[Bug 1959965] Re: [22.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - s390-tools part

Frank Heimes 1959965 at bugs.launchpad.net
Fri Oct 18 11:40:46 UTC 2024


A new test build was done in PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1959965-2nd

And the packages were again tested in the same infrastructure as before
and all tests were completed successfully this time (normal zdump and zdump in SE).

Hence I'm attaching the new debdiff here and preparing for a new upload...


** Attachment added: "debdiffs_2nd.tgz"
   https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1959965/+attachment/5829451/+files/debdiffs_2nd.tgz

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1959965

Title:
  [22.04 FEAT] KVM: Secure Execution guest dump encryption with customer
  keys - s390-tools part

Status in Ubuntu on IBM z Systems:
  Fix Released
Status in s390-tools package in Ubuntu:
  Fix Released
Status in s390-tools-signed package in Ubuntu:
  Fix Released
Status in s390-tools source package in Jammy:
  Fix Committed
Status in s390-tools-signed source package in Jammy:
  Fix Committed

Bug description:
  SRU Justification:
  ------------------

  [ Impact ]

   * Hypervisor-initiated dumps for Secure Execution (aka confidential computing)
     guests (on s390x) are not helpful because memory and CPU state is encrypted
     by a transient key only available to the Ultravisor.

   * Workload owners can still configure kdump in order to obtain kernel crash
     information, but there are situations where kdump doesn't work.

   * In such situations problem determination is severely impeded.

   * This patch set solves this by implementing dumps created in a way
     that can only be decrypted by the owner of the guest image
     and be used for problem determination.

  [ Test Plan ]

   * The setup of a Secure Execution environment is not trivial
     and requires a certain set of hardware (IBM z15 or higher
     with FC 115).

   * On top of the modifications of qemu that are handled in this
     LP bug, modifications of the Kernel (LP#1959940) and
     the qemu (LP#1959966) are required on top.

   * Modified Ubuntu kernel and qemu test builds are needed or
     both should be in -proposed at a similar time (which might
     be difficult).
     A modified s390-tools is what this LP bug is all about.
     It can be found at this PPA:
     https://launchpad.net/~fheimes/+archive/ubuntu/lp1959965
     (kernel: https://launchpad.net/~fheimes/+archive/ubuntu/lp1959940j
      qemu: https://launchpad.net/~sergiodj/+archive/ubuntu/qemu/+packages)

   * A detailed description (using Ubuntu as example) on how to setup
     secure execution is available here:
     Introducing IBM Secure Execution for Linux, April 2024 update
     https://www.ibm.com/docs/en/linuxonibm/pdf/lx24se04.pdf

   * And information on 'Working with dumps of KVM guests in
     IBM Secure Execution mode' is again available here:
     https://www.ibm.com/docs/en/linux-on-systems?topic=commands-zgetdump#czgetdump__se_dump_examples

   * Due to the special requirements, the test and validation will be done
     by IBM (as was already done for Kernel (LP#1959940) and qemu (LP#1959966)).

   * On top, it is needed to still test the normal dump procedure
     (in a non-secure-execution environment) as well,
     to test for potential regressions on top, incl. attestation.

  [ Where problems could occur ]

   * The vast majority of patches are in the area of zdump,
     which is IBM Z aka s390x specific.

   * So the modifications here are not only needed for Secure Execution guest
     dump encryption with customer keys, but could potentially also affect
     normal dumps (without secure execution),
     hence this should be regression tested as well.

   * The code/modifications here are all upstream since 24.04 and
     to some extent also tested on this Ubuntu level.
     But the structure in the s390-tools meanwhile changed slightly,
     hence the two adjustments needed in commits:
     d/p/lp-1959965-zdump-dfi-add-support-to-read-Protected-Virtualizati.patch
     and d/p/lp-1959965-zdump-Makefile-add-basic-libpv-support.patch

   * There is a certain danger that additionally needed adjustments were missed,
     but a test compile and the test plan would mitigate that risk.

   * The changes in the libraries/macros libpv and zt_common are
     largely addressed by the test build.

   * Since the pvattest tools got patches as well, attestation 
     could be impacted as well, hence having this in the test plan, too.

  [ Other Info ]

   * Since 22.04 is a popular LTS release, it is already in use by many
     secure execution customers.
     But in case of severe crashes or issues in the secure execution
     (KVM) guests, dumps cannot be used as of today.

   * This enables customers, IBM and Canonical to get support in case of
     crashes/dumps on hardware that runs secure execution environments.

  __________

  KVM: Secure Execution guest dump encryption with customer keys -
  s390-tools part

  Description:
  Hypervisor-initiated dumps for Secure Execution guests are not helpful because memory and CPU state is encrypted by a transient key only available to the Ultravisor.  Workload owners can still configure kdump in order to obtain kernel crash information, but there are situations where kdump doesn't work. In such situations problem determination is severely impeded. This feature will implement dumps created in a way that can only be decrypted by the owner of the guest image and be used for problem determination.

  Request Type: Package - Update Version
  Upstream Acceptance: In Progress
  Code Contribution: IBM code

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1959965/+subscriptions
