** Changed in: ubuntu-z-systems
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1959973
Title:
[22.04 FEAT] KVM: Attestation support for Secure Execution (crypto)
Status in Ubuntu on IBM z Systems:
Fix Committed
Status in linux package in Ubuntu:
Invalid
Status in linux source package in Jammy:
Fix Committed
Bug description:
SRU Justification:
==================
[Impact]
* This is a hardware enablement SRU in support of
IBM z15 and LinuxONE III (FC 115) secure execution feature.
* It adds a misc character device to expose some Ultravisor
functions to userspace.
* The device is only available if the (optional) Ultravisor
Facility (158) is present in the system.
* Two Ultravisor calls are supported:
- Query Ultravisor Information (QUI) and
- Receive Attestation Measurement (Attest[ation])
* This is in support of for example. external frameworks,
specific deployment models or especially
potentially regulatory requirements.
[Fix]
* 4689752c79fa 4689752c79fa30e91b49b39a9fba93c4d1f3e20c
"drivers/s390/char: Add Ultravisor io device"
* eb3de2d8f78d eb3de2d8f78d893303891d879f941c47f2f2d13d
"s390/uv_uapi: depend on CONFIG_S390"
* patch to set kernel config option 'CONFIG_S390_UV_UAPI=y'
[Test Plan]
* An IBM z15 or LinuxONE III LPAR with FC 115 enabled is required.
* Installation of Ubuntu Server 22.04 LTS on top.
* Install a kernel that incl. the above patches/commits
(that has the kernel config option 'CONFIG_S390_UV_UAPI' enabled).
* Activate the kernel (reboot) and look for the existence of
the uvdevice '/dev/uv'.
* Use a userspace test program that makes use of the new
misc device by exploiting 'ATTEST'.
* Due to hardware requirements this test needs to be conducted by
IBM.
[Where problems could occur]
* The definitions in uv_cmds_inst and uv_feat_ind could be wrong
and the codes wrong or mixed up, which would lead to a broken
functionality/interface.
* The uvdevice header definitions could be erroneous,
defining an wrong interface.
* The newly added kernel options could be implemented in a wrong way,
so that it doesn't enable the 'uvdevice', but unlikely.
* The implementation of the device itself in 'uvdevice.c' could be broken
by wrong or broken pointer arithmetics, wrong method arguments,
wrong sizeof/length calculations, which - in worst case - could entirely
crash a system.
* The ioctl control block implementation could be wrong in a way,
that it doesn't properly handle the case where the facility is not
available in the system.
* Entry point, copy and check routines could be wrong,
allowing non-desired calls.
* This is an s390x-only functionality,
that is only available on IBM z15 / LinuxONE III systems and newer,
and only is the optional feature 'FC 115' in place,
which is limited to 'secure-execution' workloads.
[Other Info]
* The above commit is marked to be merged into 5.19-rc2,
and since the planned target kernel for kinetic is
5.19, the SRU is not needed for kinetic.
__________
KVM: Attestation support for Secure Execution (crypto)
Description:
Provide attestations support, e.g. for external frameworks, specific
deployment models or potentially regulatory requirements.
Request Type: Kernel - Enhancement from IBM
Upstream Acceptance: In Progress
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1959973/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
