[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
** Changed in: ubuntu-z-systems Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
This bug was fixed in the package s390-tools-signed - 2.12.0-0ubuntu3.8 --- s390-tools-signed (2.12.0-0ubuntu3.8) focal; urgency=medium * Rebuild against 2.12.0-0ubuntu3.8 (LP: #2059303) -- Frank Heimes Mon, 15 Apr 2024 20:57:27 +0200 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
This bug was fixed in the package s390-tools - 2.12.0-0ubuntu3.8 --- s390-tools (2.12.0-0ubuntu3.8) focal; urgency=medium * Add d/p/lp2059303-genprotimg-support-Armonk-in-IBM-signing-key.patch to fix Secure Execution tooling and accept new IBM host-key subject locality. (LP: #2059303) * And add d/p/debian/patches/lp-2059303-genprotimg-Fix-build-with-OpenSSL-1.1.patch to fix "discards 'const' qualifier" build issue with OpenSSL 1.1 and d/p/lp2059303-genprotimg-add-OpenSSL-3.0-support.patch d/p/lp-2059303-genprotimg-crypto-use-X509_get0_not-After-Before.patch as pre-requirement. -- Frank Heimes Wed, 03 Apr 2024 16:10:48 +0200 ** Changed in: s390-tools-signed (Ubuntu Focal) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
This bug was fixed in the package s390-tools-signed - 2.20.0-0ubuntu3.3 --- s390-tools-signed (2.20.0-0ubuntu3.3) jammy; urgency=medium * Rebuild against 2.20.0-0ubuntu3.3 (LP: #2059303) -- Frank Heimes Mon, 15 Apr 2024 20:33:10 +0200 ** Changed in: s390-tools (Ubuntu Focal) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
This bug was fixed in the package s390-tools - 2.20.0-0ubuntu3.3 --- s390-tools (2.20.0-0ubuntu3.3) jammy; urgency=medium * Add the following commits as patches: - d/p/lp-2059303-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch - d/p/lp-2059303-libpv-Support-Armonk-in-IBM-signing-key-subject.patch - d/p/lp-2059303-pvattest-Fix-root-ca-parsing.patch to fix Secure Execution tooling and accept new IBM host-key subject locality. LP: #2059303 -- Frank Heimes Wed, 03 Apr 2024 15:46:42 +0200 ** Changed in: s390-tools (Ubuntu Jammy) Status: Fix Committed => Fix Released ** Changed in: s390-tools-signed (Ubuntu Jammy) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
This bug was fixed in the package s390-tools-signed - 2.29.0-0ubuntu2.2 --- s390-tools-signed (2.29.0-0ubuntu2.2) mantic; urgency=medium * Rebuild against 2.29.0-0ubuntu2.2 (LP: #2059303) -- Frank Heimes Mon, 15 Apr 2024 20:13:31 +0200 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
This bug was fixed in the package s390-tools - 2.29.0-0ubuntu2.2 --- s390-tools (2.29.0-0ubuntu2.2) mantic; urgency=medium * Add the following commits as patches: - d/p/lp-2059303-rust-pv-test-Code-Certificate-refactoring.patch (excluded patching binary files rust/pv/tests/assets/cert/der.crl and rust/pv/tests/assets/cert/der.crt, which is not supported by quilt - these files are needed for testing only) - d/p/lp-2059303-rust-pv-Support-Armonk-in-IBM-signing-key-subject.patch - d/p/lp-2059303-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch - d/p/lp-2059303-libpv-Support-Armonk-in-IBM-signing-key-subject.patch - d/p/lp-2059303-pvattest-Fix-root-ca-parsing.patch to fix Secure Execution tooling and accept new IBM host-key subject locality. LP: #2059303 -- Frank Heimes Wed, 03 Apr 2024 12:40:19 +0200 ** Changed in: s390-tools (Ubuntu Mantic) Status: Fix Committed => Fix Released ** Changed in: s390-tools-signed (Ubuntu Mantic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
Thank you Steffen once again! I'm updating the tags accordingly ... ** Tags removed: verification-needed verification-needed-focal verification-needed-jammy verification-needed-mantic ** Tags added: verification-done verification-done-focal verification-done-jammy verification-done-mantic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
** Changed in: ubuntu-z-systems Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
Hello bugproxy, or anyone else affected, Accepted s390-tools-signed into mantic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools- signed/2.29.0-0ubuntu2.2 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- mantic to verification-done-mantic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-mantic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: s390-tools-signed (Ubuntu Mantic) Status: In Progress => Fix Committed ** Changed in: s390-tools-signed (Ubuntu Jammy) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
Hello bugproxy, or anyone else affected, Accepted s390-tools into mantic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/2.29.0-0ubuntu2.2 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- mantic to verification-done-mantic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-mantic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: s390-tools (Ubuntu Mantic) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-mantic ** Changed in: s390-tools (Ubuntu Jammy) Status: In Progress => Fix Committed ** Tags added: verification-needed-jammy -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
Hi @seth-arnold, I am not in-depth familiar with security related updates (since they happen rarely for me, and if private-security are handled by the security team anyway). " My assumption is that these package updates should be published first to -updates for autopkgtest testing, and once they have passed testing and phased to users, then we should republish these updates to -security so that they are available to all users. Does this sound correct? " There are no autopkgtests (for historical reasons and since lot's of functions in that package req. the hw to be configured in a certain way, which cannot guaranteed by the build systems), but the packages get (and already got) already manually tested upfront, with focus on the changes (according to test plan in SRU justification). " This is much easier to execute if the updates have been built in a PPA with only -security enabled, and not -updates. (The -security pocket is built with only packages from -release and -security, not -updates.) Do packages built in such a PPA exist? " I've now kicked off build in a -security only PPA here: https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303-sec (so yes, they build there, but it'll take a while until published) " The SRU workflow asks for packages to be either uploaded with dput to the queue or debdiffs provided. I see some debdiffs here, but some additional work was performed after most of the debdiffs were uploaded. " The changes are some broken URL references in some quilt patch headers, I've fixed those. " Are the posted debdiffs something that the SRU team should work with? The Ubuntu Sponsors team was added around three weeks ago, before much of the work was done, it's entirely possible that this has fallen off their radar as a result. (And, the general hustle of responding to the xz-utils issue, release time goals, etc.) " I think the debdiffs should be taken (as usual). It's difficult to get SRUs processed around release times. One concern I have is that copying the packages might not work, since there is a bootloader component that is signed, and the signing key is based on the location where the package is build. Hence a package build in PPA will be signed with the PPA key and not with the official ('production') key and so copying it over from PPA to archive will probably mess up things. So I believe the debdiffs need to be the base for an upload (by a sponsor), then build for the archives (that will ensure signing with the proper key), then published on -proposed, verified there and then eventually released. (I'm attaching the debdiffs again, with fixed urls) ** Attachment added: "debdiffs.tgz" https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/2059303/+attachment/5769649/+files/debdiffs.tgz -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
I've been asked to try to help these updates along; I'm not on the SRU team so I can't give concrete directions, only suggestions. My assumption is that these package updates should be published first to -updates for autopkgtest testing, and once they have passed testing and phased to users, then we should republish these updates to -security so that they are available to all users. Does this sound correct? This is much easier to execute if the updates have been built in a PPA with only -security enabled, and not -updates. (The -security pocket is built with only packages from -release and -security, not -updates.) Do packages built in such a PPA exist? The SRU workflow asks for packages to be either uploaded with dput to the queue or debdiffs provided. I see some debdiffs here, but some additional work was performed after most of the debdiffs were uploaded. Are the posted debdiffs something that the SRU team should work with? The Ubuntu Sponsors team was added around three weeks ago, before much of the work was done, it's entirely possible that this has fallen off their radar as a result. (And, the general hustle of responding to the xz-utils issue, release time goals, etc.) So, with the reminder that I'm not on the SRU team, I think the next steps should be: - prepare a PPA with only -security enabled - build packages - ask SRU team to move the packages to -proposed and see how autopkgtests go - phase the update - ask the security team to binary copy the packages to -security once it's proven in the field What do you think? Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
** Description changed: SRU Justification: [ Impact ] * Symptom: * There is an issue with the Secure Execution (SE) tooling, especially the new IBM host-key subject locality, that leads to the fact that on April 24 (z15) / March 29 (z16) users will notice that the tooling for Secure execution will no longer detect that the provided IBM signing key for that generation is a valid IBM signing key. * The error message will contain "no IBM signing key found" or similar. The respective tool will reject creating an encrypted request/image as it could not verify the host-key for its validity. * This affects the genprotimg, pvattest, and pvsecret tools. (Please notice that these tools got introduced over time with different s390-tools versions that belong to different Ubuntu releases). * Problem: * The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject locality' and 'Armonk' is used. * The SE tooling checks, beside other things, for the subject in the IBM signing key. * If the subject is not the expected one, the certificate is not recognized as a valid IBM signing key. And without a valid IBM signing key, the host-key verification cannot succeed and users cannot build trustable SE images and attestation or add-secret requests. * Solution: * Mitigations are available upstream. * The fixes allow Armonk as additional locality in the subject and allow potential mismatches in the locality of revocation list or host-key issuer subject that may still contain Poughkeepsie instead of Armonk. [ Test Plan ] * The testing is required for all three affected tools: genprotimg, pvattest, and pvsecret - * Obtain a (z15) Host-key document e.g. via the official channel -see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document + * Obtain a (z15) Host-key document e.g. via the official channel + see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document - * Get a signing key (z15) + intermediate certificate -see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document + * Get a signing key (z15) + intermediate certificate + see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document - * (optional) verify that the signing key is a new one -check for: Locality Armonk -$ openssl x509 -text -in international_business_machines_corporation.crt | grep Subject -Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International Business Machines Corporation -Here "L" **must** be Armonk, and not Poughkeepsie! + * (optional) verify that the signing key is a new one + check for: Locality Armonk + $ openssl x509 -text -in international_business_machines_corporation.crt | grep Subject + Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International Business Machines Corporation + Here "L" **must** be Armonk, and not Poughkeepsie! - * Run the tools (if available, depends on the s390-tools version): -The fixed tools will accept the cert chain and exit with exit code 0 -and the output generated. -The non-fixed will print n error message, abort, and report exit != 0 + * Run the tools (if available, depends on the s390-tools version): + The fixed tools will accept the cert chain and exit with exit code 0 + and the output generated. + The non-fixed will print n error message, abort, and report exit != 0 - * $ genprotimg: genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt -# BEFORE_FIX: -Failed to verify host-key document: please specify at least one IBM Z signing key -# AFTER_FIX: -# exit code 0 + * $ genprotimg: genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt + # BEFORE_FIX: + Failed to verify host-key document: please specify at least one IBM Z signing key + # AFTER_FIX: + # exit code 0 - * $ pvattest create -VVV -o tmp --arpk arpk -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt -# BEFORE_FIX: -ERROR: Creating the attestation request failed: -Specify at least one IBM Z signing key -# AFTER_FIX: -# exit code 0 + * $ pvattest create -VVV -o tmp --arpk arpk -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt + # BEFORE_FIX: + ERROR: Creating the attestation request failed: +
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
Cool, thanks a lot Steffen! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
Marc and me, we had a side discussion and finally found the missing commits and have a proper build for focal. The build is available here: https://launchpad.net/~fheimes/+archive/ubuntu/lp205930 and the debdiff(s) attached. ** Attachment added: "debdiff_focal.tgz" https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/2059303/+attachment/5766321/+files/debdiff_focal.tgz ** Changed in: s390-tools (Ubuntu Focal) Status: Incomplete => In Progress ** Changed in: s390-tools-signed (Ubuntu Focal) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
Hi Marc, I've added f5744b95db9, but I unfortunately still get the build errors: https://launchpadlibrarian.net/724893134/buildlog_ubuntu-focal-s390x.s390-tools_2.12.0-0ubuntu3.9_BUILDING.txt.gz (search for "error:") -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
** Description changed: SRU Justification: [ Impact ] - * Symptom: + * Symptom: -* There is an issue with the Secure Execution (SE) tooling, - especially the new IBM host-key subject locality, - that leads to the fact that on April 24 (z15) / March 29 (z16) - users will notice that the tooling for Secure execution will no - longer detect that the provided IBM signing key for that generation - is a valid IBM signing key. + * There is an issue with the Secure Execution (SE) tooling, + especially the new IBM host-key subject locality, + that leads to the fact that on April 24 (z15) / March 29 (z16) + users will notice that the tooling for Secure execution will no + longer detect that the provided IBM signing key for that generation + is a valid IBM signing key. -* The error message will contain "no IBM signing key found" or similar. - The respective tool will reject creating an encrypted request/image - as it could not verify the host-key for its validity. + * The error message will contain "no IBM signing key found" or similar. + The respective tool will reject creating an encrypted request/image + as it could not verify the host-key for its validity. -* This affects the genprotimg, pvattest, and pvsecret tools. - (Please notice that these tools got introduced over time with different - s390-tools versions that belong to different Ubuntu releases). + * This affects the genprotimg, pvattest, and pvsecret tools. + (Please notice that these tools got introduced over time with different + s390-tools versions that belong to different Ubuntu releases). - * Problem: + * Problem: -* The new IBM signing keys no longer contain 'Poughkeepsie' as - 'subject locality' and 'Armonk' is used. + * The new IBM signing keys no longer contain 'Poughkeepsie' as + 'subject locality' and 'Armonk' is used. -* The SE tooling checks, beside other things, for the subject in the - IBM signing key. + * The SE tooling checks, beside other things, for the subject in the + IBM signing key. -* If the subject is not the expected one, the certificate is not - recognized as a valid IBM signing key. - And without a valid IBM signing key, the host-key verification - cannot succeed and users cannot build trustable SE images and - attestation or add-secret requests. + * If the subject is not the expected one, the certificate is not + recognized as a valid IBM signing key. + And without a valid IBM signing key, the host-key verification + cannot succeed and users cannot build trustable SE images and + attestation or add-secret requests. - * Solution: + * Solution: -* Mitigations are available upstream. + * Mitigations are available upstream. -* The fixes allow Armonk as additional locality in the subject - and allow potential mismatches in the locality of revocation list - or host-key issuer subject that may still contain Poughkeepsie - instead of Armonk. + * The fixes allow Armonk as additional locality in the subject + and allow potential mismatches in the locality of revocation list + or host-key issuer subject that may still contain Poughkeepsie + instead of Armonk. [ Test Plan ] - * + * The testing is required for all three affected tools: + genprotimg, pvattest, and pvsecret - * The testing is required for all three affected tools: -genprotimg, pvattest, and pvsecret + * Obtain a (z15) Host-key document e.g. via the official channel +see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document - * Without the fixed code, but with the new IBM signing keys -(that have 'Armonk' as 'subject locality'), users will get a msgs like: -"no IBM signing key found" -and the validation will fail. + * Get a signing key (z15) + intermediate certificate +see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document - * With the patches included, the validation will succeed. + * (optional) verify that the signing key is a new one +check for: Locality Armonk +$ openssl x509 -text -in international_business_machines_corporation.crt | grep Subject +Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International Business Machines Corporation +Here "L" **must** be Armonk, and not Poughkeepsie! + + * Run the tools (if available, depends on the s390-tools version): +The fixed tools will accept the cert chain and exit with exit code 0 +and the output generated. +The non-fixed will print n error message, abort, and report exit != 0 + + * $ genprotimg: genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k ~/hostkey.crt --cert
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
For focal the commit d14e7593cc6 (https://github.com/ibm-s390-linux/s390-tools/commit/d14e7593cc6380911ca42b09e11c53477ae13d5c) does not properly build and the logs show a few errors: https://launchpadlibrarian.net/723098720/buildlog_ubuntu-focal-s390x.s390-tools_2.12.0-0ubuntu3.8_BUILDING.txt.gz (search for "error:") " utils/crypto.c: In function ‘x509_armonk_locality_fixup’: utils/crypto.c:770:22: error: passing argument 1 of ‘X509_NAME_dup’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers] 770 | ret = X509_NAME_dup(name); | ^~~~ In file included from /usr/include/openssl/pem.h:17, from utils/crypto.c:17: /usr/include/openssl/x509.h:482:12: note: expected ‘X509_NAME *’ {aka ‘struct X509_name_st *’} but argument is of type ‘const X509_NAME *’ {aka ‘const struct X509_name_st *’} 482 | X509_NAME *X509_NAME_dup(X509_NAME *xn); |^ utils/crypto.c: In function ‘quirk_X509_STORE_ctx_get1_crls’: utils/crypto.c:888:8: error: implicit declaration of function ‘Pv_X509_STORE_CTX_get1_crls’; did you mean ‘X509_STORE_CTX_get1_crls’? [-Werror=implicit-function-declaration] 888 | ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject); |^~~ |X509_STORE_CTX_get1_crls utils/crypto.c:888:8: error: nested extern declaration of ‘Pv_X509_STORE_CTX_get1_crls’ [-Werror=nested-externs] utils/crypto.c:888:6: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion] 888 | ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject); | ^ utils/crypto.c:902:7: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion] 902 | ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); | ^ utils/crypto.c:913:7: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion] 913 | ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); | ^ utils/crypto.c:925:6: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion] 925 | ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); | ^ " and " utils/crypto.c: In function ‘x509_armonk_locality_fixup’: utils/crypto.c:770:22: error: passing argument 1 of ‘X509_NAME_dup’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers] 770 | ret = X509_NAME_dup(name); | ^~~~ In file included from /usr/include/openssl/pem.h:17, from utils/crypto.c:17: /usr/include/openssl/x509.h:482:12: note: expected ‘X509_NAME *’ {aka ‘struct X509_name_st *’} but argument is of type ‘const X509_NAME *’ {aka ‘const struct X509_name_st *’} 482 | X509_NAME *X509_NAME_dup(X509_NAME *xn); |^ utils/crypto.c: In function ‘quirk_X509_STORE_ctx_get1_crls’: utils/crypto.c:888:8: error: implicit declaration of function ‘Pv_X509_STORE_CTX_get1_crls’; did you mean ‘X509_STORE_CTX_get1_crls’? [-Werror=implicit-function-declaration] 888 | ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject); |^~~ |X509_STORE_CTX_get1_crls utils/crypto.c:888:8: error: nested extern declaration of ‘Pv_X509_STORE_CTX_get1_crls’ [-Werror=nested-externs] utils/crypto.c:888:6: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion] 888 | ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject); | ^ utils/crypto.c:902:7: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion] 902 | ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); | ^ utils/crypto.c:913:7: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion] 913 | ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); | ^ utils/crypto.c:925:6: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion] 925 | ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); | ^ utils/crypto.c: In function ‘x509_armonk_locality_fixup’: utils/crypto.c:770:22: error: passing argument 1 of ‘X509_NAME_dup’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers] 770 | ret = X509_NAME_dup(name); | ^~~~ In file included
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
s390-tools and s390-tools-signed debdiffs for 22.04/jammy ** Attachment added: "debdiff_jammy.tgz" https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/2059303/+attachment/5765796/+files/debdiff_jammy.tgz -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
Hi Steffen, many thanks for the tests, that's highly appreciated! I'm glad to see that we are fine with noble, mantic and jammy. It was btw. good to pick the version from the noble archive, since it's in beta). (And btw. we usually do not alter DISTRELEASE in common.mak.) I'm uploading first of all the debdiffs for mantic and jammy (to not loose much time), and will investigate focal in a bit... -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
s390-tools and s390-tools-signed debdiffs for 23.10/mantic ** Attachment added: "debdiff_mantic.tgz" https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/2059303/+attachment/5765782/+files/debdiff_mantic.tgz -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
** Changed in: ubuntu-z-systems Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
** Tags removed: targetmilestone-inin--- ** Tags added: targetmilestone-inin2004 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
This bug was fixed in the package s390-tools-signed - 2.31.0-0ubuntu5 --- s390-tools-signed (2.31.0-0ubuntu5) noble; urgency=medium * Rebuild against 2.31.0-0ubuntu5 (LP: #2058944, LP: #2059303) -- Frank Heimes Tue, 02 Apr 2024 12:55:52 +0200 ** Changed in: s390-tools-signed (Ubuntu Noble) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
This bug was fixed in the package s390-tools - 2.31.0-0ubuntu5 --- s390-tools (2.31.0-0ubuntu5) noble; urgency=medium * Add the following commits as patches: - d/p/lp-2059303-rust-pv-test-Code-Certificate-refactoring.patch (excluded patching binary files rust/pv/tests/assets/cert/der.crl and rust/pv/tests/assets/cert/der.crt, which is not supported by quilt - these files are needed for testing only) - d/p/lp-2059303-rust-pv-Support-Armonk-in-IBM-signing-key-subject.patch - d/p/lp-2059303-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch - d/p/lp-2059303-libpv-Support-Armonk-in-IBM-signing-key-subject.patch - d/p/lp-2059303-pvattest-Fix-root-ca-parsing.patch to fix Secure Execution tooling and accept new IBM host-key subject locality. LP: #2059303 * Add d/p/lp-2058944-dbginfo.sh-dash-compatible-copy-sequence.patch to fix dash incompatibility in dbginfo.sh. LP: #2058944 -- Frank Heimes Tue, 02 Apr 2024 12:45:30 +0200 ** Changed in: s390-tools (Ubuntu Noble) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
Hi Steffen, thanks for checking the updated packages. Indeed, I had to restart the build of the s390-tools-signed packages for mantic/23.10, /jammy/22.04 and focal/20.04. These build will be complete in an hour or so (so well before Monday). Since the updates need to be done starting with the newest to oldest, a test on noble/24.04 would be most important. Do you have a mantic/23.10 or jammy/22.04 test system over? In this case you should be able to upgrade to noble/24.04 in just a few minutes. First of all ensure that your current system (mantic or jammy) is up-to- date with: sudo apt update && && sudo apt full-upgrade (with a potential reboot) You should then be able to upgrade with: sudo do-release-upgrade -d (or in case you are brave enough - but on a test/dev system ;-) : sudo do-release-upgrade --quiet --devel-release --frontend=DistUpgradeViewNonInteractive && sudo reboot ) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
Builds finally completed: noble: https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303 mantic, jammy, focal: https://launchpad.net/~fheimes/+archive/ubuntu/test -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
** Description changed: + SRU Justification: + + [ Impact ] + + * Symptom: + +* There is an issue with the Secure Execution (SE) tooling, + especially the new IBM host-key subject locality, + that leads to the fact that on April 24 (z15) / March 29 (z16) + users will notice that the tooling for Secure execution will no + longer detect that the provided IBM signing key for that generation + is a valid IBM signing key. + +* The error message will contain "no IBM signing key found" or similar. + The respective tool will reject creating an encrypted request/image + as it could not verify the host-key for its validity. + +* This affects the genprotimg, pvattest, and pvsecret tools. + (Please notice that these tools got introduced over time with different + s390-tools versions that belong to different Ubuntu releases). + + * Problem: + +* The new IBM signing keys no longer contain 'Poughkeepsie' as + 'subject locality' and 'Armonk' is used. + +* The SE tooling checks, beside other things, for the subject in the + IBM signing key. + +* If the subject is not the expected one, the certificate is not + recognized as a valid IBM signing key. + And without a valid IBM signing key, the host-key verification + cannot succeed and users cannot build trustable SE images and + attestation or add-secret requests. + + * Solution: + +* Mitigations are available upstream. + +* The fixes allow Armonk as additional locality in the subject + and allow potential mismatches in the locality of revocation list + or host-key issuer subject that may still contain Poughkeepsie + instead of Armonk. + + [ Test Plan ] + + * + + * The testing is required for all three affected tools: +genprotimg, pvattest, and pvsecret + + * Without the fixed code, but with the new IBM signing keys +(that have 'Armonk' as 'subject locality'), users will get a msgs like: +"no IBM signing key found" +and the validation will fail. + + * With the patches included, the validation will succeed. + + [ Where problems could occur ] + + * The tools genprotimg, pvattest, and pvsecret tools are affected. +Since they got introduced over time with different s390-tools versions +that belong to different Ubuntu releases, it's important to figure out the +commits/patches that are required for each release. + + * The refactoring commit f6c6f0cc712433221fb0588c754e0d09884453dd +("rust/pv/test: Code + Certificate refactoring") is needed +for noble and mantic, but needs several adjustments due to context changes. +The code could be negatively affected and the build might even break. +(A test build in PPA mitigates such issues.) + + * As host host-key issuer subject now Poughkeepsie and Armonk is allowed. +If the conditional statements are not properly coded, either Poughkeepsie +or Armonk might be allowed, which would fails in case the opposite is used. +(Testing if the IBM signing key is valid will mitigate this.) + + * In worst case a broken detection of the host-key issuer subject may lead +to positive validations, regardless of the subject content. +(Testing if the IBM signing key is valid will mitigate this.) + + * A test build for all affected Ubuntu releases (N, M, J and F) succeeded +and is available via this PPA: +https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303 + + * These test packages will be pre-tested by IBM. + + * This affected Secure Execution (SE) functionality only on s390x. +No other tools that are part of the s390-tools packages are affected +(or got modified in any way). + + [ Other Info ] + + * Secure Execution (SE) was introduced with in Ubuntu Server for s390x +with 20.04 LTS, hence 20.04 LTS and higher is affected. + + * And with that the s390-tools versions that are still in service: +2.12.0-0ubuntu3.7 | focal-updates +2.20.0-0ubuntu3.2 | jammy-updates +2.29.0-0ubuntu2.1 | mantic-updates +2.30.0-0ubuntu1 | noble-updates / 2.31.0-0ubuntu4 | noble-proposed + + * The following commits / patches need to be applied to the following +s390-tools versions: +* f6c6f0cc712433221fb0588c754e0d09884453dd + ("rust/pv/test: Code + Certificate refactoring") + to noble, mantic +* 1a3d0b74f7819f5e087e6ecbf3ec879a05a88bbc + ("rust/pv: Support `Armonk` in IBM signing key subject") + to noble, mantic +* d14e7593cc6380911ca42b09e11c53477ae13d5c + ("genprotimg: support `Armonk` in IBM signing key subject") + to noble, mantic, jammy, focal +* d7c95265cdb6217b0203efa5893c3a27838af63c + ("libpv: Support `Armonk` in IBM signing key subject") + to noble, mantic, jammy +* 2b5e7b049123aff094c7de79ba57a5df09471b2e + ("pvattest: Fix root-ca parsing") + to noble, mantic, jammy + __ + Description: SE-tooling: New IBM
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
Meanwhile I've navigated through the challenges in noble and have a successful PPA build here: launchpad.net/~fheimes/+archive/ubuntu/lp2059303 and the s390-tools and the s390-tools-signed debdiffs attached. ** Attachment added: "debdiffs.tgz" https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/2059303/+attachment/5761332/+files/debdiffs.tgz ** Changed in: s390-tools (Ubuntu Noble) Assignee: (unassigned) => Frank Heimes (fheimes) ** Changed in: s390-tools-signed (Ubuntu Noble) Assignee: (unassigned) => Frank Heimes (fheimes) ** Changed in: s390-tools (Ubuntu Noble) Status: New => In Progress ** Changed in: s390-tools-signed (Ubuntu Noble) Status: New => In Progress ** Changed in: s390-tools-signed (Ubuntu Noble) Importance: Undecided => High ** Changed in: s390-tools (Ubuntu Noble) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
Well, I already had a hard time to get the requested commits applied to noble (which is on 2.31.0). I figured out that: 1) commit f6c6f0cc712433221fb0588c754e0d09884453dd ("rust/pv/test: Code + Certificate refactoring") is needed on top as pre-requisite, otherwise the other patches do not apply. 2) the commit id for ("libpv: Support `Armonk` in IBM signing key subject") is d7c95265cdb6217b0203efa5893c3a27838af63c (and not 5e1cb58a21ae0707d1993de3c8fc078c5cffed88 - this commit id does not exist in upstream master) 3) the commit id for ("pvattest: Fix root-ca parsing") is 2b5e7b049123aff094c7de79ba57a5df09471b2e (and not a54daf459e7504c0f42d3eb028100b7ab07894ff - again this commit id does not exist in upstream master). I'm really wondering if it wouldn't be best to have a new minor version tagged upstream (like a 2.31.1) that includes everything needed, since I can't patch binary files with quilt (rust/pv/tests/assets/cert/der.crl and rust/pv/tests/assets/cert/der.crt), hence had to skip these hunks. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
** Also affects: s390-tools (Ubuntu Mantic) Importance: Undecided Status: New ** Also affects: s390-tools-signed (Ubuntu Mantic) Importance: Undecided Status: New ** Also affects: s390-tools (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: s390-tools-signed (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: s390-tools (Ubuntu Noble) Importance: Undecided Status: New ** Also affects: s390-tools-signed (Ubuntu Noble) Importance: Undecided Status: New ** Also affects: s390-tools (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: s390-tools-signed (Ubuntu Jammy) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Re: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
** Package changed: linux (Ubuntu) => s390-tools (Ubuntu) ** Also affects: s390-tools-signed (Ubuntu) Importance: Undecided Status: New ** Also affects: ubuntu-z-systems Importance: Undecided Status: New ** Changed in: ubuntu-z-systems Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team) ** Changed in: s390-tools (Ubuntu) Assignee: Skipper Bug Screeners (skipper-screen-team) => (unassigned) ** Changed in: ubuntu-z-systems Importance: Undecided => Critical ** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs