[UBUNTU 20.04] genprotimg fails to process z15 host key documents after April 2022 (s390-tools)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu on IBM z Systems |
Fix Released
|
High
|
Skipper Bug Screeners | ||
s390-tools (Ubuntu) |
Fix Released
|
Undecided
|
Graham Inggs | ||
Focal |
Fix Released
|
Undecided
|
Graham Inggs | ||
Impish |
Fix Released
|
Undecided
|
Graham Inggs | ||
Jammy |
Fix Released
|
Undecided
|
Graham Inggs | ||
s390-tools-signed (Ubuntu) |
Fix Released
|
Undecided
|
Graham Inggs | ||
Focal |
Fix Released
|
Undecided
|
Graham Inggs | ||
Impish |
Fix Released
|
Undecided
|
Graham Inggs | ||
Jammy |
Fix Released
|
Undecided
|
Graham Inggs |
Bug Description
SRU Justification:
==================
[Impact]
* DigiCert is the CA issuing the signing certificate for Secure Execution
host key documents. This certificate is used for the verification of the
host key document validity.
* Recently, DigiCert has changed the root CA certificate used for issuance
of the signing certificates.
* As genprotimg is checking the CA serial, the verification of the chain of
trust will fail.
* As a workaround, it is possible to disable certificate verification,
but this is of course not recommended, because it makes it easier to
provide a fake host key document.
* Since the previously issued host key documents are expiring in April 2022,
it is necessary to fix genprotimg to accept the newly issued host key
documents.
* The situation is now addressed by removing the DigiCert root CA pinning.
* The root CA used for the chain of trust can change in the future,
therefore it makes sense to remove this check.
* If someone wants to enforce the usage of a specific root CA, it can be
selected by the genprotimg command line option `--root-ca $CA`.
* Make it transparent to the user which root CA is actually being used by
printing the subject name of the root CA to stdout in verbose mode.
[Fix]
* 78b0533 78b053326c504c0
[Test Plan]
* The usage of secure execution is nicely documented at the
'Introducing IBM Secure Execution for Linux' docs.
https:/
Relevant for this fix is paragraph 'Verifying the host key document'
https:/
* Especially notice the 'About this task' section that references the
check_hostkeydoc script to perform the verification steps.
+ Due to the fact that Secure Execution requires z15 as a minimal
hardware level, the testing is done by IBM.
* (Test can be done in combination with LP#1968259.)
[Where problems could occur]
* The removal of the DigiCert root CA pinning can - if not carefully done)
lead to wrong - in worst case false positive checks by genprotimg.
* The main code changes decouple the checks from DigiCert root (ca_skid)
and to allow more general X509 certificates.
If not done thoroughly (pv_crypto_def.h, pv_args.c, pv_image.c,
crypto..h and crypto.c), issues will be caused while checking
certificates. Maybe not only new ones, but also old ones.
* Overall this is an s390x topic only, and even there only relevant for
Secure Execution (KVM) TEE environments.
[Other Info]
* Even if the LP bug title references focal only, this fix is also needed
for all newer Ubuntu releases - here: impish and jammy.
__________
== Comment: #0 - Viktor Mihajlovski <email address hidden> - 2022-04-07 08:55:11 ==
DigiCert is the CA issuing the signing certificate for Secure Execution host key documents. This certificate is used for the verification of the host key document validity. Recently, DigiCert has changed the root CA certificate used for issuance of the signing certificates.
As genprotimg is checking the CA serial, the verification of the chain of trust will fail. As a workaround, it is possible to disable certificate verification, but this is not recommended because it makes it easier to provide a fake host key document.
Since the previously issued host key documents are expiring in April 2022, it is necessary to fix genprotimg to accept the newly issued host key documents.
Contact Information = Viktor Mihajlovski <email address hidden>
== Comment: #2 - Viktor Mihajlovski <email address hidden> - 2022-04-07 08:57:47 ==
Fixed by:
https:/
commit 78b053326c504c0
Author: Marc Hartmayer <email address hidden>
Date: Thu Mar 31 14:00:31 2022 +0000
genprotimg: remove DigiCert root CA pinning
tags: | added: architecture-s39064 bugnameltc-197550 severity-high targetmilestone-inin--- |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → linux (Ubuntu) |
affects: | linux (Ubuntu) → s390-tools (Ubuntu) |
Changed in ubuntu-z-systems: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
importance: | Undecided → High |
tags: |
added: jammy removed: patch |
description: | updated |
Changed in s390-tools (Ubuntu Jammy): | |
assignee: | Skipper Bug Screeners (skipper-screen-team) → Graham Inggs (ginggs) |
Changed in s390-tools-signed (Ubuntu Jammy): | |
assignee: | nobody → Graham Inggs (ginggs) |
Changed in s390-tools (Ubuntu Jammy): | |
status: | In Progress → Fix Committed |
Changed in s390-tools-signed (Ubuntu Jammy): | |
status: | In Progress → Fix Committed |
Changed in s390-tools-signed (Ubuntu Jammy): | |
status: | Fix Committed → Fix Released |
Changed in s390-tools (Ubuntu Focal): | |
assignee: | nobody → Graham Inggs (ginggs) |
Changed in s390-tools (Ubuntu Impish): | |
assignee: | nobody → Graham Inggs (ginggs) |
Changed in s390-tools-signed (Ubuntu Focal): | |
assignee: | nobody → Graham Inggs (ginggs) |
Changed in s390-tools-signed (Ubuntu Impish): | |
assignee: | nobody → Graham Inggs (ginggs) |
Changed in ubuntu-z-systems: | |
status: | In Progress → Fix Committed |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
Changed in s390-tools-signed (Ubuntu): | |
status: | Fix Committed → Fix Released |
Changed in s390-tools-signed (Ubuntu Focal): | |
status: | Fix Committed → Fix Released |
Changed in s390-tools-signed (Ubuntu Impish): | |
status: | Fix Committed → Fix Released |
s390-tools debdiff for LP#1968259 and LP#1968260 / jammy