Ubuntu
s390-tools package

[UBUNTU 20.04] genprotimg fails to process z15 host key documents after April 2022 (s390-tools)

Bug #1968260 reported by bugproxy
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
Fix Released
High
Skipper Bug Screeners
s390-tools (Ubuntu)
Fix Released
Undecided
Graham Inggs
Focal
Fix Released
Undecided
Graham Inggs
Impish
Fix Released
Undecided
Graham Inggs
Jammy
Fix Released
Undecided
Graham Inggs
s390-tools-signed (Ubuntu)
Fix Released
Undecided
Graham Inggs
Focal
Fix Released
Undecided
Graham Inggs
Impish
Fix Released
Undecided
Graham Inggs
Jammy
Fix Released
Undecided
Graham Inggs

Bug Description

SRU Justification:
==================

[Impact]

 * DigiCert is the CA issuing the signing certificate for Secure Execution
   host key documents. This certificate is used for the verification of the
   host key document validity.

 * Recently, DigiCert has changed the root CA certificate used for issuance
   of the signing certificates.

 * As genprotimg is checking the CA serial, the verification of the chain of
   trust will fail.

 * As a workaround, it is possible to disable certificate verification,
   but this is of course not recommended, because it makes it easier to
   provide a fake host key document.

 * Since the previously issued host key documents are expiring in April 2022,
   it is necessary to fix genprotimg to accept the newly issued host key
   documents.

 * The situation is now addressed by removing the DigiCert root CA pinning.

 * The root CA used for the chain of trust can change in the future,
   therefore it makes sense to remove this check.

 * If someone wants to enforce the usage of a specific root CA, it can be
   selected by the genprotimg command line option `--root-ca $CA`.

 * Make it transparent to the user which root CA is actually being used by
   printing the subject name of the root CA to stdout in verbose mode.

[Fix]

 * 78b0533 78b053326c504c0535b5ec1c244ad7bb5a1df29d ("genprotimg: remove DigiCert root CA pinning")

[Test Plan]

 * The usage of secure execution is nicely documented at the
   'Introducing IBM Secure Execution for Linux' docs.
   https://www.ibm.com/docs/en/linux-on-systems?topic=virtualization-introducing-secure-execution-linux
   Relevant for this fix is paragraph 'Verifying the host key document'
   https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document

 * Especially notice the 'About this task' section that references the
   check_hostkeydoc script to perform the verification steps.

 + Due to the fact that Secure Execution requires z15 as a minimal
   hardware level, the testing is done by IBM.

 * (Test can be done in combination with LP#1968259.)

[Where problems could occur]

 * The removal of the DigiCert root CA pinning can - if not carefully done)
   lead to wrong - in worst case false positive checks by genprotimg.

 * The main code changes decouple the checks from DigiCert root (ca_skid)
   and to allow more general X509 certificates.
   If not done thoroughly (pv_crypto_def.h, pv_args.c, pv_image.c,
   crypto..h and crypto.c), issues will be caused while checking
   certificates. Maybe not only new ones, but also old ones.

 * Overall this is an s390x topic only, and even there only relevant for
   Secure Execution (KVM) TEE environments.

[Other Info]

 * Even if the LP bug title references focal only, this fix is also needed
   for all newer Ubuntu releases - here: impish and jammy.
__________

== Comment: #0 - Viktor Mihajlovski <email address hidden> - 2022-04-07 08:55:11 ==
DigiCert is the CA issuing the signing certificate for Secure Execution host key documents. This certificate is used for the verification of the host key document validity. Recently, DigiCert has changed the root CA certificate used for issuance of the signing certificates.
As genprotimg is checking the CA serial, the verification of the chain of trust will fail. As a workaround, it is possible to disable certificate verification, but this is not recommended because it makes it easier to provide a fake host key document.
Since the previously issued host key documents are expiring in April 2022, it is necessary to fix genprotimg to accept the newly issued host key documents.

Contact Information = Viktor Mihajlovski <email address hidden>

== Comment: #2 - Viktor Mihajlovski <email address hidden> - 2022-04-07 08:57:47 ==
Fixed by:

https://github.com/ibm-s390-linux/s390-tools

commit 78b053326c504c0535b5ec1c244ad7bb5a1df29d
Author: Marc Hartmayer <email address hidden>
Date: Thu Mar 31 14:00:31 2022 +0000

    genprotimg: remove DigiCert root CA pinning

See original description
bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-197550 severity-high targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
affects: linux (Ubuntu) → s390-tools (Ubuntu)
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
importance: Undecided → High
Revision history for this message
Frank Heimes (fheimes) wrote :

s390-tools debdiff for LP#1968259 and LP#1968260 / jammy

Changed in s390-tools-signed (Ubuntu Jammy):
status: New → In Progress
Changed in s390-tools (Ubuntu Jammy):
status: New → In Progress
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "s390-tools debdiff for LP#1968259 and LP#1968260 / jammy" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Frank Heimes (fheimes) wrote :

s390-tools-signed debdiff for LP#1968259 and LP#1968260

Frank Heimes (fheimes)
tags: added: jammy
removed: patch
Frank Heimes (fheimes)
description: updated
Revision history for this message
Frank Heimes (fheimes) wrote :

s390-tools debdiff for LP#1968259 and LP#1968260 / impish

Revision history for this message
Frank Heimes (fheimes) wrote :

s390-tools-signed debdiff for LP#1968259 and LP#1968259 / impish

Changed in s390-tools-signed (Ubuntu Impish):
status: New → In Progress
Changed in s390-tools (Ubuntu Impish):
status: New → In Progress
Revision history for this message
Frank Heimes (fheimes) wrote :

s390-tools debdiff for LP#1968260 / focal

Revision history for this message
Frank Heimes (fheimes) wrote :

s390-tools-signed debdiff for LP#1968260 / focal

Changed in s390-tools (Ubuntu Focal):
status: New → In Progress
Changed in s390-tools-signed (Ubuntu Focal):
status: New → In Progress
Changed in ubuntu-z-systems:
status: New → In Progress
Graham Inggs (ginggs)
Changed in s390-tools (Ubuntu Jammy):
assignee: Skipper Bug Screeners (skipper-screen-team) → Graham Inggs (ginggs)
Changed in s390-tools-signed (Ubuntu Jammy):
assignee: nobody → Graham Inggs (ginggs)
Graham Inggs (ginggs)
Changed in s390-tools (Ubuntu Jammy):
status: In Progress → Fix Committed
Changed in s390-tools-signed (Ubuntu Jammy):
status: In Progress → Fix Committed
Revision history for this message
Frank Heimes (fheimes) wrote (last edit ):

uploaded new debdiff of the s390-tools-signed package for jammy that incl. the needed d/c update

Revision history for this message
Frank Heimes (fheimes) wrote (last edit ):

uploaded new debdiff of the s390-tools-signed package for impish that incl. the needed d/c update

Revision history for this message
Frank Heimes (fheimes) wrote :

uploaded new debdiff of the s390-tools-signed package for focal that incl. the needed d/c update

Revision history for this message
bugproxy (bugproxy) wrote : s390-tools-signed debdiff for LP#1968259 and LP#1968260

Default Comment by Bridge

Revision history for this message
bugproxy (bugproxy) wrote : s390-tools-signed debdiff for LP#1968259 and LP#1968259 / impish

Default Comment by Bridge

Revision history for this message
bugproxy (bugproxy) wrote : s390-tools-signed debdiff for LP#1968260 / focal

Default Comment by Bridge

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.20.0-0ubuntu3

---------------
s390-tools (2.20.0-0ubuntu3) jammy; urgency=medium

  * No-change rebuild to match s390-tools-signed version

 -- Graham Inggs <email address hidden> Wed, 13 Apr 2022 10:32:45 +0000

Changed in s390-tools (Ubuntu Jammy):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in s390-tools-signed (Ubuntu Jammy):
status: Fix Committed → Fix Released
Graham Inggs (ginggs)
Changed in s390-tools (Ubuntu Focal):
assignee: nobody → Graham Inggs (ginggs)
Changed in s390-tools (Ubuntu Impish):
assignee: nobody → Graham Inggs (ginggs)
Changed in s390-tools-signed (Ubuntu Focal):
assignee: nobody → Graham Inggs (ginggs)
Changed in s390-tools-signed (Ubuntu Impish):
assignee: nobody → Graham Inggs (ginggs)
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello bugproxy, or anyone else affected,

Accepted s390-tools into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/2.17.0-0ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in s390-tools (Ubuntu Impish):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-impish
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello bugproxy, or anyone else affected,

Accepted s390-tools into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/2.12.0-0ubuntu3.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in s390-tools (Ubuntu Focal):
status: In Progress → Fix Committed
Changed in s390-tools-signed (Ubuntu Impish):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
Changed in s390-tools-signed (Ubuntu Focal):
status: In Progress → Fix Committed
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-05-11 12:16 EDT-------
Verified on Ubuntu Focal:

$ genprotimg --version
genprotimg version 2.12.0-build-20220506
Copyright IBM Corp. 2020

$ dpkg -s s390-tools
Package: s390-tools
...
Architecture: s390x
Version: 2.12.0-0ubuntu3.5
...

Revision history for this message
Frank Heimes (fheimes) wrote :

Thx a lot Marc - adjusting updating the tags ...

tags: added: verification-done-focal verification-done-impish
removed: verification-needed-focal verification-needed-impish
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.17.0-0ubuntu2.1

---------------
s390-tools (2.17.0-0ubuntu2.1) impish; urgency=medium

  * d/p/78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch
    Fix for genprotimg failing to process z15 host key documents
    after April 2022.
    (LP: #1968260)
  * d/p/673ff37-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
    Fixing check_hostkeydoc since it's checking the certificate issuer
    too strictly.
    (LP: #1968259)

 -- Frank Heimes <email address hidden> Mon, 11 Apr 2022 13:38:11 +0200

Changed in s390-tools (Ubuntu Impish):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for s390-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.12.0-0ubuntu3.5

---------------
s390-tools (2.12.0-0ubuntu3.5) focal; urgency=medium

  * d/p/78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch
    Fix for genprotimg failing to process z15 host key documents
    after April 2022.
    (LP: #1968260)
  * refreshed in total 14 patches in d/p to fix offset issues

 -- Frank Heimes <email address hidden> Tue, 12 Apr 2022 08:26:57 +0200

Changed in s390-tools (Ubuntu Focal):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Changed in s390-tools-signed (Ubuntu):
status: Fix Committed → Fix Released
Changed in s390-tools-signed (Ubuntu Focal):
status: Fix Committed → Fix Released
Changed in s390-tools-signed (Ubuntu Impish):
status: Fix Committed → Fix Released
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-05-11 12:18 EDT-------
Verified on Ubuntu Jammy.

$ genprotimg --version
genprotimg version 2.20.0-build-20220413
Copyright IBM Corp. 2020

$ dpkg -s s390-tools
Package: s390-tools
...
Architecture: s390x
Version: 2.20.0-0ubuntu3
...

------- Comment From <email address hidden> 2022-05-18 21:28 EDT-------
Fix verified and released to -updates, hence closing the bug.
Status change: ==> CLOSED.

tags: added: targetmilestone-inin2004
removed: targetmilestone-inin---
To post a comment you must log in.