** Description changed:
+ SRU Justification:
+ ==================
+
+ [Impact]
+
+ * DigiCert is the CA issuing the signing certificate for Secure Execution
+ host key documents. This certificate is used for the verification of the
+ host key document validity.
+
+ * Recently, DigiCert has changed the root CA certificate used for issuance
+ of the signing certificates.
+
+ * As genprotimg is checking the CA serial, the verification of the chain of
+ trust will fail.
+
+ * As a workaround, it is possible to disable certificate verification,
+ but this is of course not recommended, because it makes it easier to
+ provide a fake host key document.
+
+ * Since the previously issued host key documents are expiring in April 2022,
+ it is necessary to fix genprotimg to accept the newly issued host key
+ documents.
+
+ * The situation is now addressed by removing the DigiCert root CA
+ pinning.
+
+ * The root CA used for the chain of trust can change in the future,
+ therefore it makes sense to remove this check.
+
+ * If someone wants to enforce the usage of a specific root CA, it can be
+ selected by the genprotimg command line option `--root-ca $CA`.
+
+ * Make it transparent to the user which root CA is actually being used by
+ printing the subject name of the root CA to stdout in verbose mode.
+
+ [Fix]
+
+ * 78b0533 78b053326c504c0535b5ec1c244ad7bb5a1df29d ("genprotimg: remove
+ DigiCert root CA pinning")
+
+ [Test Plan]
+
+ * The usage of secure execution is nicely documented at the
+ 'Introducing IBM Secure Execution for Linux' docs.
+
https://www.ibm.com/docs/en/linux-on-systems?topic=virtualization-introducing-secure-execution-linux
+ Relevant for this fix is paragraph 'Verifying the host key document'
+
https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document
+
+ * Especially notice the 'About this task' section that references the
+ check_hostkeydoc script to perform the verification steps.
+
+ + Due to the fact that Secure Execution requires z15 as a minimal
+ hardware level, the testing is done by IBM.
+
+ * (Test can be done in combination with LP#1968259.)
+
+ [Where problems could occur]
+
+ * The removal of the DigiCert root CA pinning can - if not carefully done)
+ lead to wrong - in worst case false positive checks by genprotimg.
+
+ * The main code changes decouple the checks from DigiCert root (ca_skid)
+ and to allow more general X509 certificates.
+ If not done thoroughly (pv_crypto_def.h, pv_args.c, pv_image.c,
+ crypto..h and crypto.c), issues will be caused while checking
+ certificates. Maybe not only new ones, but also old ones.
+
+ * Overall this is an s390x topic only, and even there only relevant for
+ Secure Execution (KVM) TEE environments.
+
+ [Other Info]
+
+ * Even if the LP bug title references focal only, this fix is also needed
+ for all newer Ubuntu releases - here: impish and jammy.
+ __________
+
== Comment: #0 - Viktor Mihajlovski <mihaj...@de.ibm.com> - 2022-04-07
08:55:11 ==
DigiCert is the CA issuing the signing certificate for Secure Execution host
key documents. This certificate is used for the verification of the host key
document validity. Recently, DigiCert has changed the root CA certificate used
for issuance of the signing certificates.
As genprotimg is checking the CA serial, the verification of the chain of
trust will fail. As a workaround, it is possible to disable certificate
verification, but this is not recommended because it makes it easier to provide
a fake host key document.
Since the previously issued host key documents are expiring in April 2022, it
is necessary to fix genprotimg to accept the newly issued host key documents.
-
+
Contact Information = Viktor Mihajlovski <mihaj...@de.ibm.com>
== Comment: #2 - Viktor Mihajlovski <mihaj...@de.ibm.com> - 2022-04-07
08:57:47 ==
Fixed by:
https://github.com/ibm-s390-linux/s390-tools
commit 78b053326c504c0535b5ec1c244ad7bb5a1df29d
Author: Marc Hartmayer <mhart...@linux.ibm.com>
Date: Thu Mar 31 14:00:31 2022 +0000
- genprotimg: remove DigiCert root CA pinning
+ genprotimg: remove DigiCert root CA pinning
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1968260
Title:
[UBUNTU 20.04] genprotimg fails to process z15 host key documents
after April 2022 (s390-tools)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1968260/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
