[Bug 2059303] Comment bridged from LTC Bugzilla
--- Comment From steffen.ei...@ibm.com 2024-05-17 09:34 EDT--- Verified that the issue is resolved for all the following Ubuntu version with the respective proposed repository. mantic/23.10 : s390-tools (2.29.0-0ubuntu2.2) jammy/22.04 : s390-tools (2.20.0-0ubuntu3.3) focal/20.04 : s390-tools (2.12.0-0ubuntu3.8) Steffen -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Comment bridged from LTC Bugzilla
--- Comment From steffen.ei...@ibm.com 2024-04-17 04:28 EDT--- Thanks Frank and Marc. Verified for focal with the focal-package in PPA at http://ppa.launchpad.net/fheimes/lp2059303/ubuntu (2.12.0-0ubuntu3.8) -> verified for all releases in service. focal, jammy, mantic, and noble. Steffen -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Comment bridged from LTC Bugzilla
--- Comment From mhart...@de.ibm.com 2024-04-16 05:22 EDT--- Can you please pick this commit: https://github.com/ibm-s390-linux/s390-tools/commit/f5744b95db93fa9d5cfd6fb206767ad2dcc3c804 ? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Comment bridged from LTC Bugzilla
--- Comment From steffen.ei...@ibm.com 2024-04-12 10:22 EDT--- Hi Frank, An update from my side: !SHORT: GOOD: noble(with a nit), mantic, jammy BAD/not verifyable: focal !LONG: Verified for: * 24.04 (noble): with today's (2024-apr-12) s390tools version from noble repository (after a release-upgrade from jammy): - genprotimg - pvattest - pvsecret work. did **not** use your PPA But there is a mismatch from the package version to the version that the tools report: > apt-cache showpkg s390-tools Package: s390-tools Versions: 2.31.0-0ubuntu5 (/var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_noble_main_binary-s390x_Packages) > pvattest --version pvattest version 2.31.0-build-20240409 You very likely forgot to change the DISTRELEASE variable in common.mak * 23.10 (mantic): All work with your PPA - genprotimg - pvattest - pvsecret * 22.04 (jammy): All work with your PPA - genprotimg - pvattest * 20:04 (focal): the updated s390-tools package from your PPA has no genprotimg in it: > dpkg --contents s390-tools_2.12.0-0ubuntu3.8_s390x.deb | grep genprot -rw-r--r-- root/root 1775 2024-04-03 14:10 ./usr/share/man/man8/genprotimg.8.gz drwxr-xr-x root/root 0 2024-04-03 14:10 ./usr/share/s390-tools/genprotimg/ -rw-r--r-- root/root 9656 2024-04-03 14:10 ./usr/share/s390-tools/genprotimg/stage3a.bin -rw-r--r-- root/root 5498 2024-04-03 14:10 ./usr/share/s390-tools/genprotimg/stage3b_reloc.bin (before the update(s390-tools2.12.0-ubuntu3.7)) > apt-file list s390-tools | grep genprotimg s390-tools: /usr/bin/genprotimg [] Verify process: 1) Obtain a (z15) Host-key document e.g. via the official channel see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document 2) Get a signing key (z15) + intermediate certificate see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document 3) (optional) verify that the signing key is a new one (checl for: Locality Armonk) > openssl x509 -text -in international_business_machines_corporation.crt | grep > Subject Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International Business Machines Corporation L **must** be Armonk, and not Poughkeepsie 4) run the tools if available: The fixed tools will accept the cert chain and exit with exit code 0 and the output generated. The non-fixed will print n error message, abort, and report exit != 0 > genprotimg: genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt #BEFORE_FIX: Failed to verify host-key document: please specify at least one IBM Z signing key # AFTER_FIX: # exit code 0 > pvattest create -VVV -o tmp --arpk arpk -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt #BEFORE_FIX: ERROR: Creating the attestation request failed: Specify at least one IBM Z signing key # AFTER_FIX: # exit code 0 > pvsecret create --hdr ~/secure_guest.hdr -o tmp -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/armonk/DigiCertCA.crt meta # BEFORE_FIX: error: Host-key verification failed: Specify one IBM Z signing key # AFTER FIX: Successfully generated the request Note: You can use any z15 host-key you like. Don't has to match to the machine you are running on. For the secure-guest.hdr in pvsecret you can use any se-header you like. You can use a test-asset from s390-tools repository: https://github.com/ibm-s390-linux/s390-tools/raw/master/rust/pv/tests/assets/exp/secure_guest.hdr Steffen -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Comment bridged from LTC Bugzilla
--- Comment From steffen.ei...@ibm.com 2024-04-05 04:40 EDT--- (In reply to comment #15) > Builds finally completed: > noble: https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303 > mantic, jammy, focal: https://launchpad.net/~fheimes/+archive/ubuntu/test Hi Frank Thank you for the supply of packages. I currently have no noble (24.04) system by hand. I will test noble as soon as I have access. For mantic, jammy, focal, it seems that a new s390-tools-signed package is missing in the PPA (it is there in the noble PPA). Tested only on focal. Example for focal: after adding the ppa + update. > apt upgrade s390-tools [...] The following packages have unmet dependencies: s390-tools : Depends: s390-tools-signed (= 2.12.0-0ubuntu3.8) but 2.12.0-0ubuntu3.7 is to be installed Thank you in advance for a fix/solution. And also, sorry for the Rust-backport inconvenience. BTW, I released a new s390-tools version on Wednesday (https://github.com/ibm-s390-linux/s390-tools/releases/tag/v2.32.0) with the armonk problem resolved. Steffen -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Comment bridged from LTC Bugzilla
--- Comment From steffen.ei...@ibm.com 2024-04-02 09:17 EDT--- (In reply to comment #11) > Well, I already had a hard time to get the requested commits applied to > noble (which is on 2.31.0). > > I figured out that: > 1) commit f6c6f0cc712433221fb0588c754e0d09884453dd ("rust/pv/test: Code + > Certificate refactoring") is needed on top as pre-requisite, otherwise the > other patches do not apply. > 2) the commit id for ("libpv: Support `Armonk` in IBM signing key subject") > is d7c95265cdb6217b0203efa5893c3a27838af63c (and not > 5e1cb58a21ae0707d1993de3c8fc078c5cffed88 - this commit id does not exist in > upstream master) > 3) the commit id for ("pvattest: Fix root-ca parsing") is > 2b5e7b049123aff094c7de79ba57a5df09471b2e (and not > a54daf459e7504c0f42d3eb028100b7ab07894ff - again this commit id does not > exist in upstream master). > > I'm really wondering if it wouldn't be best to have a new minor version > tagged upstream (like a 2.31.1) that includes everything needed, since I > can't patch binary files with quilt (rust/pv/tests/assets/cert/der.crl and > rust/pv/tests/assets/cert/der.crt), hence had to skip these hunks. Your proposal makes sense. Let me see what we can do. Steffen -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2059303] Comment bridged from LTC Bugzilla
--- Comment From boris.m...@de.ibm.com 2024-03-27 16:09 EDT--- Full list of patches: a54daf459e7504c0f42d3eb028100b7ab07894ff ("pvattest: Fix root-ca parsing") 5e1cb58a21ae0707d1993de3c8fc078c5cffed88 ("libpv: Support `Armonk` in IBM signing key subject") d14e7593cc6380911ca42b09e11c53477ae13d5c ("genprotimg: support `Armonk` in IBM signing key subject") 1a3d0b74f7819f5e087e6ecbf3ec879a05a88bbc ("rust/pv: Support `Armonk` in IBM signing key subject") -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059303 Title: [UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2059303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs