[23.10 FEAT] [SEC2341] pkey: support generation of keys of type PKEY_TYPE_EP11_AES

Bug #2028937 reported by bugproxy
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Ubuntu on IBM z Systems | Fix Released | Medium | Skipper Bug Screeners |
linux (Ubuntu) | Fix Released | High | Canonical Kernel Team |

Bug Description

Add support to the pkey kernel module to generate keys of key type PKEY_TYPE_EP11_AES.

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-203279 severity-high targetmilestone-inin2310
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
Changed in linux (Ubuntu):
importance: Undecided → High
Changed in ubuntu-z-systems:
importance: Undecided → Medium
Changed in linux (Ubuntu):
status: New → Incomplete
Changed in ubuntu-z-systems:
status: New → Incomplete
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in linux (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → nobody
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2023-08-16 04:30 EDT-------
This fix will be these patches:

s390/paes: fix PKEY_TYPE_EP11_AES handling for secure keyblobs
2af203f3a42b s390/pkey: fix PKEY_TYPE_EP11_AES handling for sysfs attributes
9244d29d0016 s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_VERIFYKEY2 IOCTL
b9588e8c1f6d s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_KBLOB2PROTK[23]
4da75e5be658 s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_CLR2SECK2 IOCTL
6657ea25ab3e s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_GENSECK2 IOCTL
40ffcbd6c2d3 s390/pkey: fix/harmonize internal keyblob headers

which have been tested, reviewed and released into the IBM internal Linux kernel devel branch today. As soon as these commits are upstream visible, I'll append the commit ids to this bugzilla.

Frank Heimes (fheimes) wrote :

Okay, many thanks Harald.
(For the kernel bits there is still some time ...)
Just let us know when they have, for example, landed in linux-next,
which would be sufficient for us to pick them.

Frank Heimes (fheimes) wrote :

Just noticed that the commits just arrived in linux-next - tagged with next-20230818.

Changed in ubuntu-z-systems:
status: Incomplete → Confirmed
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Frank Heimes (fheimes) wrote :

A test build of the patched package (now gmp_6.3.0+dfsg-2ubuntu4) is being built at PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2029438

Changed in ubuntu-z-systems:
status: Confirmed → In Progress
Changed in linux (Ubuntu):
status: Confirmed → In Progress
Frank Heimes (fheimes) wrote :

The testsuite was successful - especially on s390x:

============================================================================
Testsuite summary for GNU MP 6.3.0
============================================================================
# TOTAL: 8
# PASS: 8
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================

No lintian errors.

Attaching debdiff.

Subscribing 'ubuntu-sponsors'.

information type: Private → Public
Frank Heimes (fheimes) wrote :

Excuse me - the last two comments #4 and #5 were attached to the wrong bug - please ignore.

Changed in ubuntu-z-systems:
status: In Progress → Confirmed
Changed in linux (Ubuntu):
status: In Progress → Confirmed
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-08-21 02:49 EDT-------
Ok, the patches are upstream now on the s390 features branch and will go into the next kernel merge window:

cba33db3fc4d s390/paes: fix PKEY_TYPE_EP11_AES handling for secure keyblobs
b9352e4b9b9e s390/pkey: fix PKEY_TYPE_EP11_AES handling for sysfs attributes
745742dbca11 s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_VERIFYKEY2 IOCTL
d1fdfb0b2f33 s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_KBLOB2PROTK[23]
da2863f15945 s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_CLR2SECK2 IOCTL
fb249ce7f7bf s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_GENSECK2 IOCTL
37a08f010b7c s390/pkey: fix/harmonize internal keyblob headers

Frank Heimes (fheimes) wrote :

Kernel test build(s) available in this PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2028937

Pull request submitted to kernel team's mailing list:
https://lists.ubuntu.com/archives/kernel-team/2023-September/thread.html#142499

Changing status to 'In Progress'.

Assigning kernel team.

Changed in ubuntu-z-systems:
status: Confirmed → In Progress
Changed in linux (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
Frank Heimes (fheimes) wrote :

Updated to 'Fix Committed' since code is in mantic-proposed.

Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 6.5.0-7.7

---------------
linux (6.5.0-7.7) mantic; urgency=medium

  * mantic/linux: 6.5.0-7.7 -proposed tracker (LP: #2037611)

  * kexec enable to load/kdump zstd compressed zimg (LP: #2037398)
    - [Packaging] Revert arm64 image format to Image.gz

  * Mantic minimized/minimal cloud images do not receive IP address during
    provisioning (LP: #2036968)
    - [Config] Enable virtio-net as built-in to avoid race

  * Miscellaneous Ubuntu changes
    - SAUCE: Add mdev_set_iommu_device() kABI
    - [Config] update gcc version in annotations

 -- Andrea Righi <email address hidden> Thu, 28 Sep 2023 10:19:24 +0200

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure-6.5/6.5.0-1007.7~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-azure-6.5' to 'verification-done-jammy-linux-azure-6.5'. If the problem still exists, change the tag 'verification-needed-jammy-linux-azure-6.5' to 'verification-failed-jammy-linux-azure-6.5'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-azure-6.5-v2 verification-needed-jammy-linux-azure-6.5
Frank Heimes (fheimes) wrote :

not needed, update tags to unblock

tags: added: verification-done-jammy-linux-azure-6.5
removed: verification-needed-jammy-linux-azure-6.5
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-aws-6.5/6.5.0-1008.8~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-aws-6.5' to 'verification-done-jammy-linux-aws-6.5'. If the problem still exists, change the tag 'verification-needed-jammy-linux-aws-6.5' to 'verification-failed-jammy-linux-aws-6.5'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-aws-6.5-v2 verification-needed-jammy-linux-aws-6.5
Frank Heimes (fheimes) wrote :

does not affect aws, updating tags just to unblock

tags: added: verification-done-jammy-linux-aws-6.5
removed: verification-needed-jammy-linux-aws-6.5