** Description changed: + SRU Justification: + + [ Impact ] + + * Symptom: + + * There is an issue with the Secure Execution (SE) tooling, + especially the new IBM host-key subject locality, + that leads to the fact that on April 24 (z15) / March 29 (z16) + users will notice that the tooling for Secure execution will no + longer detect that the provided IBM signing key for that generation + is a valid IBM signing key. + + * The error message will contain "no IBM signing key found" or similar. + The respective tool will reject creating an encrypted request/image + as it could not verify the host-key for its validity. + + * This affects the genprotimg, pvattest, and pvsecret tools. + (Please notice that these tools got introduced over time with different + s390-tools versions that belong to different Ubuntu releases). + + * Problem: + + * The new IBM signing keys no longer contain 'Poughkeepsie' as + 'subject locality' and 'Armonk' is used. + + * The SE tooling checks, beside other things, for the subject in the + IBM signing key. + + * If the subject is not the expected one, the certificate is not + recognized as a valid IBM signing key. + And without a valid IBM signing key, the host-key verification + cannot succeed and users cannot build trustable SE images and + attestation or add-secret requests. + + * Solution: + + * Mitigations are available upstream. + + * The fixes allow Armonk as additional locality in the subject + and allow potential mismatches in the locality of revocation list + or host-key issuer subject that may still contain Poughkeepsie + instead of Armonk. + + [ Test Plan ] + + * <detailed instructions how to reproduce the bug> + + * The testing is required for all three affected tools: + genprotimg, pvattest, and pvsecret + + * Without the fixed code, but with the new IBM signing keys + (that have 'Armonk' as 'subject locality'), users will get a msgs like: + "no IBM signing key found" + and the validation will fail. 
+ + * With the patches included, the validation will succeed. + + [ Where problems could occur ] + + * The tools genprotimg, pvattest, and pvsecret tools are affected. + Since they got introduced over time with different s390-tools versions + that belong to different Ubuntu releases, it's important to figure out the + commits/patches that are required for each release. + + * The refactoring commit f6c6f0cc712433221fb0588c754e0d09884453dd + ("rust/pv/test: Code + Certificate refactoring") is needed + for noble and mantic, but needs several adjustments due to context changes. + The code could be negatively affected and the build might even break. + (A test build in PPA mitigates such issues.) + + * As host host-key issuer subject now Poughkeepsie and Armonk is allowed. + If the conditional statements are not properly coded, either Poughkeepsie + or Armonk might be allowed, which would fails in case the opposite is used. + (Testing if the IBM signing key is valid will mitigate this.) + + * In worst case a broken detection of the host-key issuer subject may lead + to positive validations, regardless of the subject content. + (Testing if the IBM signing key is valid will mitigate this.) + + * A test build for all affected Ubuntu releases (N, M, J and F) succeeded + and is available via this PPA: + https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303 + + * These test packages will be pre-tested by IBM. + + * This affected Secure Execution (SE) functionality only on s390x. + No other tools that are part of the s390-tools packages are affected + (or got modified in any way). + + [ Other Info ] + + * Secure Execution (SE) was introduced with in Ubuntu Server for s390x + with 20.04 LTS, hence 20.04 LTS and higher is affected. 
+ + * And with that the s390-tools versions that are still in service: + 2.12.0-0ubuntu3.7 | focal-updates + 2.20.0-0ubuntu3.2 | jammy-updates + 2.29.0-0ubuntu2.1 | mantic-updates + 2.30.0-0ubuntu1 | noble-updates / 2.31.0-0ubuntu4 | noble-proposed + + * The following commits / patches need to be applied to the following + s390-tools versions: + * f6c6f0cc712433221fb0588c754e0d09884453dd + ("rust/pv/test: Code + Certificate refactoring") + to noble, mantic + * 1a3d0b74f7819f5e087e6ecbf3ec879a05a88bbc + ("rust/pv: Support `Armonk` in IBM signing key subject") + to noble, mantic + * d14e7593cc6380911ca42b09e11c53477ae13d5c + ("genprotimg: support `Armonk` in IBM signing key subject") + to noble, mantic, jammy, focal + * d7c95265cdb6217b0203efa5893c3a27838af63c + ("libpv: Support `Armonk` in IBM signing key subject") + to noble, mantic, jammy + * 2b5e7b049123aff094c7de79ba57a5df09471b2e + ("pvattest: Fix root-ca parsing") + to noble, mantic, jammy + __________ + Description: SE-tooling: New IBM host-key subject locality - Symptom: - On April 24 (z15) / March 29 (z16) user will notice that the - tooling for Secure execution will no longer detect that the provided - IBM signing key for that generation is a valid IBM signing key. The - error message will contain "no IBM signing key found" or similar. The - respective tool will reject creating an encrypted request/image as it - could not verify the host-key for its validity. This affects - genprotimg, pvattest, and pvsecret. - Problem: - The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject - locality' and 'Armonk' is used. The SE tooling checks, beside other - things, for the subject in the IBM signing key. If the subject is not - the expected one, the certificate is not recognized as a valid IBM - signing key. With no valid IBM signing key, the host-key verification - cannot succeed and users cannot build trustable SE images and - attestation or add-secret requests. 
- Solution: - Mitigations are available upstream. The fixes allow Armonk as - additional locality in the subject and allow potential mismatches in - the locality of revocation list or host-key issuer subject that may - still contain Poughkeepsie instead of Armonk. + Symptom: + On April 24 (z15) / March 29 (z16) user will notice that the + tooling for Secure execution will no longer detect that the provided + IBM signing key for that generation is a valid IBM signing key. The + error message will contain "no IBM signing key found" or similar. The + respective tool will reject creating an encrypted request/image as it + could not verify the host-key for its validity. This affects + genprotimg, pvattest, and pvsecret. + Problem: + The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject + locality' and 'Armonk' is used. The SE tooling checks, beside other + things, for the subject in the IBM signing key. If the subject is not + the expected one, the certificate is not recognized as a valid IBM + signing key. With no valid IBM signing key, the host-key verification + cannot succeed and users cannot build trustable SE images and + attestation or add-secret requests. + Solution: + Mitigations are available upstream. The fixes allow Armonk as + additional locality in the subject and allow potential mismatches in + the locality of revocation list or host-key issuer subject that may + still contain Poughkeepsie instead of Armonk. Reproduction: Use a new IBM signing key in the unpatched tooling. The fix is required due to the circumstances described here: https://www.ibm.com/docs/en/linux-on-systems?topic=systems-whats-new#iplsdkwhatsnew__title__2 - This is required for all Ubuntu releases in service that support secure execution. + This is required for all Ubuntu releases in service that support secure execution. Therefore, Ubuntu 20.04 LTS (focal) and above are affected and need to be fixed.
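Review bot: The added [ Test Plan ] still carries the template placeholder "<detailed instructions how to reproduce the bug>" and only covers the positive case ("With the patches included, the validation will succeed"), while [ Where problems could occur ] names two regressions that this case cannot catch: only one of Poughkeepsie or Armonk being accepted, and a broken subject check that validates "regardless of the subject content". Suggest replacing the placeholder with the concrete steps for each of genprotimg, pvattest and pvsecret on every affected release, and adding two further runs per tool: one with a signing key that still has Poughkeepsie as subject locality, which must keep verifying, and one with a certificate whose subject locality is neither Poughkeepsie nor Armonk, which must still be rejected. The parenthetical mitigation "(Testing if the IBM signing key is valid will mitigate this.)" only exercises the accept path, so as written it does not cover the worst case described in the same section.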
--
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)