[Kernel-packages] [Bug 1988120] Re: Support Intel TDX guest attestation driver

2022-10-04 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 5.19.0-18.18

---
linux (5.19.0-18.18) kinetic; urgency=medium

  * kinetic/linux: 5.19.0-18.18 -proposed tracker (LP: #1990366)

  * 5.19.0-17.17: kernel NULL pointer dereference, address: 0084
    (LP: #1990236)
- Revert "UBUNTU: SAUCE: apparmor: Fix regression in stacking due to label
  flags"
- Revert "UBUNTU: [Config] disable SECURITY_APPARMOR_RESTRICT_USERNS"
- Revert "UBUNTU: SAUCE: Revert "hwrng: virtio - add an internal buffer""
- Revert "UBUNTU: SAUCE: Revert "hwrng: virtio - don't wait on cleanup""
- Revert "UBUNTU: SAUCE: Revert "hwrng: virtio - don't waste entropy""
- Revert "UBUNTU: SAUCE: Revert "hwrng: virtio - always add a pending
  request""
- Revert "UBUNTU: SAUCE: Revert "hwrng: virtio - unregister device before
  reset""
- Revert "UBUNTU: SAUCE: Revert "virtio-rng: make device ready before making
  request""
- Revert "UBUNTU: [Config] update configs after apply new apparmor patch
  set"
- Revert "UBUNTU: SAUCE: apparmor: add user namespace creation mediation"
- Revert "UBUNTU: SAUCE: selinux: Implement userns_create hook"
- Revert "UBUNTU: SAUCE: bpf-lsm: Make bpf_lsm_userns_create() sleepable"
- Revert "UBUNTU: SAUCE: security, lsm: Introduce security_create_user_ns()"
- Revert "UBUNTU: SAUCE: lsm stacking v37: AppArmor: Remove the exclusive
  flag"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Add /proc attr entry for full
  LSM context"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Removed scaffolding function
  lsmcontext_init"
- Revert "UBUNTU: SAUCE: lsm stacking v37: netlabel: Use a struct lsmblob in
  audit data"
- Revert "UBUNTU: SAUCE: lsm stacking v37: Audit: Add record for multiple
  object contexts"
- Revert "UBUNTU: SAUCE: lsm stacking v37: audit: multiple subject lsm values
  for netlabel"
- Revert "UBUNTU: SAUCE: lsm stacking v37: Audit: Add record for multiple task
  security contexts"
- Revert "UBUNTU: SAUCE: lsm stacking v37: Audit: Allow multiple records in an
  audit_buffer"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Add a function to report
  multiple LSMs"
- Revert "UBUNTU: SAUCE: lsm stacking v37: Audit: Create audit_stamp
  structure"
- Revert "UBUNTU: SAUCE: lsm stacking v37: Audit: Keep multiple LSM data in
  audit_names"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: security_secid_to_secctx
  module selection"
- Revert "UBUNTU: SAUCE: lsm stacking v37: binder: Pass LSM identifier for
  confirmation"
- Revert "UBUNTU: SAUCE: lsm stacking v37: NET: Store LSM netlabel data in a
  lsmblob"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: security_secid_to_secctx in
  netlink netfilter"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Use lsmcontext in
  security_dentry_init_security"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Use lsmcontext in
  security_inode_getsecctx"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Use lsmcontext in
  security_secid_to_secctx"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Ensure the correct LSM context
  releaser"
- Revert "UBUNTU: SAUCE: fixup lsm stacking v37: LSM: Specify which LSM to
  display"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Specify which LSM to display"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Use lsmblob in
  security_cred_getsecid"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Use lsmblob in
  security_inode_getsecid"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Use lsmblob in
  security_current_getsecid"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Use lsmblob in
  security_ipc_getsecid"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Use lsmblob in
  security_secid_to_secctx"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Use lsmblob in
  security_secctx_to_secid"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Use lsmblob in
  security_kernel_act_as"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Use lsmblob in
  security_audit_rule_match"
- Revert "UBUNTU: SAUCE: lsm stacking v37: IMA: avoid label collisions with
  stacked LSMs"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: provide lsm name and id slot
  mappings"
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Add the lsmblob data
  structure."
- Revert "UBUNTU: SAUCE: lsm stacking v37: LSM: Infrastructure management of
  the sock security"
- Revert "UBUNTU: SAUCE: lsm stacking v37: integrity: disassociate
  ima_filter_rule from security_audit_rule"
- Revert "UBUNTU: SAUCE: apparmor: LSM stacking: switch from SK_CTX() to
  aa_sock()"
- Revert "UBUNTU: SAUCE: apparmor: Add fine grained mediation of posix
  mqueues"
- Revert "UBUNTU: SAUCE: apparmor: rename aa_sock() to aa_unix_sk()"
- 

[Kernel-packages] [Bug 1988120] Re: Support Intel TDX guest attestation driver

2022-09-23 Thread Ubuntu Kernel Bot
This bug is awaiting verification that the linux-oem-6.0/6.0.0-1004.4
kernel in -proposed solves the problem. Please test the kernel and
update this bug with the results. If the problem is solved, change the
tag 'verification-needed-jammy' to 'verification-done-jammy'. If the
problem still exists, change the tag 'verification-needed-jammy' to
'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Thank you!

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1988120

Title:
  Support Intel TDX guest attestation driver

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Kinetic:
  Fix Committed

Bug description:
  [Impact]

  Intel has requested to support the TDX (trust domain extension) guest
  attestation driver interface. In a TDX guest "attestation" is used to
  verify the trustworthiness of a TD (trusted domain) before
  provisioning secrets to the TD (i.e., encrypted keys to mount an
  encrypted rootfs, etc.).

  During the TD boot the initial contents and configurations are
  recorded by the Intel TDX module in the build time measurement
  register (MRTD). At TD runtime, the Intel TDX module reuses the Intel
  SGX attestation infrastructure to provide support for attesting to
  this information.

  This driver is targeting 6.x upstream, so we need to backport the
  upstream patches as SAUCE patches to properly support this feature in
  5.19.

  [Fix]

  Backport upstream TDX attestation driver.

  [Test case]

  Tests have been performed by Intel, a test-case is included in the
  patch set as a kernel selftest (called 'tdx').

  TODO: consider integrating this test in our testing infrastructure
  once this feature has been merged.

  [Regression potential]

  This feature is self-contained, it's only available on amd64 and it
  doesn't affect any other amd64 code. So we could only experience
  regressions on amd64 systems that are using the TDX feature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1988120/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1988120] Re: Support Intel TDX guest attestation driver

2022-09-01 Thread Kleber Sacilotto de Souza
** Description changed:

  [Impact]
  
  Intel has requested to support the TDX (trust domain extension) guest
  attestation driver interface. In a TDX guest "attestation" is used to
  verify the trustworthiness of a TD (trusted domain) before provisioning
  secrets to the TD (i.e, encrypted keys to mount an encrypted rootfs,
  etc.).
  
  During the TD boot the initial contents and configurations are recorded
  by the Intel TDX module in the build time measurement register (MRTD).
  At TD runtime, the Intel TDX module reuses the Intel SGX attestation
  infrastructure to provide support for attesting to these information.
  
  This driver is targeting 6.x upstream, so we need to backport the
  upstream patches as SAUCE patches to properly support this feature in
  5.19.
  
  [Fix]
  
  Backport upstream TDX attestation driver.
  
  [Test case]
  
- Tests have been performed by IBM, a test-case is included in the patch
+ Tests have been performed by Intel, a test-case is included in the patch
  set as a kernel selftest (called 'tdx').
  
  TODO: consider to integrate this test in our testing infrastructure once
  this feature has been merged.
  
  [Regression potential]
  
  This feature is self-contained, it's only available on amd64 and it
  doesn't affect any other amd64 code. So we could only experience
  regressions on amd64 systems that are using the TDX feature.
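
Review bot: the [Test case] text at the changed line names the 'tdx' kernel selftest but gives no steps to run it or the result to expect, so the verification cannot be repeated from the description. Because this is a backport of a driver targeting 6.x to 5.19, state the command used and the kernel version it was run on.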



[Kernel-packages] [Bug 1988120] Re: Support Intel TDX guest attestation driver

2022-09-01 Thread Kleber Sacilotto de Souza
** Changed in: linux (Ubuntu Kinetic)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Kinetic)
   Status: In Progress => Fix Committed
