough - but on a test/dev system ;-) :
sudo do-release-upgrade --quiet --devel-release 
--frontend=DistUpgradeViewNonInteractive && sudo reboot )

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

Builds finally completed:
noble: https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303
mantic, jammy, focal: https://launchpad.net/~fheimes/+archive/ubuntu/test

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

** Description changed:

+ SRU Justification:
+ 
+ [ Impact ]
+ 
+  * Symptom:
+ 
+* There is an issue with the Secure Execution (SE) tooling,
+  especially the new IBM host-key subject locality,
+  that leads to the fact that on April 24 (z15) / March 29 (z16)
+  users will notice that the tooling for Secure execution will no
+  longer detect that the provided IBM signing key for that generation
+  is a valid IBM signing key.
+ 
+* The error message will contain "no IBM signing key found" or similar.
+  The respective tool will reject creating an encrypted request/image
+  as it could not verify the host-key for its validity.
+ 
+* This affects the genprotimg, pvattest, and pvsecret tools.
+  (Please notice that these tools got introduced over time with different
+   s390-tools versions that belong to different Ubuntu releases).
+ 
+  * Problem:
+ 
+* The new IBM signing keys no longer contain 'Poughkeepsie' as
+  'subject locality' and 'Armonk' is used.
+ 
+* The SE tooling checks, beside other things, for the subject in the
+  IBM signing key.
+ 
+* If the subject is not the expected one, the certificate is not
+  recognized as a valid IBM signing key.
+  And without a valid IBM signing key, the host-key verification
+  cannot succeed and users cannot build trustable SE images and
+  attestation or add-secret requests.
+ 
+  * Solution:
+ 
+* Mitigations are available upstream.
+ 
+* The fixes allow Armonk as additional locality in the subject
+  and allow potential mismatches in the locality of revocation list
+  or host-key issuer subject that may still contain Poughkeepsie
+  instead of Armonk.
+ 
+ [ Test Plan ]
+ 
+  * 
+ 
+  * The testing is required for all three affected tools:
+genprotimg, pvattest, and pvsecret
+ 
+  * Without the fixed code, but with the new IBM signing keys 
+(that have 'Armonk' as 'subject locality'), users will get a msgs like:
+"no IBM signing key found"
+and the validation will fail.
+ 
+  * With the patches included, the validation will succeed.
+ 
+ [ Where problems could occur ]
+ 
+  * The tools genprotimg, pvattest, and pvsecret tools are affected.
+Since they got introduced over time with different s390-tools versions
+that belong to different Ubuntu releases, it's important to figure out the
+commits/patches that are required for each release.
+ 
+  * The refactoring commit f6c6f0cc712433221fb0588c754e0d09884453dd
+("rust/pv/test: Code + Certificate refactoring") is needed
+for noble and mantic, but needs several adjustments due to context changes.
+The code could be negatively affected and the build might even break.
+(A test build in PPA mitigates such issues.)
+ 
+  * As host host-key issuer subject now Poughkeepsie and Armonk is allowed.
+If the conditional statements are not properly coded, either Poughkeepsie
+or Armonk might be allowed, which would fails in case the opposite is used.
+(Testing if the IBM signing key is valid will mitigate this.)
+ 
+  * In worst case a broken detection of the host-key issuer subject may lead
+to positive validations, regardless of the subject content.
+(Testing if the IBM signing key is valid will mitigate this.)
+ 
+  * A test build for all affected Ubuntu releases (N, M, J and F) succeeded
+and is available via this PPA:
+https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303
+ 
+  * These test packages will be pre-tested by IBM.
+ 
+  * This affected Secure Execution (SE) functionality only on s390x.
+No other tools that are part of the s390-tools packages are affected
+(or got modified in any way).
+ 
+ [ Other Info ]
+  
+  * Secure Execution (SE) was introduced with in Ubuntu Server for s390x
+with 20.04 LTS, hence 20.04 LTS and higher is affected.
+ 
+  * And with that the s390-tools versions that are still in service:
+2.12.0-0ubuntu3.7  | focal-updates
+2.20.0-0ubuntu3.2  | jammy-updates
+2.29.0-0ubuntu2.1  | mantic-updates
+2.30.0-0ubuntu1 | noble-updates / 2.31.0-0ubuntu4 | noble-proposed
+ 
+  * The following commits / patches need to be applied to the following
+s390-tools versions:
+* f6c6f0cc712433221fb0588c754e0d09884453dd
+  ("rust/pv/test: Code + Certificate refactoring")
+  to noble, mantic 
+* 1a3d0b74f7819f5e087e6ecbf3ec879a05a88bbc
+  ("rust/pv: Support `Armonk` in IBM signing key subject")
+  to noble, mantic 
+* d14e7593cc6380911ca42b09e11c53477ae13d5c
+  ("genprotimg: support `Armonk` in IBM signing key subject")
+  to noble, mantic, jammy, focal
+* d7c95265cdb6217b0203efa5893c3a27838af63c
+  ("libpv: Support `Armonk` in IBM signing key subject")
+  to noble, mantic, jammy
+* 2b5e7b049123aff094c7de79ba57a5df09471b2e
+  ("pvattest: Fix root-ca parsing")
+  to noble, mantic, jammy
+ __
+ 
  Description: SE-tooling: New IBM 

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

Meanwhile I've navigated through the challenges in noble and have a successful 
PPA build here:
launchpad.net/~fheimes/+archive/ubuntu/lp2059303
and the s390-tools and the s390-tools-signed debdiffs attached.

** Attachment added: "debdiffs.tgz"
   
https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/2059303/+attachment/5761332/+files/debdiffs.tgz

** Changed in: s390-tools (Ubuntu Noble)
 Assignee: (unassigned) => Frank Heimes (fheimes)

** Changed in: s390-tools-signed (Ubuntu Noble)
 Assignee: (unassigned) => Frank Heimes (fheimes)

** Changed in: s390-tools (Ubuntu Noble)
   Status: New => In Progress

** Changed in: s390-tools-signed (Ubuntu Noble)
   Status: New => In Progress

** Changed in: s390-tools-signed (Ubuntu Noble)
   Importance: Undecided => High

** Changed in: s390-tools (Ubuntu Noble)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

Well, I already had a hard time to get the requested commits applied to
noble (which is on 2.31.0).

I figured out that:
1) commit f6c6f0cc712433221fb0588c754e0d09884453dd ("rust/pv/test: Code + 
Certificate refactoring") is needed on top as pre-requisite, otherwise the 
other patches do not apply.
2) the commit id for ("libpv: Support `Armonk` in IBM signing key subject") is 
d7c95265cdb6217b0203efa5893c3a27838af63c (and not 
5e1cb58a21ae0707d1993de3c8fc078c5cffed88 - this commit id does not exist in 
upstream master)
3) the commit id for ("pvattest: Fix root-ca parsing") is 
2b5e7b049123aff094c7de79ba57a5df09471b2e (and not 
a54daf459e7504c0f42d3eb028100b7ab07894ff - again this commit id does not exist 
in upstream master).

I'm really wondering if it wouldn't be best to have a new minor version
tagged upstream (like a 2.31.1) that includes everything needed, since I
can't patch binary files with quilt (rust/pv/tests/assets/cert/der.crl
and rust/pv/tests/assets/cert/der.crt), hence had to skip these hunks.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

** Also affects: s390-tools (Ubuntu Mantic)
   Importance: Undecided
   Status: New

** Also affects: s390-tools-signed (Ubuntu Mantic)
   Importance: Undecided
   Status: New

** Also affects: s390-tools (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: s390-tools-signed (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: s390-tools (Ubuntu Noble)
   Importance: Undecided
   Status: New

** Also affects: s390-tools-signed (Ubuntu Noble)
   Importance: Undecided
   Status: New

** Also affects: s390-tools (Ubuntu Jammy)
   Importance: Undecided
   Status: New

** Also affects: s390-tools-signed (Ubuntu Jammy)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

[Frank Heimes]

** Package changed: linux (Ubuntu) => s390-tools (Ubuntu)

** Also affects: s390-tools-signed (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: ubuntu-z-systems
   Importance: Undecided
   Status: New

** Changed in: ubuntu-z-systems
 Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)

** Changed in: s390-tools (Ubuntu)
 Assignee: Skipper Bug Screeners (skipper-screen-team) => (unassigned)

** Changed in: ubuntu-z-systems
   Importance: Undecided => Critical

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs