[Bug 1959987] Please test proposed package
Ćukasz Zemczak
1959987 at bugs.launchpad.net
Fri Dec 2 00:49:36 UTC 2022
Hello bugproxy, or anyone else affected,
Accepted s390-tools-signed into jammy-proposed. The package will build
now and be available at https://launchpad.net/ubuntu/+source/s390-tools-
signed/2.20.0-0ubuntu3.2 in a few hours, and then in the -proposed
repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
jammy to verification-done-jammy. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-jammy. In either case, without details of your testing we will
not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1959987
Title:
[22.04 FEAT] KVM: Secure Execution Attestation Userspace Tool
(s390-tools)
Status in Ubuntu on IBM z Systems:
Fix Committed
Status in s390-tools package in Ubuntu:
Fix Released
Status in s390-tools-signed package in Ubuntu:
Fix Released
Status in s390-tools source package in Jammy:
Fix Committed
Status in s390-tools-signed source package in Jammy:
Fix Committed
Status in s390-tools source package in Kinetic:
Fix Released
Status in s390-tools-signed source package in Kinetic:
Fix Released
Bug description:
SRU Justification:
------------------
[Impact]
* In order to facilitate attestation of Secure Execution guests,
a userspace tool is required that will receive the attestation
request, translate it to the appropriate ultravisor calls and
return the result to the caller.
* Secure Execution is a firmware based Trusted Execution
Environment (TEE) and is with that a hardware feature (FC 115).
* And this attestation tool enriches Secure Execution, hence
this can be considered as a hardware enablement SRU.
[Test Plan]
* Setup a Secure Execution environment in a z15 (or newer) LPAR
with Ubuntu Server 22.04(.x) for s390x.
* More details on howto setup Secure Executation can be found here:
https://www.ibm.com/docs/en/linuxonibm/pdf/l120se02.pdf
* Install the updated packages in version 2.20.0-0ubuntu3.2
(s390-tools and s390-tools-signed).
* Create, perform, and verify attestation measurements for the
Secure Execution guest systems by using the 'pvatest' tool:
/usr/bin/pvattest
* In a trusted environment, to get a measurement of an untrusted
IBM Secure Execution guest call 'pvattest perform'.
and call 'pvattest verify' to verify that the measurement
is the expected one.
* Verification needs to be done by IBM.
[Where problems could occur]
* The patches/commits for the attestation tools, that complements
secure execution, largely add new files and new lines.
Only in Makefile and common.mak files are deleted,
but even there only to enlarge them.
* So there is a low risk for regression of existing functionality,
beyond build time (and a test build was done).
* However the tool itself, that consists of a statically linked
library and the tool itself might cause issues:
- for example if it fails, segfaults or causes any other issue
- or if the attestation function itself is wrong
* The status and output must be absolutely correct to not
lull someone into a false sense of security.
[Other Info]
* The attestation tool was brought upstream with s390-tools 2.22,
and since kinetic ships version 2.23 it's already incl. there.
__________
KVM: Secure Execution Attestation Userspace Tool (s390-tools)
Description:
In order to facilitate attestation of Secure Execution guests, a userspace tool is required that will receive the attestation request, translate it to the appropriate ultravisor calls and return the result to the caller.
Request Type: Package - Update Version
Upstream Acceptance: In Progress
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1959987/+subscriptions
More information about the foundations-bugs
mailing list