[22.04 FEAT] zcrypt DD: Exploitation Support of new IBM Z Crypto Hardware (kernel part)

------- Comment From <email address hidden> 2022-01-30 23:07 EDT-------
This also has a s390-tools part:
Canonical LP#1959548 - IBM BZ#196081[22.04 FEAT] zcrypt DD: Exploitation Support of new IBM Z Crypto Hardware - s390utils/s390-tools part

Please share the upstream kernel version where there patches landed upstream and/or the commits for this functionality, so that we can ensure that it's in - updating the ticket to Incomplete for now.

------- Comment From <email address hidden> 2022-03-10 04:41 EDT-------
Hello Canonical
The patches are currently in the s390 feature branch and will go into the next kernel. So they have these 'official' commit ids now:

d64e5e9120a6afc8ebb9e9b46c1302f13b16b68d s390/ap/zcrypt: debug feature improvements
985214af939b9935dac94aa6fb56c85039fb77e8 s390/zcrypt: CEX8S exploitation support
a7e701dba1234adbfbacad5ce19656c5606728da s390/zcrypt: handle checkstopped cards with new state
383366b58016361cc8a2e4c585b7d581eb76263a s390/zcrypt: Support CPRB minor version T7
252a1ff777639ad13978a614f2cde1f0c43a7c2f s390/zcrypt: change reply buffer size offering
1024063effc3ba86d1fec0f2ee0a9259a1065ed5 s390/zcrypt: Provide target domain for EP11 cprbs to scheduling function
9d792ef17f18734bca823910b89254dec37b50c5 s390/airq: use DMA memory for summary indicators

Thx Harald, we need to wait until it officially arrives at least in 'linux-next', but I'm sure that will be the case soon, since upstream starts with 5.18 anyway and that should land there easily ...

Looks like the patches landed in linux-next over the weekend - updating status ...

Hi Harald, a7e701dba1234adbfbacad5ce19656c5606728da "s390/zcrypt: handle checkstopped cards with new state" did not apply cleanly for me when trying to cherry-pick it.

The conflicts are relatively straight forward, mainly changes in the context - I mainly had to move from 'dev' to 'device' at the content of several messages.
Looks like the messages were refined at some time.

Please have a look and let me know if you agree to the backport or if you want it to be handled in a different way.

A test kernel was successfully built and is available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1959547

------- Comment From <email address hidden> 2022-03-15 06:49 EDT-------
I checked your issue with the patch series:
Please pull also
3f74eb5f7819 s390/zcrypt: rework of debug feature messages
and then the patches do apply cleanly.

Pull request submitted to kernel team's mailing list:
https://lists.ubuntu.com/archives/kernel-team/2022-March/thread.html#128669
changing status to 'In Progress'.

This bug is awaiting verification that the linux-hwe-5.15/5.15.0-25.25~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This feature was request for 22.04, hence the hwe kernel is more a fall out.
Hence updating tag to unblock the process.

This bug was fixed in the package linux - 5.15.0-25.25

---------------
linux (5.15.0-25.25) jammy; urgency=medium

  * jammy/linux: 5.15.0-25.25 -proposed tracker (LP: #1967146)

  * Miscellaneous Ubuntu changes
    - SAUCE: Revert "scsi: core: Reallocate device's budget map on queue depth
      change"

 -- Paolo Pisati <email address hidden> Wed, 30 Mar 2022 17:28:11 +0200

------- Comment From <email address hidden> 2022-04-06 05:34 EDT-------
Hm, I am not an expert in this -proposed thing...

I am currently using an Ubuntu 20.04 and added these lines to /etc/apt/source.list:

deb http://us.ports.ubuntu.com/ubuntu-ports/ focal-proposed main
deb http://us.ports.ubuntu.com/ubuntu-ports/ jammy-proposed main

then I run an apt update and then I do a
apt list --upgradable | grep proposed

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

dpkg-dev/focal-proposed 1.19.7ubuntu3.1 all [upgradable from: 1.19.7ubuntu3]
dpkg/focal-proposed 1.19.7ubuntu3.1 s390x [upgradable from: 1.19.7ubuntu3]
kmod/focal-proposed 27-1ubuntu2.1 s390x [upgradable from: 27-1ubuntu2]
libc-bin/focal-proposed 2.31-0ubuntu9.8 s390x [upgradable from: 2.31-0ubuntu9.2]
libc-dev-bin/focal-proposed 2.31-0ubuntu9.8 s390x [upgradable from: 2.31-0ubuntu9.2]
libc6-dev/focal-proposed 2.31-0ubuntu9.8 s390x [upgradable from: 2.31-0ubuntu9.2]
libc6/focal-proposed 2.31-0ubuntu9.8 s390x [upgradable from: 2.31-0ubuntu9.2]
libcurl4/focal-proposed 7.68.0-1ubuntu2.8 s390x [upgradable from: 7.68.0-1ubuntu2.7]
libdpkg-perl/focal-proposed 1.19.7ubuntu3.1 all [upgradable from: 1.19.7ubuntu3]
libgstreamer1.0-0/focal-proposed 1.16.3-0ubuntu1 s390x [upgradable from: 1.16.2-2]
libjpeg8/jammy-proposed 8c-2ubuntu9 s390x [upgradable from: 8c-2ubuntu8]
libkmod2/focal-proposed 27-1ubuntu2.1 s390x [upgradable from: 27-1ubuntu2]
liblzma5/jammy-proposed 5.2.5-2build2 s390x [upgradable from: 5.2.4-1ubuntu1]
libnss-systemd/focal-proposed 245.4-4ubuntu3.16 s390x [upgradable from: 245.4-4ubuntu3.15]
libpam-systemd/focal-proposed 245.4-4ubuntu3.16 s390x [upgradable from: 245.4-4ubuntu3.15]
libsystemd0/focal-proposed 245.4-4ubuntu3.16 s390x [upgradable from: 245.4-4ubuntu3.15]
libudev1/focal-proposed 245.4-4ubuntu3.16 s390x [upgradable from: 245.4-4ubuntu3.15]
libx11-6/jammy-proposed 2:1.7.5-1 s390x [upgradable from: 2:1.6.9-2ubuntu1.2]
libx11-data/jammy-proposed 2:1.7.5-1 all [upgradable from: 2:1.6.9-2ubuntu1.2]
libzstd1/jammy-proposed 1.4.8+dfsg-3build1 s390x [upgradable from: 1.4.4+dfsg-3ubuntu0.1]
linux-generic/focal-proposed 5.4.0.108.112 s390x [upgradable from: 5.4.0.97.101]
linux-headers-generic/focal-proposed 5.4.0.108.112 s390x [upgradable from: 5.4.0.97.101]
linux-image-generic/focal-proposed 5.4.0.108.112 s390x [upgradable from: 5.4.0.97.101]
linux-libc-dev/focal-proposed 5.4.0-108.122 s390x [upgradable from: 5.4.0-94.106]
linux-source-5.4.0/focal-proposed 5.4.0-108.122 all [upgradable from: 5.4.0-94.106]
locales/focal-proposed 2.31-0ubuntu9.8 all [upgradable from: 2.31-0ubuntu9.2]
login/focal-proposed 1:4.8.1-1ubuntu5.20.04.2 s390x [upgradable from: 1:4.8.1-1ubuntu5.20.04.1]
ltrace/jammy-proposed 0.7.3-6.1ubuntu5 s390x [upgradable from: 0.7.3-6.1ubuntu1]
passwd/focal-proposed 1:4.8.1-1ubuntu5.20.04.2 s390x [upgradable from: 1:4.8.1-1ubuntu5.20.04.1]
python3-gdbm/jammy-proposed 3.10.4-0ubuntu1 s390x [upgradable from: 3.8.10-0ubuntu1~20.04]
systemd-sysv/focal-proposed 245.4-4ubuntu3.16 s390x [upgradable from: 245.4-4ubuntu3.15]
systemd-timesyncd/focal-proposed 245.4-4ubuntu3.16 s390x [upgradable from: 245.4-4ubuntu3.15]
systemd/focal-proposed 245.4-4...

Hi Harald, well, this is an Ubuntu 22.04 feature (like the Launchpad ticket title indicated), hence need to be used/tested on a Ubuntu 22.04 codename 'jammy' system.
(You may upgrade your 20.04 / focal system directly to 22.04 / jammy using 'do-release-upgrade -d' - '-d' because jammy is still in development).

Once on a 22.04 / jammy system, things are relatively straight forward - let me go into the details:

First of all check what's available in the (jammy) archives, in case of this tickets, it's about the kernel (package called 'linux-generic'):
$ rmadison --arch=s390x linux-generic | grep $(lsb_release -cs)
 linux-generic | 5.15.0.25.27 | jammy | s390x
Well, this tells us that there is only one kernel available,
and that one is in jammy(-release) and there is no kernel in jammy-proposed right now.

Means the kernel is already rolled out and you don't need -proposed anymore.
So you can go with the kernel that you get by default if running jammy/22.04.

[
If there is another kernel in -proposed for testing, things look like in this mockup:
 linux-generic | 5.15.0.25.27 | jammy | s390x
 linux-generic | 5.15.0.26.30 | jammy-proposed | s390x
]
___

Anyway, just for the reason of completeness, here are the steps needed in case a kernel from
 -proposed should be installed and tested:

1) make sure your system is at the latest level:
sudo apt -y -q update && sudo apt -y -q full-upgrade

2) activate '-proposed' with:
sudo add-apt-repository -y "deb http://us.ports.ubuntu.com/ubuntu-ports/ $(lsb_release -sc)-proposed main universe"
(and update the package index with 'sudo apt -y -q update' if not already triggered automatically)

3) now check for the available versions that can be installed:
$ apt-cache policy linux-generic
linux-generic:
  Installed: 5.15.0.25.27
  Candidate: 5.15.0.26.30
  Version table:
...
And the version table shows you where the kernels are coming from (either main, proposed, updates, or security).

[Btw. ignore the right-most digit, since it's just the build/meta digit.
If there is a request to test 5.15.0-25.25, it usually points to the kernel source package,
and the binary kernel is (in this case) 5.15.0.25.27. So it's save to ignore '27'.]

4) update the kernel by either 'installing' the latest one that is available, like:
sudo apt install linux-generic
or explicitly install a specific version, like:
sudo apt install linux-generic=5.15.0.26.30

5) don't forget to reboot afterwards to activate the newly installed kernel.

------- Comment From <email address hidden> 2022-04-06 10:26 EDT-------
Ok, thanks. I updated my system to Ubuntu 22.04 and ran my testsuite.
Looks fine - all seems to be good and CEX8 exploitation support is available.

Kernel used:
root@a35lp66:~# uname -a
Linux a35lp66 5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:59 UTC 2022 s390x s390x s390x GNU/Linux

S390-tools:
2.20.0-0ubuntu1

So this is now verified :-)

Fantastic - many thx, Harald!