------- Comment From steffen.ei...@ibm.com 2024-04-12 10:22 EDT-------
Hi Frank,

An update from my side:

!SHORT:
GOOD: noble (with a nit), mantic, jammy
BAD/not verifiable: focal

!LONG:
Verified for:

* 24.04 (noble):
with today's (2024-apr-12) s390tools version from noble repository (after a release-upgrade from jammy):
- genprotimg
- pvattest
- pvsecret
work. Did **not** use your PPA.
But there is a mismatch between the package version and the version that the tools report:
> apt-cache showpkg s390-tools
Package: s390-tools
Versions:
2.31.0-0ubuntu5 (/var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_noble_main_binary-s390x_Packages)
> pvattest --version
pvattest version 2.31.0-build-20240409
You very likely forgot to change the DISTRELEASE variable in common.mak

* 23.10 (mantic):
All work with your PPA
- genprotimg
- pvattest
- pvsecret

* 22.04 (jammy):
All work with your PPA
- genprotimg
- pvattest

* 20.04 (focal):
the updated s390-tools package from your PPA has no genprotimg in it:
> dpkg --contents s390-tools_2.12.0-0ubuntu3.8_s390x.deb | grep genprot
-rw-r--r-- root/root 1775 2024-04-03 14:10 ./usr/share/man/man8/genprotimg.8.gz
drwxr-xr-x root/root 0 2024-04-03 14:10 ./usr/share/s390-tools/genprotimg/
-rw-r--r-- root/root 9656 2024-04-03 14:10 ./usr/share/s390-tools/genprotimg/stage3a.bin
-rw-r--r-- root/root 5498 2024-04-03 14:10 ./usr/share/s390-tools/genprotimg/stage3b_reloc.bin

(before the update(s390-tools2.12.0-ubuntu3.7))
> apt-file list s390-tools | grep genprotimg
s390-tools: /usr/bin/genprotimg
[....]

Verify process:

1) Obtain a (z15) Host-key document, e.g. via the official channel
see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document

2) Get a signing key (z15) + intermediate certificate
see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document

3) (optional) verify that the signing key is a new one (check for: Locality Armonk)
> openssl x509 -text -in international_business_machines_corporation.crt | grep Subject
Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International Business Machines Corporation
L **must** be Armonk, and not Poughkeepsie

4) run the tools if available:
The fixed tools will accept the cert chain and exit with exit code 0 and the output generated.
The non-fixed will print an error message, abort, and report exit != 0

genprotimg:
> genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt
# BEFORE_FIX: Failed to verify host-key document: please specify at least one IBM Z signing key
# AFTER_FIX:
# exit code 0

> pvattest create -VVV -o tmp --arpk arpk -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt
# BEFORE_FIX: ERROR: Creating the attestation request failed: Specify at least one IBM Z signing key
# AFTER_FIX:
# exit code 0

> pvsecret create --hdr ~/secure_guest.hdr -o tmp -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/armonk/DigiCertCA.crt meta
# BEFORE_FIX: error: Host-key verification failed: Specify one IBM Z signing key
# AFTER FIX: Successfully generated the request

Note: You can use any z15 host-key you like. It doesn't have to match the machine you are running on.
For the secure-guest.hdr in pvsecret you can use any se-header you like. You can use a test-asset from s390-tools repository:
https://github.com/ibm-s390-linux/s390-tools/raw/master/rust/pv/tests/assets/exp/secure_guest.hdr

Steffen

--
https://bugs.launchpad.net/bugs/2059303

Title:
[UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)
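
The optional locality check from step 3 of the comment above, written as a shell function whose exit code can gate the tool runs in step 4. This is an added example, not part of the original comment and not s390-tools code; the function names are hypothetical, and the sample subject is the line quoted in step 3.

```shell
#!/bin/sh
# Added example (not from s390-tools): classify an IBM Z signing-key
# certificate by the locality (L) attribute of its subject.
# Function names are hypothetical.

# Subject line as quoted in step 3 of the comment above.
SAMPLE_SUBJECT='Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International Business Machines Corporation'

# Print the L attribute of an openssl subject line. Accepts the
# "C = US, L = Armonk" form and the legacy "/C=US/L=Armonk" form.
# Other lines that `grep Subject` also matches in -text output
# (e.g. "Subject Public Key Info:") carry no L attribute and are skipped.
subject_locality() {
    printf '%s\n' "$1" |
        sed -E 's/^ *[Ss]ubject *[:=] *//' |
        tr ',/' '\n\n' |
        sed -n -E 's/^ *L *= *(.*[^ ]) *$/\1/p' |
        head -n 1
}

# Return 0 for the new key (Armonk), 1 for Poughkeepsie, 2 otherwise.
check_signing_key_subject() {
    loc=$(subject_locality "$1")
    case "$loc" in
        Armonk)       echo "OK: L = Armonk"; return 0 ;;
        Poughkeepsie) echo "NOT NEW: L = Poughkeepsie"; return 1 ;;
        *)            echo "UNKNOWN: L = '$loc'"; return 2 ;;
    esac
}

# Same check on a certificate file (requires the openssl CLI).
check_signing_key_cert() {
    subj=$(openssl x509 -noout -subject -in "$1") || return 2
    check_signing_key_subject "$subj"
}
```

Call `check_signing_key_cert ~/international_business_machines_corporation.crt` before running genprotimg, pvattest or pvsecret; a non-zero exit means the certificate is not the new Armonk signing key.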