Ubuntu
s390-tools package

[UBUNTU 20.04] SE-tooling: New IBM host-key subject locality (s390-tools)

Bug #2059303 reported by bugproxy on 2024-03-27

258

This bug affects 1 person

	Status	Importance	Assigned to
Ubuntu on IBM z Systems	In Progress	Critical	Skipper Bug Screeners
s390-tools (Ubuntu)	Fix Released	High	Frank Heimes
Focal	In Progress	Critical	Unassigned
Jammy	In Progress	Critical	Unassigned
Mantic	In Progress	Critical	Unassigned
Noble	Fix Released	High	Frank Heimes
s390-tools-signed (Ubuntu)	Fix Released	High	Frank Heimes
Focal	In Progress	Critical	Unassigned
Jammy	In Progress	Critical	Unassigned
Mantic	In Progress	Critical	Unassigned
Noble	Fix Released	High	Frank Heimes

Bug Description

SRU Justification:

[ Impact ]

* Symptom:

   * There is an issue with the Secure Execution (SE) tooling,
     especially the new IBM host-key subject locality,
     that leads to the fact that on April 24 (z15) / March 29 (z16)
     users will notice that the tooling for Secure execution will no
     longer detect that the provided IBM signing key for that generation
     is a valid IBM signing key.

   * The error message will contain "no IBM signing key found" or similar.
     The respective tool will reject creating an encrypted request/image
     as it could not verify the host-key for its validity.

   * This affects the genprotimg, pvattest, and pvsecret tools.
     (Please notice that these tools got introduced over time with different
      s390-tools versions that belong to different Ubuntu releases).

* Problem:

* The new IBM signing keys no longer contain 'Poughkeepsie' as
'subject locality' and 'Armonk' is used.

* The SE tooling checks, beside other things, for the subject in the
IBM signing key.

   * If the subject is not the expected one, the certificate is not
     recognized as a valid IBM signing key.
     And without a valid IBM signing key, the host-key verification
     cannot succeed and users cannot build trustable SE images and
     attestation or add-secret requests.

* Solution:

* Mitigations are available upstream.

   * The fixes allow Armonk as additional locality in the subject
     and allow potential mismatches in the locality of revocation list
     or host-key issuer subject that may still contain Poughkeepsie
     instead of Armonk.

[ Test Plan ]

* The testing is required for all three affected tools:
genprotimg, pvattest, and pvsecret

* Obtain a (z15) Host-key document e.g. via the official channel
see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document

* Get a signing key (z15) + intermediate certificate
see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document

* (optional) verify that the signing key is a new one
   check for: Locality Armonk
   $ openssl x509 -text -in international_business_machines_corporation.crt | grep Subject
   Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International Business Machines Corporation
   Here "L" **must** be Armonk, and not Poughkeepsie!

* Run the tools (if available, depends on the s390-tools version):
   The fixed tools will accept the cert chain and exit with exit code 0
   and the output generated.
   The non-fixed will print n error message, abort, and report exit != 0

* $ genprotimg: genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt
   # BEFORE_FIX:
   Failed to verify host-key document: please specify at least one IBM Z signing key
   # AFTER_FIX:
   # exit code 0

* $ pvattest create -VVV -o tmp --arpk arpk -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt
   # BEFORE_FIX:
   ERROR: Creating the attestation request failed:
   Specify at least one IBM Z signing key
   # AFTER_FIX:
   # exit code 0

* $ pvsecret create --hdr ~/secure_guest.hdr -o tmp -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/armonk/DigiCertCA.crt meta
   # BEFORE_FIX:
   error: Host-key verification failed: Specify one IBM Z signing key
   # AFTER FIX:
   Successfully generated the request

* Note: You can use any z15 host-key you like.
   It does not has to match to the machine you are running on.
   For the secure-guest.hdr in pvsecret you can use any se-header you like.
   You can use a test-asset from s390-tools repository:
   https://github.com/ibm-s390-linux/s390-tools/raw/master/rust/pv/tests/assets/exp/secure_guest.hdr

[ Where problems could occur ]

* The tools genprotimg, pvattest, and pvsecret tools are affected.
   Since they got introduced over time with different s390-tools versions
   that belong to different Ubuntu releases, it's important to figure out the
   commits/patches that are required for each release.

* The refactoring commit f6c6f0cc712433221fb0588c754e0d09884453dd
   ("rust/pv/test: Code + Certificate refactoring") is needed
   for noble and mantic, but needs several adjustments due to context changes.
   The code could be negatively affected and the build might even break.
   (A test build in PPA mitigates such issues.)

* As host host-key issuer subject now Poughkeepsie and Armonk is allowed.
   If the conditional statements are not properly coded, either Poughkeepsie
   or Armonk might be allowed, which would fails in case the opposite is used.
   (Testing if the IBM signing key is valid will mitigate this.)

* In worst case a broken detection of the host-key issuer subject may lead
to positive validations, regardless of the subject content.
(Testing if the IBM signing key is valid will mitigate this.)

* A test build for all affected Ubuntu releases (N, M, J and F) succeeded
and is available via this PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303

* These test packages will be pre-tested by IBM.

* This affected Secure Execution (SE) functionality only on s390x.
No other tools that are part of the s390-tools packages are affected
(or got modified in any way).

[ Other Info ]

* Secure Execution (SE) was introduced with in Ubuntu Server for s390x
with 20.04 LTS, hence 20.04 LTS and higher is affected.

* The following commits / patches need to be applied to the following
   s390-tools versions:
   * f6c6f0cc712433221fb0588c754e0d09884453dd
     ("rust/pv/test: Code + Certificate refactoring")
     to noble, mantic
   * 1a3d0b74f7819f5e087e6ecbf3ec879a05a88bbc
     ("rust/pv: Support `Armonk` in IBM signing key subject")
     to noble, mantic
   * d14e7593cc6380911ca42b09e11c53477ae13d5c
     ("genprotimg: support `Armonk` in IBM signing key subject")
     to noble, mantic, jammy, focal
   * d7c95265cdb6217b0203efa5893c3a27838af63c
     ("libpv: Support `Armonk` in IBM signing key subject")
     to noble, mantic, jammy
   * 2b5e7b049123aff094c7de79ba57a5df09471b2e
     ("pvattest: Fix root-ca parsing")
     to noble, mantic, jammy
   * 8723dbce048add87ce10fe8c72eea75c4f828ef8
     ("genprotimg: add OpenSSL 3.0 support")
     c5d566a4dab559f4d42c62181fcf314a4042bc6d
     ("genprotimg/crypto: use X509_get0_not(After|Before)")
     f5744b95db93fa9d5cfd6fb206767ad2dcc3c804
     ("genprotimg: Fix build with OpenSSL 1.1")
     all to focal only
__________

Description: SE-tooling: New IBM host-key subject locality
Symptom:
        On April 24 (z15) / March 29 (z16) user will notice that the
        tooling for Secure execution will no longer detect that the provided
        IBM signing key for that generation is a valid IBM signing key. The
        error message will contain "no IBM signing key found" or similar. The
        respective tool will reject creating an encrypted request/image as it
        could not verify the host-key for its validity. This affects
        genprotimg, pvattest, and pvsecret.
Problem:
        The new IBM signing keys no longer contain 'Poughkeepsie' as 'subject
        locality' and 'Armonk' is used. The SE tooling checks, beside other
        things, for the subject in the IBM signing key. If the subject is not
        the expected one, the certificate is not recognized as a valid IBM
        signing key. With no valid IBM signing key, the host-key verification
        cannot succeed and users cannot build trustable SE images and
        attestation or add-secret requests.
Solution:
        Mitigations are available upstream. The fixes allow Armonk as
        additional locality in the subject and allow potential mismatches in
        the locality of revocation list or host-key issuer subject that may
        still contain Poughkeepsie instead of Armonk.
Reproduction: Use a new IBM signing key in the unpatched tooling.

The fix is required due to the circumstances described here:
https://www.ibm.com/docs/en/linux-on-systems?topic=systems-whats-new#iplsdkwhatsnew__title__2

This is required for all Ubuntu releases in service that support secure execution.
Therefore, Ubuntu 20.04 LTS (focal) and above are affected and need to be fixed.

See original description

Tags:

bugproxy (bugproxy) on 2024-03-27

tags:	added: architecture-s39064 bugnameltc-205928 severity-critical targetmilestone-inin---
Changed in ubuntu:
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
affects:	ubuntu → linux (Ubuntu)

Revision history for this message

bugproxy (bugproxy) wrote on 2024-03-27: Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2024-03-27 16:09 EDT-------
Full list of patches:

a54daf459e7504c0f42d3eb028100b7ab07894ff ("pvattest: Fix root-ca parsing")
5e1cb58a21ae0707d1993de3c8fc078c5cffed88 ("libpv: Support `Armonk` in IBM signing key subject")
d14e7593cc6380911ca42b09e11c53477ae13d5c ("genprotimg: support `Armonk` in IBM signing key subject")
1a3d0b74f7819f5e087e6ecbf3ec879a05a88bbc ("rust/pv: Support `Armonk` in IBM signing key subject")

Frank Heimes (fheimes) on 2024-04-02

affects:	linux (Ubuntu) → s390-tools (Ubuntu)
Changed in ubuntu-z-systems:
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in s390-tools (Ubuntu):
assignee:	Skipper Bug Screeners (skipper-screen-team) → nobody
Changed in ubuntu-z-systems:
importance:	Undecided → Critical
information type:	Public → Public Security

Revision history for this message

Frank Heimes (fheimes) wrote on 2024-04-02:

Well, I already had a hard time to get the requested commits applied to noble (which is on 2.31.0).

I figured out that:
1) commit f6c6f0cc712433221fb0588c754e0d09884453dd ("rust/pv/test: Code + Certificate refactoring") is needed on top as pre-requisite, otherwise the other patches do not apply.
2) the commit id for ("libpv: Support `Armonk` in IBM signing key subject") is d7c95265cdb6217b0203efa5893c3a27838af63c (and not 5e1cb58a21ae0707d1993de3c8fc078c5cffed88 - this commit id does not exist in upstream master)
3) the commit id for ("pvattest: Fix root-ca parsing") is 2b5e7b049123aff094c7de79ba57a5df09471b2e (and not a54daf459e7504c0f42d3eb028100b7ab07894ff - again this commit id does not exist in upstream master).

I'm really wondering if it wouldn't be best to have a new minor version tagged upstream (like a 2.31.1) that includes everything needed, since I can't patch binary files with quilt (rust/pv/tests/assets/cert/der.crl and rust/pv/tests/assets/cert/der.crt), hence had to skip these hunks.

Revision history for this message

bugproxy (bugproxy) wrote on 2024-04-02:

------- Comment From <email address hidden> 2024-04-02 09:17 EDT-------
(In reply to comment #11)
> Well, I already had a hard time to get the requested commits applied to
> noble (which is on 2.31.0).
>
> I figured out that:
> 1) commit f6c6f0cc712433221fb0588c754e0d09884453dd ("rust/pv/test: Code +
> Certificate refactoring") is needed on top as pre-requisite, otherwise the
> other patches do not apply.
> 2) the commit id for ("libpv: Support `Armonk` in IBM signing key subject")
> is d7c95265cdb6217b0203efa5893c3a27838af63c (and not
> 5e1cb58a21ae0707d1993de3c8fc078c5cffed88 - this commit id does not exist in
> upstream master)
> 3) the commit id for ("pvattest: Fix root-ca parsing") is
> 2b5e7b049123aff094c7de79ba57a5df09471b2e (and not
> a54daf459e7504c0f42d3eb028100b7ab07894ff - again this commit id does not
> exist in upstream master).
>
> I'm really wondering if it wouldn't be best to have a new minor version
> tagged upstream (like a 2.31.1) that includes everything needed, since I
> can't patch binary files with quilt (rust/pv/tests/assets/cert/der.crl and
> rust/pv/tests/assets/cert/der.crt), hence had to skip these hunks.

Your proposal makes sense. Let me see what we can do.

Steffen

Revision history for this message

Frank Heimes (fheimes) wrote on 2024-04-02:

debdiffs.tgz Edit (78.0 KiB, application/x-tar)

Meanwhile I've navigated through the challenges in noble and have a successful PPA build here:
launchpad.net/~fheimes/+archive/ubuntu/lp2059303
and the s390-tools and the s390-tools-signed debdiffs attached.

Changed in s390-tools (Ubuntu Noble):
assignee:	nobody → Frank Heimes (fheimes)
Changed in s390-tools-signed (Ubuntu Noble):
assignee:	nobody → Frank Heimes (fheimes)
Changed in s390-tools (Ubuntu Noble):
status:	New → In Progress
Changed in s390-tools-signed (Ubuntu Noble):
status:	New → In Progress
importance:	Undecided → High
Changed in s390-tools (Ubuntu Noble):
importance:	Undecided → High

Frank Heimes (fheimes) on 2024-04-03

description:

updated

Revision history for this message

Frank Heimes (fheimes) wrote on 2024-04-04:

Builds finally completed:
noble: https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303
mantic, jammy, focal: https://launchpad.net/~fheimes/+archive/ubuntu/test

Revision history for this message

bugproxy (bugproxy) wrote on 2024-04-05:

------- Comment From <email address hidden> 2024-04-05 04:40 EDT-------
(In reply to comment #15)
> Builds finally completed:
> noble: https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303
> mantic, jammy, focal: https://launchpad.net/~fheimes/+archive/ubuntu/test

Hi Frank

Thank you for the supply of packages.

I currently have no noble (24.04) system by hand. I will test noble as soon as I have access.

For mantic, jammy, focal, it seems that a new s390-tools-signed package is missing in the PPA (it is there in the noble PPA). Tested only on focal.

Example for focal:

after adding the ppa + update.
> apt upgrade s390-tools
[...]
The following packages have unmet dependencies:
s390-tools : Depends: s390-tools-signed (= 2.12.0-0ubuntu3.8) but 2.12.0-0ubuntu3.7 is to be installed

Thank you in advance for a fix/solution.

And also, sorry for the Rust-backport inconvenience.
BTW, I released a new s390-tools version on Wednesday (https://github.com/ibm-s390-linux/s390-tools/releases/tag/v2.32.0) with the armonk problem resolved.

Steffen

Revision history for this message

Frank Heimes (fheimes) wrote on 2024-04-06:

Hi Steffen,
thanks for checking the updated packages.
Indeed, I had to restart the build of the s390-tools-signed packages for mantic/23.10, /jammy/22.04 and focal/20.04.
These build will be complete in an hour or so (so well before Monday).

Since the updates need to be done starting with the newest to oldest, a test on noble/24.04 would be most important.

Do you have a mantic/23.10 or jammy/22.04 test system over?
In this case you should be able to upgrade to noble/24.04 in just a few minutes.

First of all ensure that your current system (mantic or jammy) is up-to-date with:

sudo apt update && && sudo apt full-upgrade
(with a potential reboot)

You should then be able to upgrade with:
sudo do-release-upgrade -d

(or in case you are brave enough - but on a test/dev system ;-) :
sudo do-release-upgrade --quiet --devel-release --frontend=DistUpgradeViewNonInteractive && sudo reboot )

Revision history for this message

Launchpad Janitor (janitor) wrote on 2024-04-09:

This bug was fixed in the package s390-tools - 2.31.0-0ubuntu5

---------------
s390-tools (2.31.0-0ubuntu5) noble; urgency=medium

  * Add the following commits as patches:
    - d/p/lp-2059303-rust-pv-test-Code-Certificate-refactoring.patch
      (excluded patching binary files rust/pv/tests/assets/cert/der.crl and
       rust/pv/tests/assets/cert/der.crt, which is not supported by quilt
       - these files are needed for testing only)
    - d/p/lp-2059303-rust-pv-Support-Armonk-in-IBM-signing-key-subject.patch
    - d/p/lp-2059303-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch
    - d/p/lp-2059303-libpv-Support-Armonk-in-IBM-signing-key-subject.patch
    - d/p/lp-2059303-pvattest-Fix-root-ca-parsing.patch
    to fix Secure Execution tooling and accept new IBM host-key
    subject locality. LP: #2059303
  * Add d/p/lp-2058944-dbginfo.sh-dash-compatible-copy-sequence.patch
    to fix dash incompatibility in dbginfo.sh. LP: #2058944

-- Frank Heimes <email address hidden> Tue, 02 Apr 2024 12:45:30 +0200

Changed in s390-tools (Ubuntu Noble):
status:	In Progress → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2024-04-09:

This bug was fixed in the package s390-tools-signed - 2.31.0-0ubuntu5

---------------
s390-tools-signed (2.31.0-0ubuntu5) noble; urgency=medium

* Rebuild against 2.31.0-0ubuntu5 (LP: #2058944, LP: #2059303)

-- Frank Heimes <email address hidden> Tue, 02 Apr 2024 12:55:52 +0200

Changed in s390-tools-signed (Ubuntu Noble):
status:	In Progress → Fix Released

bugproxy (bugproxy) on 2024-04-10

tags:

added: targetmilestone-inin2004
removed: targetmilestone-inin---

Frank Heimes (fheimes) on 2024-04-10

Changed in ubuntu-z-systems:
status:	New → In Progress

Revision history for this message

bugproxy (bugproxy) wrote on 2024-04-12:

#10

Download full text (3.6 KiB)

------- Comment From <email address hidden> 2024-04-12 10:22 EDT-------
Hi Frank,

An update from my side:

!SHORT:

GOOD:
noble(with a nit), mantic, jammy
BAD/not verifyable:
focal

!LONG:

Verified for:

* 24.04 (noble):

with today's (2024-apr-12) s390tools version from noble repository (after a release-upgrade from jammy):
- genprotimg
- pvattest
- pvsecret
work.
did **not** use your PPA

But there is a mismatch from the package version to the version that the tools report:

> apt-cache showpkg s390-tools
Package: s390-tools
Versions:
2.31.0-0ubuntu5 (/var/lib/apt/lists/ports.ubuntu.com_ubuntu-ports_dists_noble_main_binary-s390x_Packages)

> pvattest --version
pvattest version 2.31.0-build-20240409

You very likely forgot to change the DISTRELEASE variable in common.mak

* 23.10 (mantic):
All work with your PPA
- genprotimg
- pvattest
- pvsecret

* 22.04 (jammy):
All work with your PPA
- genprotimg
- pvattest

* 20:04 (focal):

the updated s390-tools package from your PPA has no genprotimg in it:

> dpkg --contents s390-tools_2.12.0-0ubuntu3.8_s390x.deb | grep genprot
-rw-r--r-- root/root 1775 2024-04-03 14:10 ./usr/share/man/man8/genprotimg.8.gz
drwxr-xr-x root/root 0 2024-04-03 14:10 ./usr/share/s390-tools/genprotimg/
-rw-r--r-- root/root 9656 2024-04-03 14:10 ./usr/share/s390-tools/genprotimg/stage3a.bin
-rw-r--r-- root/root 5498 2024-04-03 14:10 ./usr/share/s390-tools/genprotimg/stage3b_reloc.bin

(before the update(s390-tools2.12.0-ubuntu3.7))
> apt-file list s390-tools | grep genprotimg
s390-tools: /usr/bin/genprotimg
[....]

Verify process:
1) Obtain a (z15) Host-key document e.g. via the official channel
see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-obtain-host-key-document

2) Get a signing key (z15) + intermediate certificate
see: https://www.ibm.com/docs/en/linux-on-systems?topic=execution-verify-host-key-document

3) (optional) verify that the signing key is a new one (checl for: Locality Armonk)
> openssl x509 -text -in international_business_machines_corporation.crt | grep Subject
Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM Z Host Key Signing Service, CN = International Business Machines Corporation

L **must** be Armonk, and not Poughkeepsie

4) run the tools if available:
The fixed tools will accept the cert chain and exit with exit code 0 and the output generated.
The non-fixed will print n error message, abort, and report exit != 0

> genprotimg: genprotimg -o tmp -i /boot/vmlinuz-$(uname -r) -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt

#BEFORE_FIX:
Failed to verify host-key document: please specify at least one IBM Z signing key
# AFTER_FIX:
# exit code 0

> pvattest create -VVV -o tmp --arpk arpk -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/DigiCertCA.crt

#BEFORE_FIX:
ERROR: Creating the attestation request failed:
Specify at least one IBM Z signing key
# AFTER_FIX:
# exit code 0

> pvsecret create --hdr ~/secure_guest.hdr -o tmp -k ~/hostkey.crt --cert ~/international_business_machines_corporation.crt --cert ~/armonk/DigiCertC...

For focal the commit d14e7593cc6
(https://github.com/ibm-s390-linux/s390-tools/commit/d14e7593cc6380911ca42b09e11c53477ae13d5c)
does not properly build and the logs show a few errors:
https://launchpadlibrarian.net/723098720/buildlog_ubuntu-focal-s390x.s390-tools_2.12.0-0ubuntu3.8_BUILDING.txt.gz
(search for "error:")
"
utils/crypto.c: In function ‘x509_armonk_locality_fixup’:
utils/crypto.c:770:22: error: passing argument 1 of ‘X509_NAME_dup’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
  770 |  ret = X509_NAME_dup(name);
      |                      ^~~~
In file included from /usr/include/openssl/pem.h:17,
                 from utils/crypto.c:17:
/usr/include/openssl/x509.h:482:12: note: expected ‘X509_NAME *’ {aka ‘struct X509_name_st *’} but argument is of type ‘const X509_NAME *’ {aka ‘const struct X509_name_st *’}
  482 | X509_NAME *X509_NAME_dup(X509_NAME *xn);
      |            ^~~~~~~~~~~~~
utils/crypto.c: In function ‘quirk_X509_STORE_ctx_get1_crls’:
utils/crypto.c:888:8: error: implicit declaration of function ‘Pv_X509_STORE_CTX_get1_crls’; did you mean ‘X509_STORE_CTX_get1_crls’? [-Werror=implicit-function-declaration]
  888 |  ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject);
      |        ^~~~~~~~~~~~~~~~~~~~~~~~~~~
      |        X509_STORE_CTX_get1_crls
utils/crypto.c:888:8: error: nested extern declaration of ‘Pv_X509_STORE_CTX_get1_crls’ [-Werror=nested-externs]
utils/crypto.c:888:6: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion]
  888 |  ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject);
      |      ^
utils/crypto.c:902:7: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion]
  902 |   ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
      |       ^
utils/crypto.c:913:7: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion]
  913 |   ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
      |       ^
utils/crypto.c:925:6: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion]
  925 |  ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
      |      ^
"
and
"
utils/crypto.c: In function ‘x509_armonk_locality_fixup’:
utils/crypto.c:770:22: error: passing argument 1 of ‘X509_NAME_dup’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
  770 |  ret = X509_NAME_dup(name);
      |                      ^~~~
In file included from /usr/include/openssl/pem.h:17,
                 from utils/crypto.c:17:
/usr/include/openssl/x509.h:482:12: note: expected ‘X509_NAME *’ {aka ‘struct X509_name_st *’} but argument is of type ‘const X509_NAME *’ {aka ‘const struct X509_name_st *’}
  482 | X509_NAME *X509_NAME_dup(X509_NAME *xn);
      |            ^~~~~~~~~~~~~
utils/crypto.c: In function ‘quirk_X509_STORE_ctx_get1_crls’:
utils/crypto.c:888:8: error: implicit declaration of function ‘Pv_X509_STORE_CTX_get1_crls’; did you mean ‘X509_STORE_CTX_get1_crls’? [-Werror=implicit-function-declaration]
  888 |  ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject);
      |        ^~~~~~~~~~~~~~~~~~~~~~~~~~~
      |        X509_STORE_CTX_get1_crls
utils/crypto.c:888:8: error: nested extern declaration of ‘Pv_X509_STORE_CTX_get1_crls’ [-Werror=nested-externs]
utils/crypto.c:888:6: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion]
  888 |  ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject);
      |      ^
utils/crypto.c:902:7: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion]
  902 |   ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
      |       ^
utils/crypto.c:913:7: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion]
  913 |   ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
      |       ^
utils/crypto.c:925:6: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion]
  925 |  ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
      |      ^
utils/crypto.c: In function ‘x509_armonk_locality_fixup’:
utils/crypto.c:770:22: error: passing argument 1 of ‘X509_NAME_dup’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
  770 |  ret = X509_NAME_dup(name);
      |                      ^~~~
In file included from /usr/include/openssl/pem.h:17,
                 from utils/crypto.c:17:
/usr/include/openssl/x509.h:482:12: note: expected ‘X509_NAME *’ {aka ‘struct X509_name_st *’} but argument is of type ‘const X509_NAME *’ {aka ‘const struct X509_name_st *’}
  482 | X509_NAME *X509_NAME_dup(X509_NAME *xn);
      |            ^~~~~~~~~~~~~
utils/crypto.c: In function ‘quirk_X509_STORE_ctx_get1_crls’:
utils/crypto.c:888:8: error: implicit declaration of function ‘Pv_X509_STORE_CTX_get1_crls’; did you mean ‘X509_STORE_CTX_get1_crls’? [-Werror=implicit-function-declaration]
  888 |  ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject);
      |        ^~~~~~~~~~~~~~~~~~~~~~~~~~~
      |        X509_STORE_CTX_get1_crls
utils/crypto.c:888:8: error: nested extern declaration of ‘Pv_X509_STORE_CTX_get1_crls’ [-Werror=nested-externs]
utils/crypto.c:888:6: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion]
  888 |  ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject);
      |      ^
utils/crypto.c:902:7: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion]
  902 |   ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
      |       ^
utils/crypto.c:913:7: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion]
  913 |   ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
      |       ^
utils/crypto.c:925:6: error: assignment to ‘STACK_OF_X509_CRL_autoptr’ {aka ‘struct stack_st_X509_CRL *’} from ‘int’ makes pointer from integer without a cast [-Werror=int-conversion]
  925 |  ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
      |      ^
cc1: all warnings being treated as errors
make[4]: *** [../../common.mak:237: utils/crypto.o] Error 1
"

With that that the genprotimg build fails, genprotimg is omitted, but the rest of the package can be build and is finally packaged (without genprotimg).

This does not happen while building the s390-tools version for jammy and mantic,
so it's either another commit needed, or due to the different tool-chain.

So this unfortunately means that a backport of d14e7593cc6 is needed for focal.

Frank Heimes (fheimes) on 2024-04-16

description:	updated
Changed in s390-tools-signed (Ubuntu Mantic):
status:	New → In Progress
Changed in s390-tools-signed (Ubuntu Jammy):
status:	New → In Progress
Changed in s390-tools (Ubuntu Mantic):
status:	New → In Progress
Changed in s390-tools (Ubuntu Jammy):
status:	New → In Progress
Changed in s390-tools (Ubuntu Focal):
status:	New → Incomplete

Revision history for this message

bugproxy (bugproxy) wrote on 2024-04-16:

#15

------- Comment From <email address hidden> 2024-04-16 05:22 EDT-------
Can you please pick this commit:

https://github.com/ibm-s390-linux/s390-tools/commit/f5744b95db93fa9d5cfd6fb206767ad2dcc3c804

Revision history for this message

Frank Heimes (fheimes) wrote on 2024-04-16:

#16

Hi Marc,
I've added f5744b95db9, but I unfortunately still get the build errors:
https://launchpadlibrarian.net/724893134/buildlog_ubuntu-focal-s390x.s390-tools_2.12.0-0ubuntu3.9_BUILDING.txt.gz
(search for "error:")

Revision history for this message

Frank Heimes (fheimes) wrote on 2024-04-16:

#17

debdiff_focal.tgz Edit (7.2 KiB, application/x-tar)

Marc and me, we had a side discussion and finally found the missing commits and have a proper build for focal.
The build is available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp205930
and the debdiff(s) attached.

Changed in s390-tools (Ubuntu Focal):
status:	Incomplete → In Progress
Changed in s390-tools-signed (Ubuntu Focal):
status:	New → In Progress

Revision history for this message

bugproxy (bugproxy) wrote on 2024-04-17:

#18

------- Comment From <email address hidden> 2024-04-17 04:28 EDT-------
Thanks Frank and Marc.

Verified for focal with the focal-package in PPA at http://ppa.launchpad.net/fheimes/lp2059303/ubuntu (2.12.0-0ubuntu3.8)

-> verified for all releases in service.
focal, jammy, mantic, and noble.

Steffen

Revision history for this message

Frank Heimes (fheimes) wrote on 2024-04-17:

#19

Cool, thanks a lot Steffen!

Frank Heimes (fheimes) on 2024-04-17

description:	updated
Changed in s390-tools-signed (Ubuntu Mantic):
importance:	Undecided → Critical
Changed in s390-tools-signed (Ubuntu Jammy):
importance:	Undecided → Critical
Changed in s390-tools-signed (Ubuntu Focal):
importance:	Undecided → Critical
Changed in s390-tools (Ubuntu Mantic):
importance:	Undecided → Critical
Changed in s390-tools (Ubuntu Jammy):
importance:	Undecided → Critical
Changed in s390-tools (Ubuntu Focal):
importance:	Undecided → Critical

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2024-04-23:

#20

I've been asked to try to help these updates along; I'm not on the SRU team so I can't give concrete directions, only suggestions.

My assumption is that these package updates should be published first to -updates for autopkgtest testing, and once they have passed testing and phased to users, then we should republish these updates to -security so that they are available to all users. Does this sound correct?

This is much easier to execute if the updates have been built in a PPA with only -security enabled, and not -updates. (The -security pocket is built with only packages from -release and -security, not -updates.) Do packages built in such a PPA exist?

The SRU workflow asks for packages to be either uploaded with dput to the queue or debdiffs provided. I see some debdiffs here, but some additional work was performed after most of the debdiffs were uploaded. Are the posted debdiffs something that the SRU team should work with? The Ubuntu Sponsors team was added around three weeks ago, before much of the work was done, it's entirely possible that this has fallen off their radar as a result. (And, the general hustle of responding to the xz-utils issue, release time goals, etc.)

So, with the reminder that I'm not on the SRU team, I think the next steps should be:

- prepare a PPA with only -security enabled
- build packages
- ask SRU team to move the packages to -proposed and see how autopkgtests go
- phase the update
- ask the security team to binary copy the packages to -security once it's proven in the field

What do you think?

Thanks

Revision history for this message

Frank Heimes (fheimes) wrote on 2024-04-23:

#21

debdiffs.tgz Edit (79.5 KiB, application/x-tar)

Hi @seth-arnold,
I am not in-depth familiar with security related updates (since they happen rarely for me, and if private-security are handled by the security team anyway).

"
My assumption is that these package updates should be published first to -updates for autopkgtest testing, and once they have passed testing and phased to users, then we should republish these updates to -security so that they are available to all users. Does this sound correct?
"
There are no autopkgtests (for historical reasons and since lot's of functions in that package req. the hw to be configured in a certain way, which cannot guaranteed by the build systems), but the packages get (and already got) already manually tested upfront, with focus on the changes (according to test plan in SRU justification).

"
This is much easier to execute if the updates have been built in a PPA with only -security enabled, and not -updates. (The -security pocket is built with only packages from -release and -security, not -updates.) Do packages built in such a PPA exist?
"
I've now kicked off build in a -security only PPA here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp2059303-sec
(so yes, they build there, but it'll take a while until published)

"
The SRU workflow asks for packages to be either uploaded with dput to the queue or debdiffs provided. I see some debdiffs here, but some additional work was performed after most of the debdiffs were uploaded.
"
The changes are some broken URL references in some quilt patch headers, I've fixed those.

"
Are the posted debdiffs something that the SRU team should work with? The Ubuntu Sponsors team was added around three weeks ago, before much of the work was done, it's entirely possible that this has fallen off their radar as a result. (And, the general hustle of responding to the xz-utils issue, release time goals, etc.)
"
I think the debdiffs should be taken (as usual).
It's difficult to get SRUs processed around release times.

One concern I have is that copying the packages might not work, since there is a bootloader component that is signed, and the signing key is based on the location where the package is build.
Hence a package build in PPA will be signed with the PPA key and not with the official ('production') key
and so copying it over from PPA to archive will probably mess up things.

So I believe the debdiffs need to be the base for an upload (by a sponsor), then build for the archives (that will ensure signing with the proper key), then published on -proposed, verified there and then eventually released.

(I'm attaching the debdiffs again, with fixed urls)

Hi @seth-arnold,
I am not in-depth familiar with security related updates (since they happen rarely for me, and if private-security are handled by the security team anyway).

(I'm attaching the debdiffs again, with fixed urls)