Fixing zKVM: Host Key Document Verification - SRU to U20.04LTS

Bug #1942908 reported by bugproxy
Affects                      Status         Importance   Assigned to             Milestone
Ubuntu on IBM z Systems      Fix Released   High         Frank Heimes
s390-tools (Ubuntu)          Fix Released   High         Skipper Bug Screeners
  Focal                      Fix Released   High         Unassigned
  Hirsute                    Fix Released   High         Unassigned
s390-tools-signed (Ubuntu)   Fix Released   High         Skipper Bug Screeners
  Focal                      Fix Released   High         Unassigned
  Hirsute                    Fix Released   High         Unassigned

Bug Description

SRU Justification:
==================

[Impact]

 * Fix of 'genprotimg' allowing the tool to verify the validity
   of IBM Secure Execution host key documents.

 * Without that, customers must verify the host key document by themselves,
   which is error prone and may impact security.

[Test Plan]

 * A z15 or LinuxONE III LPAR with FC 115 is needed,
   running Ubuntu Server 20.04 (respectively 21.04).

 * Obtain the host-key document,
   the IBM signing key (ibm-z-host-key-signing.crt)
   and the intermediate DigiCert CA (DigiCertCA.crt)
   from 'IBM Resource Link':
   (https://www.ibm.com/servers/resourcelink/lib03060.nsf/pages/IBM-Secure-Execution-for-Linux)

 * The system needs to be online (access to the internet) to
   be able to automatically download the latest revocation lists.

 * Create an IBM Secure Execution image, using the obtained host key like:
   $ genprotimg -i /boot/vmlinuz -r /boot/initrd.img -p parmfile \
    --no-verify -k HKD-8651-00020089A8.crt -o /boot/secure-linux
   (optional, host key can also be verified w/o having created an image)

 * With the above patches applied, the 'genprotimg' command
   can be used to verify the host key document automatically:
   $ genprotimg -i /boot/vmlinuz -r /boot/initrd.img -p parmfile \
    -k HKD-8651-00020089A8.crt -o /boot/secure-linux \
    --cert DigiCertCA.crt --cert ibm-z-host-key-signing.crt
   (in this case '--no-verify' becomes obsolete)

 * More detailed information is available here:
   http://public.dhe.ibm.com/software/dw/linux390/docu/l110se01.pdf

 * Due to the lack of hardware, the verification needs to be done by IBM.

[Where problems could occur]

 * If the 'genprotimg' way of verifying the host key document
   is erroneous, tool based verification can be broken,
   which may force people to use '--no-verify'
   and fall back to manual (openssl based) verification again.

 * In worst case a 'false positive' verification
   of a host key document may occur,
   that might provide a false sense of security.
   Hence proper testing is crucial!

 * Quite some code was added that is only used for this verification
   (like 'curl'), which may break things indirectly.
   Using '--no-verify' may allow to overcome such issues again.

 * Overall this is all unique to s390x,
   and again special to 'secure execution' and would affect
   only z15 or LinuxONE III systems with FC 115 enabled.

 * The system where the Host-Key document is verified or
   where the image is built, needs to be online - otherwise the
   verification is not possible, because the needed up-to-date
   CRLs cannot be downloaded.

[Fixes]

 * For Hirsute, only the following upstream patch is needed:
   d90344a2d5ca3a0caacf7d0c12f981be86862d8c d90344a ("genprotimg: check return value of BIO_reset")

 * For Focal, the following patches are needed (the first one as backport):

 * 074de1e14ed785c18f55ecf9762ac3f5de3465b4 074de1e ("genprotimg: add host-key document verification support")
   To get this commit in, the attached backport is needed:
   https://launchpadlibrarian.net/559224229/0001-genprotimg-add-host-key-document-verification-suppor.patch

 * 7827a791c98dbf14f7e5dfd1c9ea14365cac6272 7827a79 ("genprotimg: add missing return")

 * d90344a2d5ca3a0caacf7d0c12f981be86862d8c d90344a ("genprotimg: check return value of BIO_reset")

[Other Info]

 * Test builds were created for both, hirsute and focal,
   each s390-tools and s390-tools-signed,
   and have been published at PPA:
   https://launchpad.net/~fheimes/+archive/ubuntu/lp1942908

__________

Fixing zKVM: Host Key Document Verification - SRU to U20.04LTS

Description:
Fix of genprotimg allowing the tool to verify the validity of IBM Secure Execution host key documents.
Without that, customers must verify the host key document by themselves, which is error prone and may impact security.
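
Added example, not part of the bug report or of s390-tools: because '--no-verify' switches the host key document check off, image build scripts can be audited for genprotimg invocations that still carry it once the fixed package is installed. The function name, the status labels and the treatment of an invocation without any --cert as a finding are assumptions of this example; the sample script is constructed from the two commands in the test plan.

```shell
#!/bin/sh
# Added example, not part of the bug report or of s390-tools.
# Audits shell text for genprotimg invocations and classifies each one by
# whether host key document verification is in effect.

# audit_genprotimg SCRIPT_TEXT
# Prints "<first line number> <STATUS>" per invocation found in command position:
#   UNVERIFIED  --no-verify is present (verification switched off)
#   VERIFIED    no --no-verify and at least one --cert is given
#   NO-CERTS    neither (treated as a finding; an assumption of this example)
# Returns 1 when any invocation is not VERIFIED.
audit_genprotimg() {
    printf '%s\n' "$1" | awk '
        function classify(cmd, first,    st) {
            # only match genprotimg as the command word, optionally after sudo
            if (cmd !~ "(^|[;|&])[ \t]*(sudo[ \t]+)?genprotimg([ \t]|$)") return
            if (cmd ~ /[ \t]--no-verify([ \t=]|$)/) st = "UNVERIFIED"
            else if (cmd ~ /[ \t]--cert[ \t=]/)     st = "VERIFIED"
            else                                     st = "NO-CERTS"
            print first " " st
            if (st != "VERIFIED") bad = 1
        }
        /^[ \t]*#/ { next }                          # skip comment lines
        {
            if (buf == "") start = NR                # first line of a command
            line = $0
            if (sub(/\\$/, "", line)) {              # trailing backslash: continuation
                buf = buf line " "
                next
            }
            classify(buf line, start)
            buf = ""
        }
        END {
            if (buf != "") classify(buf, start)      # unterminated continuation
            exit bad + 0
        }'
}

# Constructed build script reusing the two invocations from the test plan.
SAMPLE_SCRIPT='#!/bin/sh
# build the Secure Execution image
genprotimg -i /boot/vmlinuz -r /boot/initrd.img -p parmfile \
  --no-verify -k HKD-8651-00020089A8.crt -o /boot/secure-linux
genprotimg -i /boot/vmlinuz -r /boot/initrd.img -p parmfile \
  -k HKD-8651-00020089A8.crt -o /boot/secure-linux \
  --cert DigiCertCA.crt --cert ibm-z-host-key-signing.crt'

audit_genprotimg "$SAMPLE_SCRIPT" || echo "finding: unverified genprotimg invocation"
```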


bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-194437 severity-high targetmilestone-inin2004
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
no longer affects: linux (Ubuntu Impish)
no longer affects: linux (Ubuntu Hirsute)
no longer affects: linux (Ubuntu Focal)
no longer affects: linux (Ubuntu)
Changed in s390-tools (Ubuntu):
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in s390-tools-signed (Ubuntu):
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Frank Heimes (fheimes) wrote (last edit ):

Since this is already completed for Impish (with LP#1882807),
I'm updating the Impish entries to Fix Released.
The SRU to F (and therefore also to H) now came on top.

Changed in s390-tools (Ubuntu):
status: New → Fix Released
Changed in s390-tools-signed (Ubuntu):
status: New → Fix Released
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

Since this is already completed for Impish (with LP#1882807),
The SRUs to F (and therefore also to H) now came on top.

bugproxy (bugproxy) wrote : 0001-genprotimg-add-host-key-document-verification-suppor.patch

------- Comment on attachment From <email address hidden> 2021-09-20 03:27 EDT-------

Patches for Focal:
 + backport from commit 074de1e14ed785c18f55ecf9762ac3f5de3465b4 (see patch '0001-genprotimg-add-host-key-document-verification-suppor.patch')
 + cherry pick from commit 7827a791c98dbf14f7e5dfd1c9ea14365cac6272
 + cherry pick from commit d90344a2d5ca3a0caacf7d0c12f981be86862d8c

Patches for Hirsute:
 + cherry pick from commit d90344a2d5ca3a0caacf7d0c12f981be86862d8c

Frank Heimes (fheimes) wrote :

s390-tools sru debdiff (hirsute)

Frank Heimes (fheimes) wrote :

s390-tools-signed sru debdiff (hirsute)

Frank Heimes (fheimes) wrote :

s390-tools sru debdiff (focal)

Frank Heimes (fheimes) wrote :

s390-tools-signed sru debdiff (focal)

Frank Heimes (fheimes)
tags: added: focal hirsute
Frank Heimes (fheimes) wrote :

Patched packages have been built and are available for further testing here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1942908/

Mathew Hodson (mhodson)
Changed in s390-tools (Ubuntu):
importance: Undecided → High
Changed in s390-tools (Ubuntu Focal):
importance: Undecided → High
Changed in s390-tools (Ubuntu Hirsute):
importance: Undecided → High
Changed in s390-tools-signed (Ubuntu):
importance: Undecided → High
Changed in s390-tools-signed (Ubuntu Focal):
importance: Undecided → High
Changed in s390-tools-signed (Ubuntu Hirsute):
importance: Undecided → High
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
importance: Undecided → High
status: New → In Progress
assignee: Skipper Bug Screeners (skipper-screen-team) → Frank Heimes (fheimes)
Frank Heimes (fheimes)
description: updated
Lukas Märdian (slyon) wrote :

The patch applied to Hirsute resembles the upstream commit and applies cleanly. LGTM.

$ dput ubuntu ../s390-tools_2.16.0-0ubuntu1.1_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: ../s390-tools_2.16.0-0ubuntu1.1_source.changes: Valid signature from 5889C17AB1C8D890
Checking signature on .dsc
gpg: ../s390-tools_2.16.0-0ubuntu1.1.dsc: Valid signature from 5889C17AB1C8D890
Uploading to ubuntu (via sftp to upload.ubuntu.com):
  Uploading s390-tools_2.16.0-0ubuntu1.1.dsc: done.
  Uploading s390-tools_2.16.0-0ubuntu1.1.debian.tar.xz: done.
  Uploading s390-tools_2.16.0-0ubuntu1.1_source.buildinfo: done.
  Uploading s390-tools_2.16.0-0ubuntu1.1_source.changes: done.
Successfully uploaded packages.

As mentioned by paelzer on the MP, the s390-tools-signed package should be updated with a comment, but that can be done with the next package upload and should also be applied to the package in -devel first.

Frank Heimes (fheimes) wrote :

Thx for the upload @slyon
(I've made a personal note about the suggested comment in control.in and plan to include it with the next update, starting with -devel first.)

Frank Heimes (fheimes)
tags: added: ubuntu-release
Frank Heimes (fheimes)
tags: removed: ubuntu-release
Lukas Märdian (slyon) wrote :

For focal the patches look good, too. The cherry-picks match upstream and the backport looks sane.

I only have two small questions regarding the backport:

1/ Should we cherry-pick https://github.com/ibm-s390-linux/s390-tools/commit/db6f272607842a6279fee589fb101f3a1f6148f3 as well? This would reduce some delta from the backport patch.

2/ the genprotimg/src/utils/curl.{c,h} files are created with 644 permissions upstream, while we ship them as 664 (like all the other genprotimg files). Both should work IMO and this should not have any significance, or does it?

Lukas Märdian (slyon) wrote :

Well.. considering this is a SRU, we should probably not fix the memory-leak within this bug but restrict ourselves to the minimal required change, as provided here.
Also, checking out the upstream github repo shows a 664 filemode for curl.* so that must have been a hiccup on my side.

So LGTM after all!

$ dput ubuntu ../s390-tools_2.12.0-0ubuntu3.4_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: ../s390-tools_2.12.0-0ubuntu3.4_source.changes: Valid signature from 5889C17AB1C8D890
Checking signature on .dsc
gpg: ../s390-tools_2.12.0-0ubuntu3.4.dsc: Valid signature from 5889C17AB1C8D890
Uploading to ubuntu (via sftp to upload.ubuntu.com):
  Uploading s390-tools_2.12.0-0ubuntu3.4.dsc: done.
  Uploading s390-tools_2.12.0-0ubuntu3.4.debian.tar.xz: done.
  Uploading s390-tools_2.12.0-0ubuntu3.4_source.buildinfo: done.
  Uploading s390-tools_2.12.0-0ubuntu3.4_source.changes: done.
Successfully uploaded packages.

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2021-09-27 08:09 EDT-------
(In reply to comment #20)
> For focal the patches look good, too. The cherry-picks match upstream and
> the backport looks sane.
>
> I only have two small questions regarding the backport:
>
> 1/ Should we cherry-pick
> https://github.com/ibm-s390-linux/s390-tools/commit/
> db6f272607842a6279fee589fb101f3a1f6148f3 as well? This would reduce some
> delta from the backport patch.

If that is possible, then I would prefer it. Thanks.

Frank Heimes (fheimes) wrote :

Let's create a separate small LP bug for the memory leak,
since the above got just uploaded.
This can then be handled with the next upcoming package patch request at once.

Frank Heimes (fheimes)
description: updated
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-09-27 13:22 EDT-------
(In reply to comment #17)
> Patched packages have been built and are available for further testing here:
> https://launchpad.net/~fheimes/+archive/ubuntu/lp1942908/

I tried your packages...

$ sudo add-apt-repository ppa:fheimes/lp1942908
$ sudo apt update
$ sudo apt upgrade -y
$ stat /usr/bin/genprotimg
stat: cannot stat '/usr/bin/genprotimg': No such file or directory
$ sudo apt install s390-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
s390-tools is already the newest version (2.12.0-0ubuntu3.4~ppa1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
$ dpkg -L s390-tools |grep genprotimg
/usr/share/man/man8/genprotimg.8.gz
/usr/share/s390-tools/genprotimg
/usr/share/s390-tools/genprotimg/stage3a.bin
/usr/share/s390-tools/genprotimg/stage3b_reloc.bin

...so it seems that the /usr/bin/genprotimg file is missing. Have I forgotten anything?

Frank Heimes (fheimes) wrote :

Hi Marc, the new curl bits that were added require an additional build dependency (libcurl-dev).
I've now added "libcurl4-openssl-dev" to achieve this, since this is the build dependency that is also used in newer s390-tools releases, like hirsute (2.16) and impish (2.17).
The corresponding makefile was written in a way that it just skipped the compile of genprotimg if the build dependencies are not satisfied, hence the PPA build did not fail, and I didn't notice the issue earlier.
I did a new compile and genprotimg is not in (it was already in the set of packages for hirsute).
You may try again ... (it can be found at /usr/bin/genprotimg)
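
Added example, not part of the bug report or of s390-tools: the failure described in the comment above (a makefile that skips genprotimg when build dependencies are missing, so the build succeeds without the binary) can be caught by checking the contents of the built package before upload. It assumes a `dpkg -c` listing of the built .deb as input; the function name and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or of s390-tools.
# Reads a `dpkg -c <package>.deb` listing (tar -tv style) and fails when a
# required program is absent or not executable. Paths containing spaces and
# symlink entries ("a -> b") are not handled.

# check_executables LISTING PATH...
# Prints "MISSING <path>" or "NOT-EXECUTABLE <path>" for each failing PATH.
# Returns 0 only if every PATH is a regular file with the owner execute bit.
check_executables() {
    listing=$1
    shift
    printf '%s\n' "$listing" | awk -v want="$*" '
        BEGIN { n = split(want, req, " ") }
        NF {
            path = $NF
            sub(/^\.\//, "/", path)        # ./usr/bin/x -> /usr/bin/x
            mode[path] = $1                # e.g. -rwxr-xr-x
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                if (!(req[i] in mode)) {
                    print "MISSING " req[i]; bad = 1
                } else if (mode[req[i]] !~ /^-..[xs]/) {
                    print "NOT-EXECUTABLE " req[i]; bad = 1
                }
            }
            exit bad
        }'
}

# Constructed listings: file names follow the dpkg -L output quoted in the
# thread; modes, sizes and dates are made up.
BROKEN_LISTING='-rw-r--r-- root/root      2114 2021-09-20 12:01 ./usr/share/man/man8/genprotimg.8.gz
drwxr-xr-x root/root         0 2021-09-20 12:01 ./usr/share/s390-tools/genprotimg/
-rw-r--r-- root/root     20480 2021-09-20 12:01 ./usr/share/s390-tools/genprotimg/stage3a.bin
-rw-r--r-- root/root     12288 2021-09-20 12:01 ./usr/share/s390-tools/genprotimg/stage3b_reloc.bin'
FIXED_LISTING="$BROKEN_LISTING
-rwxr-xr-x root/root    150000 2021-09-28 14:37 ./usr/bin/genprotimg"

# Real use (assumed file name):
#   check_executables "$(dpkg -c s390-tools_*.deb)" /usr/bin/genprotimg
check_executables "$BROKEN_LISTING" /usr/bin/genprotimg ||
    echo "reject upload: genprotimg not shipped"
```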

Frank Heimes (fheimes) wrote :

s390-tools sru debdiff (focal)

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-09-28 12:47 EDT-------
(In reply to comment #25)
> Hi Marc, the new curl bits that were added require an additional build
> dependency (libcurl-dev).
> I've now added "libcurl4-openssl-dev" to achieve this, since this is the
> build dependency that is also used in newer s390-tools releases, like
> hirsute (2.16) and impish (2.17).
> The corresponding makefile was written in a way that it just skipped the
> compile of genprotimg if the build dependencies are not satisfied, hence the
> PPA build did not fail, and I didn't notice the issue earlier.
> I did a new compile and genprotimg is not in (it was already in the set of
> packages for hirsute).
> You may try again ... (it can be found at /usr/bin/genprotimg)

FYI, the problem you've mentioned is already fixed upstream by commit https://github.com/ibm-s390-linux/s390-tools/commit/6db7fbe0187042f44a63a5c7dbeb9f116909d02e

I'll try the new package tomorrow.

bugproxy (bugproxy) wrote : s390-tools sru debdiff (focal)

Default Comment by Bridge

Frank Heimes (fheimes) wrote :

I've just updated the debdiff and the MP with the missing "libcurl4-openssl-dev" build dependency

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2021-09-30 03:11 EDT-------
(In reply to comment #25)
> Hi Marc, the new curl bits that were added require an additional build
> dependency (libcurl-dev).
> I've now added "libcurl4-openssl-dev" to achieve this, since this is the
> build dependency that is also used in newer s390-tools releases, like
> hirsute (2.16) and impish (2.17).
> The corresponding makefile was written in a way that it just skipped the
> compile of genprotimg if the build dependencies are not satisfied, hence the
> PPA build did not fail, and I didn't notice the issue earlier.
> I did a new compile and genprotimg is not in (it was already in the set of
> packages for hirsute).
> You may try again ... (it can be found at /usr/bin/genprotimg)

The new packages LGTM.

Frank Heimes (fheimes) wrote :

Great - thx Marc!

Steve Langasek (vorlon) wrote : Please test proposed package

Hello bugproxy, or anyone else affected,

Accepted s390-tools into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/2.12.0-0ubuntu3.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in s390-tools (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed verification-needed-focal
Changed in s390-tools (Ubuntu Hirsute):
status: New → Fix Committed
tags: added: verification-needed-hirsute
Steve Langasek (vorlon) wrote :

Hello bugproxy, or anyone else affected,

Accepted s390-tools into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/2.16.0-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
bugproxy (bugproxy)
tags: removed: verification-needed verification-needed-focal verification-needed-hirsute
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2021-10-05 05:55 EDT-------
I've tested the new packages for Ubuntu Focal:

Package: s390-tools
Version: 2.12.0-0ubuntu3.4

and Ubuntu Hirsute:

Package: s390-tools
Version: 2.16.0-0ubuntu1.1

What I did:
1. Regression testing for genprotimg (e.g. verified that the generation of an IBM Secure Execution image is still working)
2. Verified that the feature 'host-key document verification' works as expected

Frank Heimes (fheimes) wrote (last edit ):

Great - many thanks for the verification(s), Marc!
With that I'm adjusting the tags accordingly ... (that were eaten up by the BZ bridge on Oct 1st, like I just noticed)

tags: added: verification-done verification-done-focal verification-done-hirsute
bugproxy (bugproxy) wrote :

With that I'm adjusting the tags accordingly ...

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.16.0-0ubuntu1.1

---------------
s390-tools (2.16.0-0ubuntu1.1) hirsute; urgency=medium

  * debian/patches/0001-genprotimg-check-return-value-of-BIO_reset.patch
    Fix of genprotimg allowing the tool to verify the validity
    of IBM Secure Execution host key documents.
    (LP: #1942908)

 -- Frank Heimes <email address hidden> Mon, 20 Sep 2021 14:01:06 +0200

Changed in s390-tools (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for s390-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.12.0-0ubuntu3.4

---------------
s390-tools (2.12.0-0ubuntu3.4) focal; urgency=medium

  * Fixing zKVM: Host Key Document Verification
    Fix of genprotimg allowing the tool to verify the validity of
    IBM Secure Execution host key documents.
    commit 074de1e required a backport, 7827a79 and d90344a are cherry-picks
    - 074de1e d/p/0001-genprotimg-add-host-key-document-verification.patch
    - 7827a79 d/p/0002-genprotimg-add-missing-return.patch
    - d90344a d/p/0003-genprotimg-check-return-value-of-BIO_reset.patch
    Added additional build dependency libcurl4-openssl-dev to debian/control,
    needed by d/p/0001-genprotimg-add-host-key-document-verification.patch.
    (LP: #1942908)

 -- Frank Heimes <email address hidden> Tue, 28 Sep 2021 16:37:28 +0200

Changed in s390-tools (Ubuntu Focal):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in s390-tools-signed (Ubuntu Hirsute):
status: New → Fix Released
Changed in s390-tools-signed (Ubuntu Focal):
status: New → Fix Released
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2021-10-12 05:46 EDT-------
Bug fixed in focal as part of the package s390-tools - 2.16.0-0ubuntu1.1, hence closing the bug.
Changing IBM BZ status:-> CLOSED
