** Description changed: + SRU Justification: + ================== + + [Impact] + + * 'zkey validate' shows wrong information about master key registers + + * this might lead to unsuccessful usage of pkeys, although the master + key and the derived keys are correct + + [Fix] + + * ebb7c695d3bc7a4986b92edc8d9ef43491be183e ebb7c69 "pkey: Indicate old + mkvp only if old and current mkvp are different" + + [Test Case] + + * set a CCA master key + + * generate a pkey + + * 'change' (or better set) the current CCA master key to the exact same + master key again which is currently in use + + * execute a 'zkey validate' + + [Regression Potential] + + * The regression potential can be considered as very low since this is + purely s390x specific + + * changes are limited to a single file (drivers/s390/crypto/pkey_api.c) + + * patch changes only one line (actually expands an if stmt) + + * and all this happens only in a very specific situation (in case a new + master key was set, using the same key as before) + + [Other Info] + + * Problem was found during tests at IBM and is a so called 'preventive + fix' + + __________ + Description: pkey: Indicate old mkvp only if old and curr. mkvp are different Symptom: zkey validate shows wrong information about master key registers Problem: When the CCA master key is set twice with the same master key, - then the old and the current master key are the same and thus - the verification patterns are the same, too. The check to report - if a secure key is currently wrapped by the old master key - erroneously reports old mkvp in this case. + then the old and the current master key are the same and thus + the verification patterns are the same, too. The check to report + if a secure key is currently wrapped by the old master key + erroneously reports old mkvp in this case. Solution: Fix this by checking current and old mkvp and report OLD only if - current and old mkvp are different. + current and old mkvp are different. Reproduction: Change the CCA master key but set the exact same master key that is already used. Then do a 'zkey validate' command on a secure key Component: kernel 5.1 rc1 Upstream-ID: ebb7c695d3bc7a4986b92edc8d9ef43491be183e This fix will be provided with kernel >=5.1 , will be integrate in 19.10 by default. But should also be applied to 18.04 and 19.04
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1832625 Title: [UBUNTU] pkey: Indicate old mkvp only if old and curr. mkvp are different To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1832625/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
