Ubuntu
s390-tools package

[22.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - s390-tools part

Bug #1959965 reported by bugproxy
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
Fix Released
High
Skipper Bug Screeners
s390-tools (Ubuntu)
Fix Released
High
Skipper Bug Screeners

Bug Description

KVM: Secure Execution guest dump encryption with customer keys - s390-tools part

Description:
Hypervisor-initiated dumps for Secure Execution guests are not helpful because memory and CPU state is encrypted by a transient key only available to the Ultravisor. Workload owners can still configure kdump in order to obtain kernel crash infomation, but there are situation where kdump doesn't work. In such situations problem determination is severely impeded. This feature will implement dumps created in a way that can only be decrypted by the owner of the guest image and be used for problem determination.

Request Type: Package - Update Version
Upstream Acceptance: In Progress
Code Contribution: IBM code

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-196318 severity-high targetmilestone-inin2204
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-02-03 17:23 EDT-------
This also has an kernel and qemu part:

IBM BZ 196316 - LP#1959940 : [22.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - kernel part

IBM BZ 196317 - LP#1959966 : [22.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - qemu part

Revision history for this message
Frank Heimes (fheimes) wrote :

Please share the s390-tools version and/or commit(s) that incl. this functionality.

Ideally this would be part of the next and upcoming s390-tools version that is planned to be the one for jammy anyway.

affects: linux (Ubuntu) → s390-tools (Ubuntu)
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in s390-tools (Ubuntu):
importance: Undecided → High
Changed in ubuntu-z-systems:
importance: Undecided → High
Changed in s390-tools (Ubuntu):
status: New → Incomplete
Changed in ubuntu-z-systems:
status: New → Incomplete
Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2022-02-21 20:07 EDT-------
The code is now upstream:
a9e13a2d - genprotimg: introduce macro for the control flags and sort them
0906293c - genprotimg: --enable-pckmo and --disable-pckmo are mutually exclusive
5394cd36 - genprotimg: add PV guest dump support

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Incomplete → In Progress
Changed in s390-tools (Ubuntu):
status: Incomplete → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.20.0-0ubuntu1

---------------
s390-tools (2.20.0-0ubuntu1) jammy; urgency=medium

  * New upstream release. LP: #1959420
  * Refresh several patches
  * Remove d/p/0001-libkmipclient-Fix-parsing-of-hex-values-for-XML-and-.patch
    since it's upstream with >= v2.18
  * Add d/adjust-runlevels-in-dumpconf-initd-script.patch to fix issue
    with runlevels in init.d/dumpconf
  * Add upstream commit/patch
    e8fca95-zdev-Fix-off-by-one-errors-in-cio_ignore-handling.patch
  * Add upstream commit/patch 455ad95-zdump-Fix-dev-mem-reading.patch
  * Remove d/p/zipl-optional.patch an replaced it by upstream commit/patch
    d/p/ee2c6d4-zipl-Allow-optional-entries-that-are-left-out-when-f.patch
  * Change d/control to:
    - remove the udeb packages from d/c, d/r and d/s390-tools*-udeb.*
    - add support for and updated Build-Depends to libfuse3-dev LP: #1935666
    - add new binary package s390-tools-chreipl-fcp-mpath
      incl. s390-tools-cpuplugd.install
    - change s390-tools Depends from perl to ${perl:Depends}
    - remove unneeded Depends on ${misc:Depends} from the lib*-dev packages
  * Change d/rules to fix permissions
  * Expand d/debian/s390-tools.install to include 81-dpm.rules
  * Add patches for KVM: Secure Execution guest dump encryption with
    customer keys LP: #1959965
    - d/p/a9e13a2d-genprotimg-introduce-macro-for-the-control-flags-and.patch
    - d/p/0906293c-genprotimg-enable-pckmo-and-disable-pckmo-are-mutual.patch
    - d/p/5394cd36-genprotimg-add-PV-guest-dump-support.patch

 -- Frank Heimes <email address hidden> Sun, 06 Feb 2022 11:27:24 +0100

Changed in s390-tools (Ubuntu):
status: In Progress → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Released
Frank Heimes (fheimes)
information type: Private → Public
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.