You have been subscribed to a public bug:

Description: SE-tooling: New IBM host-key subject locality

Symptom: On April 24 (z15) / March 29 (z16), users will notice that the tooling for Secure execution will no longer detect that the provided IBM signing key for that generation is a valid IBM signing key. The error message will contain "no IBM signing key found" or similar. The respective tool will reject creating an encrypted request/image as it could not verify the host-key for its validity. This affects genprotimg, pvattest, and pvsecret.

Problem: The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject locality' and 'Armonk' is used. The SE tooling checks, besides other things, for the subject in the IBM signing key. If the subject is not the expected one, the certificate is not recognized as a valid IBM signing key. With no valid IBM signing key, the host-key verification cannot succeed and users cannot build trustable SE images and attestation or add-secret requests.

Solution: Mitigations are available upstream. The fixes allow Armonk as additional locality in the subject and allow potential mismatches in the locality of revocation list or host-key issuer subject that may still contain Poughkeepsie instead of Armonk.

Reproduction: Use a new IBM signing key in the unpatched tooling.
The fix is required due to the circumstances described here:
https://www.ibm.com/docs/en/linux-on-systems?topic=systems-whats-new#iplsdkwhatsnew__title__2

This is required for all Ubuntu releases in service that support secure execution. Therefore, Ubuntu 20.04 LTS (focal) and above are affected and need to be fixed.

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: Skipper Bug Screeners (skipper-screen-team)
     Status: New

** Tags: architecture-s39064 bugnameltc-205928 severity-critical targetmilestone-inin---

--
[UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
https://bugs.launchpad.net/bugs/2059303
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
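The relaxed subject check described under "Solution" in the bug report above, as an added example that is not part of the bug report and is not the s390-tools code: every subject attribute must still match exactly, and only the locality may be either of the two values named in the report. It assumes DNs are given as plain "K=V,K=V" strings in the same attribute order (the real tooling works on parsed X.509 names); the function name and the sample DNs are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* The two localities named in the bug report: old and new. */
static const char *const ALLOWED_L[] = { "Poughkeepsie", "Armonk" };

static bool locality_allowed(const char *v, size_t n)
{
    for (size_t i = 0; i < sizeof(ALLOWED_L) / sizeof(*ALLOWED_L); i++)
        if (strlen(ALLOWED_L[i]) == n && memcmp(ALLOWED_L[i], v, n) == 0)
            return true;
    return false;
}

/* Compare two DNs written as "K=V,K=V,..." in the same attribute order
 * (simplification: no escaped commas). Every attribute must match exactly,
 * except L, which may differ if both values are allowed localities. */
bool dn_match_relaxed_locality(const char *a, const char *b)
{
    while (*a && *b) {
        size_t la = strcspn(a, ","), lb = strcspn(b, ",");
        bool is_l = la > 2 && lb > 2 &&
                    !strncmp(a, "L=", 2) && !strncmp(b, "L=", 2);
        if (is_l) {
            if (!locality_allowed(a + 2, la - 2) ||
                !locality_allowed(b + 2, lb - 2))
                return false;
        } else if (la != lb || memcmp(a, b, la) != 0) {
            return false;
        }
        a += la; b += lb;
        if (*a != *b)   /* one DN ended, the other did not */
            return false;
        if (*a == ',') { a++; b++; }
    }
    return *a == '\0' && *b == '\0';
}

int main(void)
{
    /* Constructed sample DNs, not the real IBM signing-key subject. */
    const char *expected = "C=US,ST=New York,L=Poughkeepsie,O=Example Org,CN=Example Signing Key";
    const char *renewed  = "C=US,ST=New York,L=Armonk,O=Example Org,CN=Example Signing Key";
    const char *foreign  = "C=US,ST=New York,L=Springfield,O=Example Org,CN=Example Signing Key";
    printf("renewed: %d\n", dn_match_relaxed_locality(renewed, expected));
    printf("foreign: %d\n", dn_match_relaxed_locality(foreign, expected));
    return 0;
}
```

The same comparison covers the second part of the fix: a revocation list or host-key issuer that still carries the old locality matches a signing-key subject carrying the new one, while any other difference in the name is still rejected.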