Re-uploading the debdiffs due to some typos (c&p issues). ** Description changed:
+ SRU Justification: + ================== + + [Impact] + + * With upgraded EP11 host libraries, + which are needed for the IBM Z hardware crypto stack + (especially the Crypto Express EP11 coprocessor), + support for Dilithium algorithm (CKM_IBM_DILITHIUM) + does not show up as supported by the EP11 token. + + * This can be considered as a regression is not fixed. + + [Test Plan] + + * An IBM zSystems machine (either LPAR or z/VM) is needed + with a CryptoExpress adapter running on EP11 coprocessor mode + (and supporting Dilithium, e.g. '8S') + and at least one available crypto domain online. + + * Ubuntu focal, impish, jammy or kinetic needs to run. + and the ep11 and opencryptoki packages installed. + + * Then check with pkcsconf -m -c <slot> + for the supported 'mechanism'. + + * Look for 'CKM_IBM_DILITHIUM'. + + * More details can be found here: + https://www.ibm.com/docs/en/linux-on-systems?topic=token-supported-mechanisms-ep11 + + * Test will be done by IBM. + + [Fix] + + * b40982e1 b40982e19e27b22ef724c7431a1a475f1858e199 + "EP11: Dilithium: Specify OID of key strength at key generation" + + * 6759faed 6759faed4c7a2e154ca2f2c56a5b51aec68227fc + "EP11: Fix host library version query" + + * Respectively their backports attached here. + + [Where problems could occur] + + * Erroneous patches may have an impact on algorithms other than + Dilithium. But this is very unlikely since 'ep11_specific.c' is + the only file that is touched (by both patches). + + * Broken fixes for opencryptoki may harm cases with older EP11 package, + that were not impacted so far, for example due to bugs in the + handling of the lib/host version query. + + * Problems with the handling of tokens could occur. + + [Other Info] + + * b40982e1 is the pre-requisite for 6759faed + + * Both patches are upstream in opencryptoki 3.18. + + * Since opencryptoki jammy and kinetic includes several commits on + top of 3.17, b40982e1 is already included. + + * Hence only opencryptoki impish and focal require both patches. + + __________ + openCryptoki version 3.13.0 or higher need a fix to continue to support the Dilithium mechanisms when using an upgraded EP11 host library. https://github.com/opencryptoki/opencryptoki/commit/b40982e19e27b22ef724c7431a1a475f1858e199 "EP11: Dilithium: Specify OID of key strength at key generation" https://github.com/opencryptoki/opencryptoki/commit/6759faed4c7a2e154ca2f2c56a5b51aec68227fc "EP11: Fix host library version query" Without these fixes, CKM_IBM_DILITHIUM mechanism do not show up as supported by the EP11 token when an upgraded EP11 host library is used, which would be a regression. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1973296 Title: [UBUNTU 20.04] OpenCryptoki >= 3.13 with upgraded EP11 host library - Dilithium support not available To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1973296/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
