Ubuntu
linux package

[22.04 FEAT] KVM: Attestation support for Secure Execution (crypto)

Bug #1959973 reported by bugproxy
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
Fix Released
High
Skipper Bug Screeners
linux (Ubuntu)
Invalid
High
Unassigned
Jammy
Fix Released
High
Canonical Kernel Team

Bug Description

SRU Justification:
==================

[Impact]

 * This is a hardware enablement SRU in support of
   IBM z15 and LinuxONE III (FC 115) secure execution feature.

 * It adds a misc character device to expose some Ultravisor
   functions to userspace.

 * The device is only available if the (optional) Ultravisor
   Facility (158) is present in the system.

 * Two Ultravisor calls are supported:
   - Query Ultravisor Information (QUI) and
   - Receive Attestation Measurement (Attest[ation])

 * This is in support of for example. external frameworks,
   specific deployment models or especially
   potentially regulatory requirements.

[Fix]

 * 4689752c79fa 4689752c79fa30e91b49b39a9fba93c4d1f3e20c "drivers/s390/char: Add Ultravisor io device"

 * eb3de2d8f78d eb3de2d8f78d893303891d879f941c47f2f2d13d "s390/uv_uapi: depend on CONFIG_S390"

 * patch to set kernel config option 'CONFIG_S390_UV_UAPI=y'

[Test Plan]

 * An IBM z15 or LinuxONE III LPAR with FC 115 enabled is required.

 * Installation of Ubuntu Server 22.04 LTS on top.

 * Install a kernel that incl. the above patches/commits
   (that has the kernel config option 'CONFIG_S390_UV_UAPI' enabled).

 * Activate the kernel (reboot) and look for the existence of
   the uvdevice '/dev/uv'.

 * Use a userspace test program that makes use of the new
   misc device by exploiting 'ATTEST'.

 * Due to hardware requirements this test needs to be conducted by IBM.

[Where problems could occur]

 * The definitions in uv_cmds_inst and uv_feat_ind could be wrong
   and the codes wrong or mixed up, which would lead to a broken
   functionality/interface.

 * The uvdevice header definitions could be erroneous,
   defining an wrong interface.

 * The newly added kernel options could be implemented in a wrong way,
   so that it doesn't enable the 'uvdevice', but unlikely.

 * The implementation of the device itself in 'uvdevice.c' could be broken
   by wrong or broken pointer arithmetics, wrong method arguments,
   wrong sizeof/length calculations, which - in worst case - could entirely
   crash a system.

 * The ioctl control block implementation could be wrong in a way,
   that it doesn't properly handle the case where the facility is not
   available in the system.

 * Entry point, copy and check routines could be wrong,
   allowing non-desired calls.

 * This is an s390x-only functionality,
   that is only available on IBM z15 / LinuxONE III systems and newer,
   and only is the optional feature 'FC 115' in place,
   which is limited to 'secure-execution' workloads.

[Other Info]

 * The above commit is marked to be merged into 5.19-rc2,
   and since the planned target kernel for kinetic is
   5.19, the SRU is not needed for kinetic.

__________

KVM: Attestation support for Secure Execution (crypto)

Description:
Provide attestations support, e.g. for external frameworks, specific deployment models or potentially regulatory requirements.

Request Type: Kernel - Enhancement from IBM
Upstream Acceptance: In Progress

See original description
bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-196320 severity-high targetmilestone-inin2204
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Revision history for this message
Frank Heimes (fheimes) wrote :

Changing to Incomplete for now, until kernel version and or commits are shared for integration.

Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in linux (Ubuntu):
importance: Undecided → High
Changed in ubuntu-z-systems:
importance: Undecided → High
Changed in linux (Ubuntu):
status: New → Incomplete
Changed in ubuntu-z-systems:
status: New → Incomplete
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-02-17 07:32 EDT-------
Not commits yet, but a first glimpse:
https://<email address hidden>/

Revision history for this message
Frank Heimes (fheimes) wrote :

Looks like there is a v2 upcoming...

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2022-06-07 10:34 EDT-------
[Fix]

pick upstream commit 4689752c79fa (drivers/s390/char: Add Ultravisor io device)

applies cleanly on jammy-master-next

Upstream patch attached

Revision history for this message
bugproxy (bugproxy) wrote : VS2021 upstream patch file

------- Comment (attachment only) From <email address hidden> 2022-06-07 10:34 EDT-------

Revision history for this message
Frank Heimes (fheimes) wrote :

Thank you.

(Btw. if the commit can simply be cherry-picked from upstream into Ubuntu 22.04/kernel 5.15 (like it seems to be the case here) and simple pointer to the upstream commit (hash and/or name) is sufficient.
And if it's even tagged upstream as for stable, it will be included into Ubuntu automatically.)

Changed in ubuntu-z-systems:
status: Incomplete → New
Changed in linux (Ubuntu):
status: Incomplete → New
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-06-08 04:53 EDT-------
There's another (trivial) commit that has been applied by Paolo while merging the original series, which also should be picked on top of the original commit.
Thanks.

commit eb3de2d8f78d893303891d879f941c47f2f2d13d
Author: Paolo Bonzini <email address hidden>
Date: Mon May 23 15:23:21 2022 -0400

s390/uv_uapi: depend on CONFIG_S390

Signed-off-by: Paolo Bonzini <email address hidden>

Revision history for this message
Frank Heimes (fheimes) wrote :

Thx Viktor, that came just in time - since I already started to work on this SRU.

Frank Heimes (fheimes)
description: updated
Revision history for this message
Frank Heimes (fheimes) wrote :

A PPA with a patched test kernel (for jammy/22.04) is right now building at:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1959973

It would be great if this could be tested upfront, due to the amount of new code and the new kernel option, before we proceed with the SRU...

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2022-06-14 11:26 EDT-------
Verified using the package `linux-image-unsigned-5.15.0-36-generic` from the https://launchpad.net/~fheimes/+archive/ubuntu/lp1959973 PPA.

Note: It's a builtin module for Ubuntu.

Revision history for this message
Frank Heimes (fheimes) wrote :

Many thx for this early testing!

Not sure if I got you - yes it's here a builtin module; did you expected to have it as loadable module - any preference?

Revision history for this message
Frank Heimes (fheimes) wrote :

SRU request submitted to the Ubuntu kernel team mailing list for jammy.
https://lists.ubuntu.com/archives/kernel-team/2022-June/thread.html#131146
Changing status to 'In Progress' for jammy.

information type: Private → Public
Changed in linux (Ubuntu):
status: New → In Progress
Changed in ubuntu-z-systems:
status: New → In Progress
Changed in linux (Ubuntu Jammy):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
Changed in linux (Ubuntu):
status: In Progress → Invalid
assignee: Skipper Bug Screeners (skipper-screen-team) → nobody
Stefan Bader (smb)
Changed in linux (Ubuntu Jammy):
status: In Progress → Fix Committed
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.15.0-43.46 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-jammy
Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2022-07-18 08:00 EDT-------
verified presence of feature using jammy-proposed archive
module is builtin (which is completely fine)

~# ll /dev/uv
crw------- 1 root root 10, 122 Jul 18 11:47 /dev/uv

corresponding Kselftests succeed

tags: added: verification-done-jammy
removed: verification-needed-jammy
Revision history for this message
Frank Heimes (fheimes) wrote :

Great, thx for the verification, Steffen!

Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.6 KiB)

This bug was fixed in the package linux - 5.15.0-43.46

---------------
linux (5.15.0-43.46) jammy; urgency=medium

  * jammy/linux: 5.15.0-43.46 -proposed tracker (LP: #1981243)

  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2022.07.11)

  * nbd: requests can become stuck when disconnecting from server with qemu-nbd
    (LP: #1896350)
    - nbd: don't handle response without a corresponding request message
    - nbd: make sure request completion won't concurrent
    - nbd: don't clear 'NBD_CMD_INFLIGHT' flag if request is not completed
    - nbd: fix io hung while disconnecting device

  * Ubuntu 22.04 and 20.04 DPC Fixes for Failure Cases of DownPort Containment
    events (LP: #1965241)
    - PCI/portdrv: Rename pm_iter() to pcie_port_device_iter()
    - PCI: pciehp: Ignore Link Down/Up caused by error-induced Hot Reset
    - [Config] Enable config option CONFIG_PCIE_EDR

  * [SRU] Ubuntu 22.04 Feature Request-Add support for a NVMe-oF-TCP CDC Client
    - TP 8010 (LP: #1948626)
    - nvme: add CNTRLTYPE definitions for 'identify controller'
    - nvme: send uevent on connection up
    - nvme: expose cntrltype and dctype through sysfs

  * [UBUNTU 22.04] Kernel oops while removing device from cio_ignore list
    (LP: #1980951)
    - s390/cio: derive cdev information only for IO-subchannels

  * Jammy Charmed OpenStack deployment fails over connectivity issues when using
    converged OVS bridge for control and data planes (LP: #1978820)
    - net/mlx5e: TC NIC mode, fix tc chains miss table

  * Hairpin traffic does not work with centralized NAT gw (LP: #1967856)
    - net: openvswitch: fix misuse of the cached connection on tuple changes

  * alsa: asoc: amd: the internal mic can't be dedected on yellow carp machines
    (LP: #1980700)
    - ASoC: amd: Add driver data to acp6x machine driver
    - ASoC: amd: Add support for enabling DMIC on acp6x via _DSD

  * AMD ACP 6.x DMIC Supports (LP: #1949245)
    - ASoC: amd: add Yellow Carp ACP6x IP register header
    - ASoC: amd: add Yellow Carp ACP PCI driver
    - ASoC: amd: add acp6x init/de-init functions
    - ASoC: amd: add platform devices for acp6x pdm driver and dmic driver
    - ASoC: amd: add acp6x pdm platform driver
    - ASoC: amd: add acp6x irq handler
    - ASoC: amd: add acp6x pdm driver dma ops
    - ASoC: amd: add acp6x pci driver pm ops
    - ASoC: amd: add acp6x pdm driver pm ops
    - ASoC: amd: enable Yellow carp acp6x drivers build
    - ASoC: amd: create platform device for acp6x machine driver
    - ASoC: amd: add YC machine driver using dmic
    - ASoC: amd: enable Yellow Carp platform machine driver build
    - ASoC: amd: fix uninitialized variable in snd_acp6x_probe()
    - [Config] Enable AMD ACP 6 DMIC Support

  * [UBUNTU 20.04] Include patches to avoid self-detected stall with Secure
    Execution (LP: #1979296)
    - KVM: s390: pv: add macros for UVC CC values
    - KVM: s390: pv: avoid stalls when making pages secure

  * [22.04 FEAT] KVM: Attestation support for Secure Execution (crypto)
    (LP: #1959973)
    - drivers/s390/char: Add Ultravisor io device
    - s390/uv_uapi: depend on CONFIG_S390
    - [Co...

Read more...

Changed in linux (Ubuntu Jammy):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-gkeop-5.15/5.15.0-1003.5~20.04.2 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Revision history for this message
Frank Heimes (fheimes) wrote :

linux-gkeop-5.15 is out of scope for this bug (does not exist for s390x).
To unblock the process I'll add the 'verification-done-focal' tag.

tags: added: verification-done-focal
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.