** Description changed:

+ SRU Justification:
+ ==================
+
+ [Impact]
+
+ * It is difficult for customers to identify if a KVM guest on s390x runs
+   in secure execution mode or not. Hence several requests came up that
+   asked about providing a better indication.
+
+ * If the mode is not known, one may venture oneself into deceptive
+   security.
+
+ * Patches that allow a better indication via 'prot_virt_host' using the
+   sysfs firmware interface were added to upstream kernel 5.13.
+
+ * Secure execution was initially introduced in Ubuntu with focal /
+   20.04, hence this request to SRU.
+
+ [Fix]
+
+ * 37564ed834aca26993b77b9b2a0119ec1ba6e00c 37564ed834ac "s390/uv: add
+   prot virt guest/host indication files"
+
+ * df2e400e07ad53a582ee934ce8384479d5ddf48b df2e400e07ad "s390/uv: fix
+   prot virt host indication compilation"
+
+ [Test Case]
+
+ * A z15 or LinuxONE III LPAR is needed that runs KVM in secure
+   execution.
+
+ * Have a look for the 'prot_virt_host' key at the sysfs firmware
+   interface - '1' indicates that the ultravisor is active and that the
+   guest is running protected (in secure execution mode).
+
+ [Regression Potential]
+
+ * The patch is s390x specific and modifies file arch/s390/kernel/uv.c
+   only.
+
+ * An entirely new function 'uv_is_prot_virt_guest' was added and
+   initialized and used in uv_info_init - hence the regression risk in
+   existing code is rather small.
+
+ * However, in case the initialization was done erroneously the
+   indication might be wrong, maybe showing that the system is not
+   protected in the way it should be (wrong indication).
+
+ * More general code deficiencies in these two functions will be largely
+   indicated by the test compiles.
+
+ * But the code was already tested based on kernel 5.13 - and for SRU-ing
+   a cherry-pick of the patches was sufficient, hence the exact same code
+   as in 5.13 is used.
+
+ * Further tests of the SRU kernels (5.11 and 5.4) can be done based on
+   the test kernel available from the PPA (see below).
+
+ [Other]
+
+ * Patches are upstream accepted since 5.13-rc1.
+
+ * Request was to add the patches to focal / 20.04.
+
+ * To avoid potential regressions on upgrades, the patches need to be
+   added to hirsute / 20.10, too.
+ __________

  Provide an indication in the guest that it's running securely.
  Cannot replace a real attestation and doesn't really provide additional
  security (or could even create the false impression of security), but
  has been frequently requested by customers.

  Value: Usability, lower the effort to prepare and deploy secure workloads.
--
https://bugs.launchpad.net/bugs/1933173

Title:
  [21.10 FEAT] KVM: Provide a secure guest indication
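
Added example, not part of the bug report or of the kernel patches: a shell check for the indication files named in the [Fix] commit title, which keeps "file absent" (a kernel without the patches) separate from a file that reads '0'. The directory /sys/firmware/uv, the file name prot_virt_guest, and the function names uv_flag and uv_report are assumptions that do not appear in the report.

```shell
#!/bin/sh
# Added example; not code from the bug report or the kernel.
# Assumption: the indication files live in /sys/firmware/uv and are
# named prot_virt_guest and prot_virt_host.

# uv_flag DIR NAME
# Prints "1" or "0" as read from the file, "absent" when the file is
# missing or unreadable, "invalid" for any other content.
uv_flag() {
    f="$1/$2"
    if [ ! -r "$f" ]; then
        echo absent
        return 0
    fi
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0|1) echo "$v" ;;
        *)   echo invalid ;;
    esac
}

# uv_report [DIR]
# Prints one summary line for both files. DIR defaults to the assumed
# sysfs location; passing another directory allows offline testing.
# "absent" means the running kernel does not expose the indication
# (for example an SRU kernel without the patches). It says nothing
# about whether secure execution is active.
uv_report() {
    dir="${1:-/sys/firmware/uv}"
    guest=$(uv_flag "$dir" prot_virt_guest)
    host=$(uv_flag "$dir" prot_virt_host)
    echo "prot_virt_guest=$guest prot_virt_host=$host"
}

# Usage on a running system: uv_report
```

As the description states, the value is an indication only and cannot replace a real attestation.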
