[SEC2340] zkey: support for key type PKEY_TYPE_EP11_AES (s390-tools)

------- Comment From <email address hidden> 2023-08-16 11:55 EDT-------
This feature is not yet available.
With this, we are missing Mantic FF. Therefore, we need to postpone to the next Ubuntu release.

==> Changing target milestone to: "24.04"

------- Comment From <email address hidden> 2023-08-21 11:26 EDT-------
Upstream commit:
https://github.com/ibm-s390-linux/s390-tools/commit/1b044b8a40ab59e4f5ffe66e3ad81499b0beccce "zkey: Support EP11 AES keys with prepended header to retain EP11 session"

Modified packages are build in this PPA - for noble and mantic:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2028936

------- Comment From <email address hidden> 2023-11-29 02:59 EDT-------
A real test of this fix would require a system running in secure execution mode that has access to a CryptoExpress adapter in EP11 mode via secure AP passthrough.
There all EP11 keys are session bound, and without that fix all EP11 keys generated by zkey would simply not work, i.e. they could not be used for dm-crypt.

However, even without secure execution the effect of this fix can be checked.
You still need a system with a CryptoExpress adapter in EP11 mode (CEX7P or later).

Generate an AES key with zkey using key type EP11-AES:

# zkey generate --name test1 --key-type EP11-AES --apqns <EP11-APQN(s)>

Then look at the hex dump of the generated key:

# xxd /etc/zkey/repository/test1.skey
00000000: 0000 0100 0300 0100 0000 0000 0000 0000 ................
00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020: ef92 899e be57 291e c8e8 716d 850e e2f7 .....W)...qm....
00000030: 0000 0000 0020 8d26 0000 0000 0000 0001 ..... .&........
00000040: 1234 d2ae cfff aa9d 15cd d2ad 9a7b 082b .4...........{.+
....

The first 16 bytes are a header indicating the type of the key.
Above example is a version 3 key (see offset 4).
This is what you get WITHOUT the fixes.

A key generated with the fixes present would look like this:

# xxd /etc/zkey/repository/test1.skey
00000000: 0000 0110 0600 0100 0000 0000 0000 0000 ................
00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: ef92 899e be57 291e c8e8 716d 850e e2f7 .....W)...qm....
00000040: 0000 0000 0020 8d26 0000 0000 0000 0001 ..... .&........
00000050: 1234 c393 b33e fcdd 1c8f ecb6 3230 186d .4...>......20.m
...

Here, its a version 6 key (see offset 4, PKEY_TYPE_EP11_AES = 6).
With the fixes present, you should always get version 6 keys.
So if you see a version 6 key, then the fix is present and working.

FYI: The 32 bytes following the 16 bytes header are the session ID of the key.
Unless you are in a secure execution environment they are zero.
If you are in a secure execution environment they would be non-zero.
For a version 3 key, the session ID would be the very first 32 bytes, but it is overlayed (and thus destroyed) by the 16 bytes header information.
So version 3 keys can not be session bound, but version 6 keys can be session bound.
Thus, only version 6 keys can be used in a secure execution environment.

To test if the key is usable, run a validate command:

# zkey validate --name test1

Furthermore, setup a dm-crypt volume using such a version 6 key by following the steps described here:
https://www.ibm.com/docs/en/linux-on-systems?topic=volumes-creating-volume-pervasive-encryption

If you can successfully open that dm-crypt volume then it ensures that also
the pkey/paes_s390 kernel modules contains the required fixes and can work with such a key.

Thanks Ingo, I added an excerpt of your test plan to the SRU Justification at the bug description.

all debdiffs - s390-tools and s390-tools-signed, noble and mantic

Dropping ubuntu-sponsors and assigning this to myself, since I'm familiar with the package. I'll get to the actual review/sponsorship later in the week.

Uploaded s390-tools{-signed} to Mantic and Noble, they are now waiting in the various queues as usual.

Many thx!

As this patch touches a lot of EP11 code, should there be a corresponding test case to ensure we are not regressing support for non-AES EP11 keys? (I haven't checked but I'm guessing from the code there'll be a syntax like `zkey generate --key-type EP11` or `zkey generate --key-type EP11-ECC`)

------- Comment From <email address hidden> 2023-12-11 02:26 EDT-------
Please see what I have written in comment #12 in tis BZ.

Please notice that the comment numbering between Launchpad and Bugzilla is not in sync.
I guess Ingo refers to Launchpad comment #2:
https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/2028936/comments/4
with the zkey generate and validate commands.

And what Steve thought about adding another step to the test plan that does a 'zkey generate --key-type EP11` (so for the traditional type), but the zkey gen command only support secure keys of type CCA‐AESDATA keys, CCA‐AESCIPHER and EP11‐AES (so no EP11-ECC for suchlike).

Instead I'm wondering if it makes sense to generate a zkey on such a newer system (means with this updated s390-tools version and the right kernel), but doing a validate on an older system (without these patches), like for example on 22.04.
Would that be a meaningful regression test case?

------- Comment From <email address hidden> 2023-12-11 03:40 EDT-------
zkey does NOT support ECC keys, since dm-crypt only works with AES keys, not with ECC. So ECC keys are totally out if scope of this feature (SEC2340). SEC2340 only cares about the updates in the zkey tool as of s390-tools.

The updates in the pkey kernel module are tracked in feature SEC2341, which I guess is this launchpad: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2028937
Note that 'pkey' != 'zkey' although only one letter difference :-)

For testing the ECC key support of the pkey device driver, you need to use a self written test program that calls the ioctl. You might get in touch with Holger Dengler about how to test the other functions of the pkey module.

I remembered LP#1928780 and thought we can run the test from there here as well (for regression testing).
It would be like this:

[Test Case]

* Have an Ubuntu noble or mantic installation on LPAR, z/VM or KVM
  and install opencryptoki:
  ubuntu@zbox:~$ sudo apt install opencryptoki

* Now check if there is a soft token available (should be by default):
  ubuntu@zbox:~$ pkcsconf -t
  Token #1 Info:
 Label: icatok
 Manufacturer: IBM
 Model: ICA
 Serial Number:
 Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGE)|
 Sessions: 0/[effectively infinite]
 R/W Sessions: 0/[effectively infinite]
 PIN Length: 4-8
 Public Memory: [information unavailable]/[information unavailable]
 Private Memory: [information unavailable]/[information unavailable]
 Hardware Version: 0.0
 Firmware Version: 0.0
 Time: 2023062111512600
 URI: pkcs11:manufacturer=IBM;model=ICA;token=icatok
Token #3 Info:
 Label: softtok
 Manufacturer: IBM
 Model: Soft
 Serial Number:
 Flags: 0x880045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGE)|
 Sessions: 0/[effectively infinite]
 R/W Sessions: 0/[effectively infinite]
 PIN Length: 4-8
 Public Memory: [information unavailable]/[information unavailable]
 Private Memory: [information unavailable]/[information unavailable]
 Hardware Version: 0.0
 Firmware Version: 0.0
 Time: 2023062111512600
 URI: pkcs11:manufacturer=IBM;model=Soft;token=softtok

* Now initialize and re-label the soft token:
  ubuntu@zbox:~$ pkcsconf -I -c 3
  Enter the SO PIN:
  Enter a unique token label: mysofttok

* And set the user password to be 1234 (since it's hardcoded in the testfile).
  ubuntu@zbox:~$ sudo pkcsconf -c 3 -u

* Now install the opencryptoki lib headers:
  ubuntu@zbox:~$ sudo apt install libopencryptoki-dev

* Download this test code:
  https://launchpadlibrarian.net/551280308/test.c
  and compile it:
  ubuntu@zbox:~$ gcc test.c -o test -lopencryptoki

* And run the resulting binary as root:
  ubuntu@zbox:~$ sudo ./test
  It'll return 56 is the correct key is rejected (0 for the incorrect).

------- Comment From <email address hidden> 2023-12-14 08:13 EDT-------
hm no.... The soft token does not use the pkey module. So you won't be testing pkey nor the PKEY_TYPE_EP11_AES key type of it.

Instead, a possible test case could be run the libzpc testcases. But make sure to use the very latest from the libzpc master branch, since there have been fixes in libzpc to support that key type. You may talk to Joerg Schmidbauer about libzpc.

------- Comment From <email address hidden> 2023-12-27 09:10 EDT-------
As Ingo mentioned, testcases for pkey with non-AES keys are out of scope of this bz/launchpad. But we can continue this discussion in the BZ203279/LP2028937.

https://bugzilla.linux.ibm.com/show_bug.cgi?id=203279
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2028937

Following up on the regression testing discussion and desire,
I like the hint to base the regression testing on the pkey kernel module modifications.
So using the libzpc tests (directly from upstream) is a good option:
https://github.com/opencryptoki/libzpc#Testing

libzpc's runtest runs by default 140 tests from 13 test suites
and allows to explicitly enable EC test in combination with EP11 using the env. var.
ZPC_TEST_EC_KEY_TYPE=ZPC_EC_KEY_TYPE_EP11

These are the additional steps that are needed on Ubuntu to get the test suite going:
  ~$ git clone https://github.com/opencryptoki/libzpc
  ~$ sudo apt install libjson-c-dev cmake
  ~$ cd libzpc/
  ~/libzpc$ mkdir build && cd build
  ~/libzpc/build$ cmake -DBUILD_TEST=ON ..
  [ in case a proxy is required, like in our case: $ export https_proxy="http://your.proxy:3128/" ]
  ~/libzpc/build$ make
  ~/libzpc/build$ ./runtest

Notice that this is currently not possible with the libzpc package we have in 'noble',
since it req. commits that are not yet included in a published version.

But it's planned to release a new version of libzpc in time for 'noble' feature freeze,
that will allow me to version bump libzpc to that new and upcoming version (even if not strictly needed for the regression test here, however it's nice and clean to have it in the archive).

I'll update the SRU justification in the Bug description with these add. steps for regression testing and update the status from Incomplete again to New.

This bug was fixed in the package s390-tools-signed - 2.29.0-0ubuntu3

---------------
s390-tools-signed (2.29.0-0ubuntu3) noble; urgency=medium

  * Rebuild against 2.29.0-0ubuntu3 (LP: #2028936)

 -- Frank Heimes <email address hidden> Tue, 28 Nov 2023 14:14:50 +0100

This bug was fixed in the package s390-tools - 2.29.0-0ubuntu3

---------------
s390-tools (2.29.0-0ubuntu3) noble; urgency=medium

  * Change zkey to generate EP11 keys using a new format (PKEY_TYPE_EP11_AES),
    that allows to keep support for existing key blobs by adding d/p/
    lp-2028936-zkey-Support-EP11-AES-keys-with-prepended-header-to-.patch
    (LP: #2028936)

 -- Frank Heimes <email address hidden> Tue, 28 Nov 2023 12:00:58 +0100

Hello bugproxy, or anyone else affected,

Accepted s390-tools into mantic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/2.29.0-0ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-mantic to verification-done-mantic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-mantic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello bugproxy, or anyone else affected,

Accepted s390-tools-signed into mantic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools-signed/2.29.0-0ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-mantic to verification-done-mantic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-mantic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

------- Comment From <email address hidden> 2024-01-09 05:34 EDT-------
Thanks a lot @Ingo for successfully testing this on Mantic (Ubuntu 23.10) using s390-tools-zkey from mantic-proposed.

This is what Ingo did for verification:
"I did generate a key using 'zkey generate --name test1 --key-type EP11-AES --apqns <EP11-APQN(s)>' and verified that a version 6 key is generated. I also did set up an encrypted disk (LUKS2) using this key, and was able to format and open that encrypted disk just fine.

I furthermore did run the libzpc testsuite and it showed no failures either."

With this successful verification, we can set the tags to
"verification-done, verification-done-mantic "

Many thanks for the prompt verification !

This bug was fixed in the package s390-tools - 2.29.0-0ubuntu2.1

---------------
s390-tools (2.29.0-0ubuntu2.1) mantic; urgency=medium

  * Change zkey to generate EP11 keys using a new format (PKEY_TYPE_EP11_AES),
    that allows to keep support for existing key blobs by adding d/p/
    lp-2028936-zkey-Support-EP11-AES-keys-with-prepended-header-to-.patch
    (LP: #2028936)

 -- Frank Heimes <email address hidden> Tue, 28 Nov 2023 14:25:41 +0100

This bug was fixed in the package s390-tools-signed - 2.29.0-0ubuntu2.1

---------------
s390-tools-signed (2.29.0-0ubuntu2.1) mantic; urgency=medium

  * Rebuild against 2.29.0-0ubuntu2.1 (LP: #2028936)

 -- Frank Heimes <email address hidden> Tue, 28 Nov 2023 14:34:50 +0100

The verification of the Stable Release Update for s390-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.