** Description changed: + SRU Justification: + ================== + + [Impact] + + * Fix of 'genprotimg' allowing the tool to verify the validity + of IBM Secure Execution host key documents. + + * Without that, customers must verify the host key document by themselves, + which is error prone and may impact security. + + [Test Plan] + + * A z15 or LinuxONE III LPAR with FC 115 is needed, + running Ubuntu Server 20.04 (respectively 21.04). + + * Obtain a host key document from 'IBM Resource Link'. + (A public host key is X.509 certificate, signed with an IBM key.) + + * Create an IBM Secure Execution image, using the obtained host key like: + genprotimg -i /boot/vmlinuz -r /boot/initrd.img -p parmfile \ + --no-verify -k HKD-8651-00020089A8.crt -o /boot/secure-linux + (optional, host key can also be verified w/o having created an image) + + * Use the 'genprotimg' command to automatically verify the + host key document automatically + (instead of using the manual and error prone verification procedure + using plain openssl command-line). + + * More detailed information is available here: + http://public.dhe.ibm.com/software/dw/linux390/docu/l110se01.pdf + + * Due to the lack of hardware, the verification needs to be done by + IBM. + + [Where problems could occur] + + * If the 'genprotimg' way of verifying the host key document + is erroneous, tool based verification can be broken, + which may force people having to use '--no-verify' + and fall back to manual (openssl based) verification again. + + * In worst case a 'false positive' verification + of a host key document may occur, + that might provide a false sense of security. + Hence proper testing is crucial! + + * Quite some code was added that is only used for this verification + (like 'curl'), which may break things indirectly. + Using '--no-verify' may allow to overcome such issues again. 
+ + * Overall this is all unique to s390x, + and again special to 'secure execution' and would affect + only z15 or LinuxONE III systems with FC 115 enabled. + + [Fixes] + + * For Hirsute, only the following upstream patch is needed: + d90344a2d5ca3a0caacf7d0c12f981be86862d8c d90344a ("genprotimg: check return value of BIO_reset") + + * For Focal, the following patches are needed (the first one as backport): + + * 074de1e14ed785c18f55ecf9762ac3f5de3465b4 074de1e ("genprotimg: add host-key document verification support") + To get this commit in, the attached backport is needed: + https://launchpadlibrarian.net/559224229/0001-genprotimg-add-host-key-document-verification-suppor.patch + + * 7827a791c98dbf14f7e5dfd1c9ea14365cac6272 7827a79 ("genprotimg: add + missing return") + + * d90344a2d5ca3a0caacf7d0c12f981be86862d8c d90344a ("genprotimg: check + return value of BIO_reset") + + [Other Info] + + * Test builds were created for both, hirsute and focal, + each s390-tools and s390-tools-signed, + and have been published at PPA: + https://launchpad.net/~fheimes/+archive/ubuntu/lp1942908 + + __________ + Fixing zKVM: Host Key Document Verification - SRU to U20.04LTS - Description: + Description: Fix of genprotimg allowing the tool to verify the validity of IBM Secure Execution host key documents. Without that, customers must verify the host key document by themselves,which is error prone and may impact security.
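Review bot: In [Test Plan], the only concrete command shown passes `--no-verify`, so as written it builds an image without exercising the host key document verification this SRU adds; the following step ("Use the 'genprotimg' command to automatically verify the host key document") gives neither the invocation nor the expected result. Since [Where problems could occur] names a false-positive verification as the worst case, the plan should spell out the command run without `--no-verify`, the expected outcome for a valid host key document, and at least one negative case in which a host key document must be rejected. The same step also repeats the word "automatically".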
--
https://bugs.launchpad.net/bugs/1942908

Title:
  Fixing zKVM: Host Key Document Verification - SRU to U20.04LTS