subject:"\[Bug 2059303\] Comment bridged from LTC Bugzilla"

[Bug 2059303] Comment bridged from LTC Bugzilla

2024-05-17 Thread bugproxy

--- Comment From steffen.ei...@ibm.com 2024-05-17 09:34 EDT---
Verified that the issue is resolved for all the following Ubuntu version with 
the respective proposed repository.

mantic/23.10 : s390-tools (2.29.0-0ubuntu2.2)
jammy/22.04 : s390-tools (2.20.0-0ubuntu3.3)
focal/20.04 : s390-tools (2.12.0-0ubuntu3.8)

Steffen

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Comment bridged from LTC Bugzilla

2024-04-17 Thread bugproxy

--- Comment From steffen.ei...@ibm.com 2024-04-17 04:28 EDT---
Thanks Frank and Marc.

Verified for focal with the focal-package in PPA at
http://ppa.launchpad.net/fheimes/lp2059303/ubuntu (2.12.0-0ubuntu3.8)

-> verified for all releases in service.
focal, jammy, mantic, and noble.

Steffen

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Comment bridged from LTC Bugzilla

2024-04-16 Thread bugproxy

--- Comment From mhart...@de.ibm.com 2024-04-16 05:22 EDT---
Can you please pick this commit:

https://github.com/ibm-s390-linux/s390-tools/commit/f5744b95db93fa9d5cfd6fb206767ad2dcc3c804

?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Comment bridged from LTC Bugzilla

2024-04-12 Thread bugproxy

--- Comment From steffen.ei...@ibm.com 2024-04-12 10:22 EDT---
Hi Frank,

An update from my  side:

!SHORT:

GOOD:
noble(with a nit), mantic, jammy
BAD/not verifyable:
focal

!LONG:

Verified for:

* 24.04 (noble):

with today's (2024-apr-12) s390tools version from noble repository (after a 
release-upgrade from jammy):
- genprotimg
- pvattest
- pvsecret
work.
did **not** use your PPA

But there is a mismatch from the package version to the version that the
tools report:

> apt-cache showpkg s390-tools
Package: s390-tools
Versions:
2.31.0-0ubuntu5  
(/var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_noble_main_binary-s390x_Packages)

> pvattest --version
pvattest version 2.31.0-build-20240409

You very likely forgot to change the DISTRELEASE variable in common.mak

* 23.10 (mantic):
All work with your PPA
- genprotimg
- pvattest
- pvsecret

* 22.04 (jammy):
All work with your PPA
- genprotimg
- pvattest

* 20:04 (focal):

the updated s390-tools package from your PPA has no genprotimg in it:

> dpkg --contents s390-tools_2.12.0-0ubuntu3.8_s390x.deb | grep genprot
-rw-r--r-- root/root  1775 2024-04-03 14:10 
./usr/share/man/man8/genprotimg.8.gz
drwxr-xr-x root/root 0 2024-04-03 14:10 
./usr/share/s390-tools/genprotimg/
-rw-r--r-- root/root  9656 2024-04-03 14:10 
./usr/share/s390-tools/genprotimg/stage3a.bin
-rw-r--r-- root/root  5498 2024-04-03 14:10 
./usr/share/s390-tools/genprotimg/stage3b_reloc.bin

(before the update(s390-tools2.12.0-ubuntu3.7))
> apt-file list s390-tools | grep genprotimg
s390-tools: /usr/bin/genprotimg
[]

Verify process:
1) Obtain a (z15) Host-key document e.g. via the official channel
see: 
https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document

2) Get a signing key (z15) + intermediate certificate
see: 
https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document

3) (optional) verify that the signing key is a new one (checl for: Locality 
Armonk)
> openssl x509 -text -in international_business_machines_corporation.crt | grep 
> Subject
Subject: C = US, ST = New York, L = Armonk, O = International Business Machines 
Corporation, OU = IBM Z Host Key Signing Service, CN = International Business 
Machines Corporation

L **must** be Armonk, and not Poughkeepsie

4) run the tools if available:
The fixed tools will accept the cert chain and exit with exit code 0 and the 
output generated.
The non-fixed will print n error message, abort, and report exit != 0

> genprotimg: genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k
~/hostkey.crt --cert ~/international_business_machines_corporation.crt
--cert ~/DigiCertCA.crt

#BEFORE_FIX:
Failed to verify host-key document: please specify at least one IBM Z signing 
key
# AFTER_FIX:
# exit code 0

> pvattest create -VVV -o tmp --arpk arpk -k ~/hostkey.crt --cert
~/international_business_machines_corporation.crt --cert
~/DigiCertCA.crt

#BEFORE_FIX:
ERROR: Creating the attestation request failed:
Specify at least one IBM Z signing key
# AFTER_FIX:
# exit code 0

> pvsecret create --hdr ~/secure_guest.hdr -o tmp -k ~/hostkey.crt
--cert ~/international_business_machines_corporation.crt --cert
~/armonk/DigiCertCA.crt  meta

# BEFORE_FIX:
error: Host-key verification failed: Specify one IBM Z signing key
# AFTER FIX:
Successfully generated the request

Note: You can use any z15 host-key you like. Don't has to match to the
machine you are running on. For the secure-guest.hdr in pvsecret you can
use any se-header you like. You can use a test-asset from s390-tools
repository:
https://github.com/ibm-s390-linux/s390-tools/raw/master/rust/pv/tests/assets/exp/secure_guest.hdr

Steffen

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Comment bridged from LTC Bugzilla

2024-04-05 Thread bugproxy

--- Comment From steffen.ei...@ibm.com 2024-04-05 04:40 EDT---
(In reply to comment #15)
> Builds finally completed:
> noble: https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303
> mantic, jammy, focal: https://launchpad.net/~fheimes/+archive/ubuntu/test

Hi Frank

Thank you for the supply of packages.

I currently have no noble (24.04) system by hand. I will test noble as
soon as I have access.

For  mantic, jammy, focal, it seems that a new s390-tools-signed package
is missing in the PPA (it is there in the noble PPA). Tested only on
focal.

Example for focal:

after adding the ppa + update.
> apt upgrade s390-tools
[...]
The following packages have unmet dependencies:
s390-tools : Depends: s390-tools-signed (= 2.12.0-0ubuntu3.8) but 
2.12.0-0ubuntu3.7 is to be installed

Thank you in advance for a fix/solution.


And also, sorry for the Rust-backport inconvenience.
BTW, I released a new s390-tools version on Wednesday 
(https://github.com/ibm-s390-linux/s390-tools/releases/tag/v2.32.0) with the 
armonk problem resolved.

Steffen

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Comment bridged from LTC Bugzilla

2024-04-02 Thread bugproxy

--- Comment From steffen.ei...@ibm.com 2024-04-02 09:17 EDT---
(In reply to comment #11)
> Well, I already had a hard time to get the requested commits applied to
> noble (which is on 2.31.0).
>
> I figured out that:
> 1) commit f6c6f0cc712433221fb0588c754e0d09884453dd ("rust/pv/test: Code +
> Certificate refactoring") is needed on top as pre-requisite, otherwise the
> other patches do not apply.
> 2) the commit id for ("libpv: Support `Armonk` in IBM signing key subject")
> is d7c95265cdb6217b0203efa5893c3a27838af63c (and not
> 5e1cb58a21ae0707d1993de3c8fc078c5cffed88 - this commit id does not exist in
> upstream master)
> 3) the commit id for ("pvattest: Fix root-ca parsing") is
> 2b5e7b049123aff094c7de79ba57a5df09471b2e (and not
> a54daf459e7504c0f42d3eb028100b7ab07894ff - again this commit id does not
> exist in upstream master).
>
> I'm really wondering if it wouldn't be best to have a new minor version
> tagged upstream (like a 2.31.1) that includes everything needed, since I
> can't patch binary files with quilt (rust/pv/tests/assets/cert/der.crl and
> rust/pv/tests/assets/cert/der.crt), hence had to skip these hunks.

Your proposal makes sense. Let me see what we can do.

Steffen

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Comment bridged from LTC Bugzilla

2024-03-27 Thread bugproxy

--- Comment From boris.m...@de.ibm.com 2024-03-27 16:09 EDT---
Full list of patches:

a54daf459e7504c0f42d3eb028100b7ab07894ff ("pvattest: Fix root-ca parsing")
5e1cb58a21ae0707d1993de3c8fc078c5cffed88 ("libpv: Support `Armonk` in IBM 
signing key subject")
d14e7593cc6380911ca42b09e11c53477ae13d5c ("genprotimg: support `Armonk` in IBM 
signing key subject")
1a3d0b74f7819f5e087e6ecbf3ec879a05a88bbc ("rust/pv: Support `Armonk` in IBM 
signing key subject")

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059303

Title:
  [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality
  (s390-tools)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2059303/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2059303] Comment bridged from LTC Bugzilla

[Bug 2059303] Comment bridged from LTC Bugzilla

[Bug 2059303] Comment bridged from LTC Bugzilla

[Bug 2059303] Comment bridged from LTC Bugzilla

[Bug 2059303] Comment bridged from LTC Bugzilla

[Bug 2059303] Comment bridged from LTC Bugzilla

[Bug 2059303] Comment bridged from LTC Bugzilla

7 matches

Site Navigation

Mail list logo

Footer information