** Description changed: SRU Justification: [ Impact ] - * Hypervisor-initiated dumps for Secure Execution (aka confidential computing) - guests are not helpful because memory and CPU state is encrypted by a - transient key only available to the Ultravisor. + * Hypervisor-initiated dumps for Secure Execution (aka confidential computing) + guests are not helpful because memory and CPU state is encrypted by a + transient key only available to the Ultravisor. - * Workload owners can still configure kdump in order to obtain kernel crash - information, but there are situation where kdump doesn't work. + * Workload owners can still configure kdump in order to obtain kernel crash + information, but there are situation where kdump doesn't work. - * In such situations problem determination is severely impeded. + * In such situations problem determination is severely impeded. - * This patch set solves this by implementing dumps created in a way - that can only be decrypted by the owner of the guest image - and be used for problem determination. + * This patch set solves this by implementing dumps created in a way + that can only be decrypted by the owner of the guest image + and be used for problem determination. [ Test Plan ] - * The setup of a Secure Execution environment is not trivial - and requires a certain set of hardware (IBM Z15 or higher) - with FC 115). + * The setup of a Secure Execution environment is not trivial + and requires a certain set of hardware (IBM Z15 or higher) + with FC 115). - * On top of the modification of qemu that are handled in this - LP bug, modifications of the Kernel (LP#1959940) and - the s390-tools (LP#1959965) are required on top. + * On top of the modification of qemu that are handled in this + LP bug, modifications of the Kernel (LP#1959940) and + the s390-tools (LP#1959965) are required on top. - * So at least a modified kernel and qemu test builds are needed - or both should be in -proposed at the same time (which might - be difficult). - A modified s390-tools is not urgently needed, since for the - verification of the kernel and qemu part a newer version - can be used (but a modified s390-tools is also available in PPA). + * So at least a modified kernel and qemu test builds are needed + or both should be in -proposed at the same time (which might + be difficult). + A modified s390-tools is not urgently needed, since for the + verification of the kernel and qemu part a newer version + can be used (but a modified s390-tools is also available in PPA). - * A detailed description (using Ubuntu as example) on how to setup - secure execution is available here: - Introducing IBM Secure Execution for Linux, April 2024 update - https://www.ibm.com/docs/en/linuxonibm/pdf/lx24se04.pdf + * A detailed description (using Ubuntu as example) on how to setup + secure execution is available here: + Introducing IBM Secure Execution for Linux, April 2024 update + https://www.ibm.com/docs/en/linuxonibm/pdf/lx24se04.pdf - * And information on 'Working with dumps of KVM guests in - IBM Secure Execution mode' is available here: - https://www.ibm.com/docs/en/linux-on-systems?topic=commands-zgetdump#czgetdump__se_dump_examples + * And information on 'Working with dumps of KVM guests in + IBM Secure Execution mode' is available here: + https://www.ibm.com/docs/en/linux-on-systems?topic=commands-zgetdump#czgetdump__se_dump_examples [ Where problems could occur ] - * Mainly dump code (dump/dump.c and include/sysemu/dump.h) is modified, - which may lead to broken or incorrect dumps, - also for non-secure-execution guests. (So testing of both is needed.) + * Mainly dump code (dump/dump.c and include/sysemu/dump.h) is modified, + which may lead to broken or incorrect dumps, + also for non-secure-execution guests. (So testing of both is needed.) - * Modifications in the elf header header handling - as well as wrong hardware address and offset calculation can - (in worst case) lead to unusable files. + * Modifications in the elf header header handling + as well as wrong hardware address and offset calculation can + (in worst case) lead to unusable files. - * Modification in dump state handling may cause issue generating - the dump itself. + * Modification in dump state handling may cause issue generating + the dump itself. - * Modifications need to be endianess-aware, since this secure - execution dump is for s390x - if not dumps become useless. + * Modifications need to be endianess-aware, since this secure + execution dump is for s390x - if not dumps become useless. - * Functions for writing the header got modified (and split), - which may lead to wrong headers (if done erroneously). + * Functions for writing the header got modified (and split), + which may lead to wrong headers (if done erroneously). - * It's a big patch set in general, which may bring further unforeseen - effects, but it's worth to mention that the code is upstream accepted - since quite a while (qemu 7.2) and already included in Ubuntu - since 23.04 and successfully in use. + * It's a big patch set in general, which may bring further unforeseen + effects, but it's worth to mention that the code is upstream accepted + since quite a while (qemu 7.2) and already included in Ubuntu + since 23.04 and successfully in use. - * On top the packages from the PPA test build were tested upfront. + * On top the packages from the PPA test build were tested upfront. [ Other Info ] - * Since 22.04 is a popular LTS release, it is already in use by many - secure execution customers. - But in case of severe crashes or issues in the secure execution - (KVM) guests dumps cannot be used as of today. + * Since 22.04 is a popular LTS release, it is already in use by many + secure execution customers. + But in case of severe crashes or issues in the secure execution + (KVM) guests dumps cannot be used as of today. - * This enables customers, IBM and Canonical to support in case of - crashes/dumps on hardware that runs secure execution environments. + * This enables customers, IBM and Canonical to get support in case of + crashes/dumps on hardware that runs secure execution environments. __________ KVM: Secure Execution guest dump encryption with customer keys - qemu part Description: Hypervisor-initiated dumps for Secure Execution guests are not helpful because memory and CPU state is encrypted by a transient key only available to the Ultravisor. Workload owners can still configure kdump in order to obtain kernel crash infomation, but there are situation where kdump doesn't work. In such situations problem determination is severely impeded. This feature will implement dumps created in a way that can only be decrypted by the owner of the guest image and be used for problem determination. Request Type: Package - Update Version Upstream Acceptance: In Progress Code Contribution: IBM code
** Description changed: SRU Justification: [ Impact ] * Hypervisor-initiated dumps for Secure Execution (aka confidential computing) guests are not helpful because memory and CPU state is encrypted by a transient key only available to the Ultravisor. * Workload owners can still configure kdump in order to obtain kernel crash information, but there are situation where kdump doesn't work. * In such situations problem determination is severely impeded. * This patch set solves this by implementing dumps created in a way that can only be decrypted by the owner of the guest image and be used for problem determination. [ Test Plan ] * The setup of a Secure Execution environment is not trivial - and requires a certain set of hardware (IBM Z15 or higher) + and requires a certain set of hardware (IBM z15 or higher) with FC 115). * On top of the modification of qemu that are handled in this LP bug, modifications of the Kernel (LP#1959940) and the s390-tools (LP#1959965) are required on top. * So at least a modified kernel and qemu test builds are needed or both should be in -proposed at the same time (which might be difficult). A modified s390-tools is not urgently needed, since for the verification of the kernel and qemu part a newer version can be used (but a modified s390-tools is also available in PPA). * A detailed description (using Ubuntu as example) on how to setup secure execution is available here: Introducing IBM Secure Execution for Linux, April 2024 update https://www.ibm.com/docs/en/linuxonibm/pdf/lx24se04.pdf * And information on 'Working with dumps of KVM guests in IBM Secure Execution mode' is available here: https://www.ibm.com/docs/en/linux-on-systems?topic=commands-zgetdump#czgetdump__se_dump_examples [ Where problems could occur ] * Mainly dump code (dump/dump.c and include/sysemu/dump.h) is modified, which may lead to broken or incorrect dumps, also for non-secure-execution guests. (So testing of both is needed.) * Modifications in the elf header header handling as well as wrong hardware address and offset calculation can (in worst case) lead to unusable files. * Modification in dump state handling may cause issue generating the dump itself. * Modifications need to be endianess-aware, since this secure execution dump is for s390x - if not dumps become useless. * Functions for writing the header got modified (and split), which may lead to wrong headers (if done erroneously). * It's a big patch set in general, which may bring further unforeseen effects, but it's worth to mention that the code is upstream accepted since quite a while (qemu 7.2) and already included in Ubuntu since 23.04 and successfully in use. * On top the packages from the PPA test build were tested upfront. [ Other Info ] * Since 22.04 is a popular LTS release, it is already in use by many secure execution customers. But in case of severe crashes or issues in the secure execution (KVM) guests dumps cannot be used as of today. * This enables customers, IBM and Canonical to get support in case of crashes/dumps on hardware that runs secure execution environments. __________ KVM: Secure Execution guest dump encryption with customer keys - qemu part Description: Hypervisor-initiated dumps for Secure Execution guests are not helpful because memory and CPU state is encrypted by a transient key only available to the Ultravisor. Workload owners can still configure kdump in order to obtain kernel crash infomation, but there are situation where kdump doesn't work. In such situations problem determination is severely impeded. This feature will implement dumps created in a way that can only be decrypted by the owner of the guest image and be used for problem determination. Request Type: Package - Update Version Upstream Acceptance: In Progress Code Contribution: IBM code -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1959966 Title: [23.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - qemu part To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1959966/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
