Ok, so the commits are definitely _not_ in 81, but got introduced with 82 (which is not available as binary kernel, since it got superseded by 83):

~/ubuntu-focal-master-next$ git describe --abbrev=0
Ubuntu-5.4.0-83.93
~/ubuntu-focal-master-next$ git log --oneline --grep "s390/uv: add prot virt guest/host indication files"
319423704db0 s390/uv: fix prot virt host indication compilation
aee56e7b76eb s390/uv: add prot virt guest/host indication files
~/ubuntu-focal-master-next$ git tag --contains 319423704db0 | grep ^Ubuntu
Ubuntu-5.4.0-82.92
Ubuntu-5.4.0-83.93
~/ubuntu-focal-master-next$ git tag --contains aee56e7b76eb | grep ^Ubuntu
Ubuntu-5.4.0-82.92
Ubuntu-5.4.0-83.93

Since the code obviously works if being integrated into the hirsute 5.11 kernel, I assume that some patches are missing that need to be picked for the 5.4 kernel on top of these two.

Would you mind reaching out to Vikor and checking what might be missing for the 5.4 kernel? (see comment #2)

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1933173

Title:
  [21.10 FEAT] KVM: Provide a secure guest indication

Status in Ubuntu on IBM z Systems: Fix Committed
Status in linux package in Ubuntu: Fix Committed
Status in linux source package in Focal: Fix Committed
Status in linux source package in Hirsute: Fix Committed
Status in linux source package in Impish: Fix Committed

Bug description:

SRU Justification:
==================

[Impact]

* It is difficult for customers to identify if a KVM guest on s390x runs in secure execution mode or not. Hence several requests came up that asked about providing a better indication.
* If the mode is not known, one may venture oneself into deceptive security.
* Patches that allow a better indication via 'prot_virt_host' using the sysfs firmware interface were added to upstream kernel 5.13.
* Secure execution was initially introduced in Ubuntu with focal / 20.04, hence this request to SRU.

[Fix]

* 37564ed834aca26993b77b9b2a0119ec1ba6e00c 37564ed834ac "s390/uv: add prot virt guest/host indication files"
* df2e400e07ad53a582ee934ce8384479d5ddf48b df2e400e07ad "s390/uv: fix prot virt host indication compilation"

[Test Case]

* A z15 or LinuxONE III LPAR is needed that runs KVM in secure execution.
* Have a look for the 'prot_virt_host' key at the sysfs firmware interface - '1' indicates that the ultravisor is active and that the guest is running protected (in secure execution mode).

[Regression Potential]

* The patch is s390x specific and modifies file arch/s390/kernel/uv.c only.
* An entirely new function 'uv_is_prot_virt_guest' was added and initialized and used in uv_info_init - hence the regression risk in existing code is rather small.
* However, in case the initialization was done erroneously the indication might be wrong, maybe showing that the system is not protected in the way it should be (wrong indication).
* More general code deficiencies in these two functions will be largely indicated by the test compiles.
* But the code was already tested based on kernel 5.13 - and for SRU-ing a cherry-pick of the patches was sufficient, hence the exact same code as in 5.13 is used.
* Further tests of the SRU kernels (5.11 and 5.4) can be done based on the test kernel available from the PPA (see below).

[Other]

* Patches are upstream accepted since 5.13-rc1.
* Request was to add the patches to focal / 20.04.
* To avoid potential regressions on upgrades, the patches need to be added to hirsute / 20.10, too.

__________

Provide an indication in the guest that it's running securely. Cannot replace a real attestation and doesn't really provide additional security (or could even create the false impression of security), but has been frequently requested by customers.

Value: Usability, lower the effort to prepare and deploy secure workloads.
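
Added example (not part of the bug report or of the kernel patches): a shell check for the two indication files that keeps "file missing" distinct from "0", so a kernel that lacks the patches is reported as unknown rather than as an unprotected guest. The /sys/firmware/uv location and the function names uv_indication and uv_report are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or the kernel patches.
# Assumption: the indication files sit in /sys/firmware/uv; pass another
# directory as the last argument to exercise the logic off-target.

# uv_indication NAME [DIR] -> prints yes | no | absent | invalid
uv_indication() {
    f="${2:-/sys/firmware/uv}/$1"
    # A kernel without the two patches has no such file at all.
    [ -r "$f" ] || { echo absent; return 0; }
    v=$(cat "$f" 2>/dev/null) || v=""
    case "$v" in
        1) echo yes ;;
        0) echo no ;;
        *) echo invalid ;;
    esac
}

# uv_report [DIR] -> one summary line; "unknown" is never folded into "no"
uv_report() {
    dir="${1:-/sys/firmware/uv}"
    # prot_virt_guest is meaningful inside a guest, prot_virt_host on the KVM host.
    guest=$(uv_indication prot_virt_guest "$dir")
    host=$(uv_indication prot_virt_host "$dir")
    case "$guest" in
        # As the report says, this is an indication, not an attestation.
        yes) verdict="guest reports secure execution (indication only)" ;;
        no)  verdict="guest reports no secure execution" ;;
        *)   verdict="unknown: kernel exposes no usable indication" ;;
    esac
    echo "prot_virt_guest=$guest prot_virt_host=$host: $verdict"
}

# Report for the running system.
uv_report
```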

