Ubuntu
s390-tools package

[Ubuntu 22.04] zkey: Fix re-enciphering of EP11 identity key of KMIP plugin

Bug #1990520 reported by bugproxy
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
Fix Released
High
Skipper Bug Screeners
s390-tools (Ubuntu)
Fix Released
High
Skipper Bug Screeners
Jammy
Fix Released
High
Unassigned
s390-tools-signed (Ubuntu)
Fix Released
High
Skipper Bug Screeners
Jammy
Fix Released
High
Unassigned

Bug Description

SRU Justification:
------------------

[ Impact ]

 * When re-enciphering the identity key
   and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher',
   the operation completes without an error,
   but the secure keys are left un-reenciphered.

 * A subsequent connection attempt with the KMIP server will fail
   because the identity key is no longer valid.

 * The re-enciphered secure key is not copied back into the key token buffer.

 * Also, the the public key part,
   i.e. the MACed SubjectPublicKeyInfo (SPKI) structure
   must also be re-enciphered (i.e. re-MACed),
   since the MAC is calculated with the EP11 master key.

[ Fix ]

 * 4e2ebe03 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397 "libseckey: Fix re-enciphering of EP11 secure key"

[ Test Plan ]

 * An Ubuntu Server 22.04 for s390x installation with a CryptoExpress
   adapter in EP11 mode and at least one available/online domain is needed.

 * Perform a master key change on the EP11 APQNs used with the KMIP plugin.

 * The is done indirectly, via libkmipclient, a shared library that
   provides the KMIP client to communicate with an KMIP server.

 * Test will be done by IBM.

[ Where problems could occur ]

 * The memcpy, at the beginning and/or at the end or the inserted code
   could be wrong, and copy wrong contents.

 * The newly introduced 're-encipher MACed SPKI' code can be erroneous,
   which may lead to a non working fix.

 * The calculation and handling of the length which could lead to a broken cmdblock.

 * Problems could occur in case the re-encryption is done with a different
   master key compared to the initial encryption,
   even though if this should be caught as 'CKR_IBM_WKID_MISMATCH'.

[ Other Info ]

 * The s390-tools version v2.23 in kinetic already incl. this fix,
   hence it's not affected,
   nor versions for Ubuntu releases (in service) older than jammy
   are affected.

__________

Description:
zkey: Fix re-enciphering of EP11 identity key of KMIP plugin

Symptom:
When re-enciphering the identity key and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher', the operation completes without an error, but the secure keys are left un-reenciphered. A subsequent connection attempt with the KMIP server will fail because the identity key is no longer valid.

Problem:
The re-enciphered secure key is not copied back into the key token buffer. Also, the the public key part, i.e. the MACed SubjectPublicKeyInfo (SPKI) structure must also be re-enciphered (i.e. re-MACed), since the MAC is calculated with the EP11 master key.

Solution:
Copy the re-enciphered secure key back into the key token buffer, and also re-encipher the public key part.

Reproduction: Perform a master key change on the EP11 APQNs used with the
               KMIP plugin.

Problem-ID: 197605

Upstream-ID: 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397

Preventive: yes

Date: 2022-04-08
Author: Ingo Franzki <email address hidden>
Component: s390-tools

== Comment: #1 - Ingo Franzki <email address hidden> - 2022-04-08 09:57:45 ==
Upstream commit:
https://github.com/ibm-s390-linux/s390-tools/commit/4e2ebe0370d9fb036b7554d5ac5df4418dbe0397

See original description
bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-197607 severity-high targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
affects: linux (Ubuntu) → s390-tools (Ubuntu)
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
importance: Undecided → High
Dan Bungert (dbungert)
tags: added: foundations-triage-discuss
Revision history for this message
Frank Heimes (fheimes) wrote :

A set of test packages is now available via the PPA below that are supposed to fix LP#1990520 as well as LP#1990524:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1990520+lp1990524

Revision history for this message
Frank Heimes (fheimes) wrote :

The debdiff for the s390-tools and s390-tools-signed packages for this bug LP#1990520 as well as for LP#1990524 (all in one) are attached here.

(I do not subscribe the ubuntu-sponsors yet, since I want to wait until 2.20.0-0ubuntu3.2 is completed - so far it's still unapproved in jammy's upload queue.)

Changed in s390-tools-signed (Ubuntu):
status: New → In Progress
Changed in s390-tools (Ubuntu):
status: New → In Progress
Changed in ubuntu-z-systems:
status: New → In Progress
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "debdiffs.tgz" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Frank Heimes (fheimes)
description: updated
Julian Andres Klode (juliank)
tags: added: foundations-todo
removed: foundations-triage-discuss
Changed in s390-tools (Ubuntu):
importance: Undecided → High
Changed in s390-tools-signed (Ubuntu):
importance: Undecided → High
Simon Chopin (schopin)
Changed in s390-tools (Ubuntu Jammy):
status: New → Confirmed
Changed in s390-tools-signed (Ubuntu Jammy):
status: New → Confirmed
Changed in s390-tools (Ubuntu Jammy):
status: Confirmed → Triaged
Changed in s390-tools-signed (Ubuntu Jammy):
status: Confirmed → Triaged
Changed in s390-tools (Ubuntu):
status: In Progress → Fix Released
Changed in s390-tools-signed (Ubuntu):
status: In Progress → Fix Released
Changed in s390-tools (Ubuntu Jammy):
importance: Undecided → High
Changed in s390-tools-signed (Ubuntu Jammy):
importance: Undecided → High
Revision history for this message
Simon Chopin (schopin) wrote :

Uploaded into the Jammy queue.

Julian Andres Klode (juliank)
Changed in s390-tools-signed (Ubuntu):
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello bugproxy, or anyone else affected,

Accepted s390-tools into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/2.20.0-0ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in s390-tools (Ubuntu Jammy):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-jammy
Changed in s390-tools-signed (Ubuntu Jammy):
status: Triaged → Fix Committed
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello bugproxy, or anyone else affected,

Accepted s390-tools-signed into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools-signed/2.20.0-0ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-12-05 04:30 EDT-------
I have successfully tested this with the updated packages from https://launchpad.net/ubuntu/+source/s390-tools/2.20.0-0ubuntu3.2

With this update re-enciphering an EP11 identity key of KMIP plugin now works.

tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Revision history for this message
Frank Heimes (fheimes) wrote :

Many thx for the verification, Ingo!

Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
bugproxy (bugproxy)
tags: added: targetmilestone-inin2204
removed: targetmilestone-inin---
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.20.0-0ubuntu3.2

---------------
s390-tools (2.20.0-0ubuntu3.2) jammy; urgency=medium

  * Fix zipl segfaults when "parameters=" is missing (LP: #1974109) with:
    d/p/6ff8202f-zipl-Add-missing-check-for-a-nullpointer.patch
  * Add KVM Secure Execution Attestation Userspace Tool to enhance secure
    execution (hardware feature: FC 115) exploitation (LP: #1959987) with:
    d/p/38639269-libpv-New-library-for-PV-tools.patch
    d/p/3ab06d77-pvattest-Create-perform-and-verify-attestation-measu.patch
    d/p/26148740-pvattest-tools-Add-tool-for-attestation.patch
  * Fix re-enciphering of EP11 identity key of KMIP plugin (LP: #1990520) with:
    d/p/4e2ebe03-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch
  * Fix KMIP plugin fails to connection to KMIP server (LP: #1990524) with:
    d/p/6c5c5f7e-libseckey-Adapt-keymgmt_match-implementation-to-Open.patch
  * d/p/5768d55-zipl-boot-add-secure-boot-trailer.patch
    Add secure boot trailer in zipl stage 3 to keep compatibility with
    upcoming IBM zSystems firmware updates. (LP: #1996069)
  * Add d/p/92b8409-dbginfo.sh-ensure-type-commands-compatible-with-dash.patch
    and d/p/9f93af6-dbginfo.sh-ensure-compatibility-with-bin-dash.patch
    to achieve dbginfo.sh compatibility with /bin/dash shell. (LP: #1996477)

 -- Frank Heimes <email address hidden> Wed, 16 Nov 2022 18:14:00 +0200

Changed in s390-tools (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools-signed - 2.20.0-0ubuntu3.2

---------------
s390-tools-signed (2.20.0-0ubuntu3.2) jammy; urgency=medium

  * Rebuild against 2.20.0-0ubuntu3.2:
    LP: #1974109, LP: #1959987, LP: #1990520,
    LP: #1990524, LP: #1996069, LP: #1996477

 -- Frank Heimes <email address hidden> Wed, 16 Nov 2022 18:27:10 +0200

Changed in s390-tools-signed (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for s390-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2023-01-15 11:00 EDT-------
Fix has been released to jammy -updates, therefore we can close this bug.
Thanks everyone for your work!

==> Changing the status to: CLOSED

Benjamin Drung (bdrung)
tags: removed: foundations-todo
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.