Bug #1959966 “[23.04 FEAT] KVM: Secure Execution guest dump encr...” : Bugs : Ubuntu on IBM z Systems

bugproxy (bugproxy) on 2022-02-03

tags:	added: architecture-s39064 bugnameltc-196317 severity-high targetmilestone-inin2204
Changed in ubuntu:
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
affects:	ubuntu → linux (Ubuntu)

Revision history for this message

bugproxy (bugproxy) wrote on 2022-02-03: Comment bridged from LTC Bugzilla

#1

------- Comment From <email address hidden> 2022-02-03 17:25 EDT-------
This also has an kernel and s390-tools part:

IBM BZ 196316 - LP#1959940 : [22.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - kernel part
IBM BZ 196318 - LP1#959965 : [22.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - s390-tools part

Frank Heimes (fheimes) on 2022-02-04

affects:	linux (Ubuntu) → qemu (Ubuntu)
Changed in ubuntu-z-systems:
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in qemu (Ubuntu):
importance:	Undecided → High
Changed in ubuntu-z-systems:
importance:	Undecided → High
Changed in qemu (Ubuntu):
status:	New → Incomplete
Changed in ubuntu-z-systems:
status:	New → Incomplete
tags:	added: qemu-22.04

Revision history for this message

bugproxy (bugproxy) wrote on 2022-03-20:

#2

------- Comment From <email address hidden> 2022-03-20 19:31 EDT-------
Item didn't make it in time for jammy / 22.04, therefore we need to move this to Ubuntu 22.10.
Changing Target Milestone: from 22.04 ==> 22.10

tags:

added: targetmilestone-inin2210
removed: targetmilestone-inin2204

Frank Heimes (fheimes) on 2022-03-21

summary:

- [22.04 FEAT] KVM: Secure Execution guest dump encryption with customer
+ [22.10 FEAT] KVM: Secure Execution guest dump encryption with customer
keys - qemu part

Revision history for this message

bugproxy (bugproxy) wrote on 2022-09-12:

#3

------- Comment From <email address hidden> 2022-09-12 00:57 EDT-------
This item didn't make it in time for kinetic / 22.10, therefore we have to move it to Ubuntu 23.04.
Changing Target Milestone to: 23.04

tags:

added: targetmilestone-inin2304
removed: targetmilestone-inin2210

Frank Heimes (fheimes) on 2022-09-12

summary:	- [22.10 FEAT] KVM: Secure Execution guest dump encryption with customer + [23.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - qemu part
tags:	added: qemu-23.04 removed: qemu-22.04

Frank Heimes (fheimes) on 2022-11-17

Changed in ubuntu-z-systems:
status:	Incomplete → New
Changed in qemu (Ubuntu):
status:	Incomplete → New

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2023-01-05:

#4

Hi,
I'm merging qemu 7.2 now, is this completed upstream by now?
Either in 7.2 or at least in the latest main branch to pick from?

Revision history for this message

bugproxy (bugproxy) wrote on 2023-01-09:

#5

------- Comment From <email address hidden> 2023-01-09 03:03 EDT-------
It's both in master and 7.2 AFAIK

Frank Heimes (fheimes) on 2023-01-09

Changed in ubuntu-z-systems:
status:	New → Confirmed
Changed in qemu (Ubuntu):
status:	New → Confirmed

Frank Heimes (fheimes) on 2023-01-25

Changed in qemu (Ubuntu):
status:	Confirmed → In Progress
Changed in ubuntu-z-systems:
status:	Confirmed → In Progress

Revision history for this message

bugproxy (bugproxy) wrote on 2023-02-14:

#6

------- Comment From <email address hidden> 2023-02-14 10:18 EDT-------
For this item there's a fix available but it's not yet merged into qemu:
https://<email address hidden>/T/#t

Revision history for this message

Frank Heimes (fheimes) wrote on 2023-02-15:

#7

Meanwhile 7.2 landed in lunar-proposed:
qemu | 1:7.2+dfsg-3ubuntu1 | lunar-proposed
hence updating ticket status to Fix Committed.

Changed in qemu (Ubuntu):
status:	In Progress → Fix Committed
Changed in ubuntu-z-systems:
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2023-03-06:

#8

Download full text (9.9 KiB)

This bug was fixed in the package qemu - 1:7.2+dfsg-4ubuntu1

---------------
qemu (1:7.2+dfsg-4ubuntu1) lunar; urgency=medium

  * Merge with Debian unstable (LP: #1993438), among many other fixes
    this resolvs these bugs:
    (LP: #1957924) - support for querying stats,
    (LP: #1853307) - Enhanced Interpretation for PCI Functions (s390x)
    (LP: #1959966) - guest dump encryption with customer keys (s390x)
    (LP: #1999885) - pv: don't allow userspace to set the clock under PV
    (LP: #1957924) - add filtering of statistics by target vCPU
    remaining changes:
    - qemu-kvm to systemd unit
      - d/qemu-kvm-init: script for QEMU KVM preparation modules, ksm,
        hugepages and architecture specifics
      - d/qemu-system-common.qemu-kvm.service: systemd unit to call
        qemu-kvm-init
      - d/qemu-system-common.install: install helper script
      - d/qemu-system-common.qemu-kvm.default: defaults for
        /etc/default/qemu-kvm
      - d/rules: call dh_installinit and dh_installsystemd for qemu-kvm
    - Distribution specific machine type
      (LP: 1304107 1621042 1776189 1761372 1761372 1776189)
      - d/p/ubuntu/define-ubuntu-machine-types.patch: define distro machine
        types containing release versioned machine attributes
      - d/qemu-system-x86.NEWS Info on fixed machine type defintions
        for host-phys-bits=true
      - Add an info about -hpb machine type in debian/qemu-system-x86.NEWS
      - ubuntu-q35 alias added to auto-select the most recent q35 ubuntu type
    - Enable nesting by default
      - d/p/ubuntu/enable-svm-by-default.patch: Enable nested svm by default
        in qemu64 on amd
        [ No more strictly needed, but required for backward compatibility ]
    - tolerate ipxe size change on migrations to >=18.04 (LP: 1713490)
      - d/p/ubuntu/pre-bionic-256k-ipxe-efi-roms.patch: old machine types
        reference 256k path
      - d/control-in: depend on ipxe-qemu-256k-compat-efi-roms to be able to
        handle incoming migrations from former releases.
    - d/qemu-system-x86.README.Debian: add info about updated nesting changes
    - Ease the use of module retention on upgrades (LP 1913421)
      - debian/qemu-block-extra.postinst: enable mount unit on install/upgrade
    - d/control-in: switch qemu-system-x86-xen to qemu-system-xen as this
      landed in Debian but under a different name.
    - Remaining GCC-12 FTBFS (LP 1988710 + LP 1921664)
      + d/p/u/qboot-Disable-LTO-for-ELF-binary-build-step.patch:
        fix qboot FTBFS with LTO
  * Dropped Changes [now part of upstream v7.2.0]
    - d/p/u/lp1994002-migration-Read-state-once.patch: Fix for libvirt
      error 'migration was active, but no RAM info was set' (LP 1994002)
    - d/p/u/ebpf-replace-deprecated-bpf_program__set_socket_filt.patch:
      Fix FTBFS with libbpf 1.0.1-2.
      + Header updates that were added as part of the libbpf fixes
        but not mentioned in changelog
    - d/p/u/lp-1981339-*: fix s390x system emulation (LP 1981339)
    - Fix I/O stalls when using NVMe storage (LP 1970737).
      + d/p/lp1970737-linux-aio-*.patch: Fix unbalanced plugged counter
        in laio_io_unplug.
    - SECURITY UPDATE...

This bug was fixed in the package qemu - 1:7.2+dfsg-4ubuntu1

---------------
qemu (1:7.2+dfsg-4ubuntu1) lunar; urgency=medium

* Merge with Debian unstable (LP: #1993438), among many other fixes
    this resolvs these bugs:
    (LP: #1957924) - support for querying stats,
    (LP: #1853307) - Enhanced Interpretation for PCI Functions (s390x)
    (LP: #1959966) - guest dump encryption with customer keys (s390x)
    (LP: #1999885) - pv: don't allow userspace to set the clock under PV
    (LP: #1957924) - add filtering of statistics by target vCPU
    remaining changes:
    - qemu-kvm to systemd unit
      - d/qemu-kvm-init: script for QEMU KVM preparation modules, ksm,
        hugepages and architecture specifics
      - d/qemu-system-common.qemu-kvm.service: systemd unit to call
        qemu-kvm-init
      - d/qemu-system-common.install: install helper script
      - d/qemu-system-common.qemu-kvm.default: defaults for
        /etc/default/qemu-kvm
      - d/rules: call dh_installinit and dh_installsystemd for qemu-kvm
    - Distribution specific machine type
      (LP: 1304107 1621042 1776189 1761372 1761372 1776189)
      - d/p/ubuntu/define-ubuntu-machine-types.patch: define distro machine
        types containing release versioned machine attributes
      - d/qemu-system-x86.NEWS Info on fixed machine type defintions
        for host-phys-bits=true
      - Add an info about -hpb machine type in debian/qemu-system-x86.NEWS
      - ubuntu-q35 alias added to auto-select the most recent q35 ubuntu type
    - Enable nesting by default
      - d/p/ubuntu/enable-svm-by-default.patch: Enable nested svm by default
        in qemu64 on amd
        [ No more strictly needed, but required for backward compatibility ]
    - tolerate ipxe size change on migrations to >=18.04 (LP: 1713490)
      - d/p/ubuntu/pre-bionic-256k-ipxe-efi-roms.patch: old machine types
        reference 256k path
      - d/control-in: depend on ipxe-qemu-256k-compat-efi-roms to be able to
        handle incoming migrations from former releases.
    - d/qemu-system-x86.README.Debian: add info about updated nesting changes
    - Ease the use of module retention on upgrades (LP 1913421)
      - debian/qemu-block-extra.postinst: enable mount unit on install/upgrade
    - d/control-in: switch qemu-system-x86-xen to qemu-system-xen as this
      landed in Debian but under a different name.
    - Remaining GCC-12 FTBFS (LP 1988710 + LP 1921664)
      + d/p/u/qboot-Disable-LTO-for-ELF-binary-build-step.patch:
        fix qboot FTBFS with LTO
  * Dropped Changes [now part of upstream v7.2.0]
    - d/p/u/lp1994002-migration-Read-state-once.patch: Fix for libvirt
      error 'migration was active, but no RAM info was set' (LP 1994002)
    - d/p/u/ebpf-replace-deprecated-bpf_program__set_socket_filt.patch:
      Fix FTBFS with libbpf 1.0.1-2.
      + Header updates that were added as part of the libbpf fixes
        but not mentioned in changelog
    - d/p/u/lp-1981339-*: fix s390x system emulation (LP 1981339)
    - Fix I/O stalls when using NVMe storage (LP 1970737).
      + d/p/lp1970737-linux-aio-*.patch: Fix unbalanced plugged counter
        in laio_io_unplug.
    - SECURITY UPDATE: heap overflow in floppy disk emulator
      + debian/patches/CVE-2021-3507.patch: prevent end-of-track overrun in
        hw/block/fdc.c.
    - SECURITY UPDATE: use-after-free vulnerability
      + debian/patches/CVE-2022-0216-*.patch: fix use-after-free in
        lsi_do_msgout
    - SECURITY UPDATE: heap overflow vulnerability
      + debian/patches/CVE-2022-2962.patch: tulip: Restrict DMA engine to
        memories
    - SECURITY UPDATE: integer underflow vulnerability
      + debian/patches/CVE-2022-3165.patch: fix integer underflow in
        vnc_client_cut_text_ext
  * Dropped Changes in regard to GCC-12 FTBFS (LP 1988710)
    [not all are needed in lunar]
    -  d/p/u/lp1988710-silence-openbios-array-bounds-false-positive.patch.
       Silence -Warray-bounds false positive [no more needed]
    - d/rules: set -O1 for alpha firmware build
    - d/p/u/lp1988710-opensbi-Makefile-fix-build-with-binutils-2.38.patch:
      further FTBFS fixup
  * Dropped Changes [in Debian 1:7.2+dfsg-3]
    - d/rules: disable LTO on non-amd64 builds (LP 1921664)
  * Added Changes
    - d/control-in: libnfs is in main since focal, enable direct nfs
      storage support (LP: #1988704)
    - d/control-in: libsndio is in universe in ubuntu

qemu (1:7.2+dfsg-4) unstable; urgency=medium

* block-fix-detect-zeroes-with-BDRV_REQ_REGISTERED_BUF.patch:
    re-pick now from master (the same patch, moved to master/).
  * revert x86-don-t-let-decompressed-kernel-image-clobber-setu.patch
    Closes: ##1031682 .
    This turned out to be wrong move, breaking more stuff than fixing.
    Upstream is going to revert it too.

qemu (1:7.2+dfsg-3) unstable; urgency=medium

[ Paride Legovini ]
  * Disable LTO on non-amd64 builds (LP: #1921664)

[ Michael Tokarev ]
  * target-arm-Fix-physical-address-resolution-for-Stage2.patch:
    re-fetch now from master branch
  * 4 more patches picked from master:
    x86-don-t-let-decompressed-kernel-image-clobber-setu.patch
    migration-ram-Fix-error-handling-in-ram_write_tracki.patch
    migration-ram-Fix-populate_read_range.patch
    qcow2-Fix-theoretical-corruption-in-store_bitmap-err.patch
  * 5 fixes picked from current pullreqs:
    block-fix-detect-zeroes-with-BDRV_REQ_REGISTERED_BUF.patch
    tests_tcg_i386-introduce-and-use-reg_t-consistently.patch
    target_i386-fix-BEXTR-instruction.patch
    target_i386-fix-C-flag-for-BLSI-BLSMSK-BLSR.patch
    target_i386-fix-ADOX-followed-by-ADCX.patch
  * disable dwz on certain architectures for older dwz
    (FTBFS on bullseye, #968670)

qemu (1:7.2+dfsg-2) unstable; urgency=medium

* d/rules: add -ffile-prefix-map when building skiboot
  * d/control: provide qemu-kvm in qemu-system-misc on s390x
    (Closes: #1029309)
  * d/control: drop dependency of qemu-guest-agent on lsb-base
  * Picked patches from qemu master branch tagged for qemu-stable
    up to commit deabea6e88 (2023-02-02):
    target-sh4-Mask-restore-of-env-flags-from-tb-flags.patch
    vhost-fix-vq-dirty-bitmap-syncing-when-vIOMMU-is-ena.patch
    virtio-mem-Fix-the-bitmap-index-of-the-section-offse.patch
    virtio-mem-Fix-the-iterator-variable-in-a-vmem-rdl_l.patch
    target-arm-fix-handling-of-HLT-semihosting-in-system.patch
    meson-accept-relative-symlinks-in-meson-introspect-i.patch
    target-riscv-Set-pc_succ_insn-for-rvc-illegal-insn.patch
    acpi-cpuhp-fix-guest-visible-maximum-access-size-to-.patch
    hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch
    hw-nvme-fix-missing-cq-eventidx-update.patch
    configure-fix-GLIB_VERSION-for-cross-compilation.patch
    target-arm-Fix-sve_probe_page.patch
    target-arm-allow-writes-to-SCR_EL3.HXEn-bit-when-FEA.patch
    target-arm-Fix-in_debug-path-in-S1_ptw_translate.patch
  * Also: target-arm-Fix-physical-address-resolution-for-Stage.patch

qemu (1:7.2+dfsg-1) unstable; urgency=medium

* new upstream release
    Closes: #1025123 CVE-2022-4172
    (erst: undefined behavior in memcpy in write_erst_record)
    Closes: #1021981 qemu-user: faccessat2 is not implemented
    Closes: #1021019 CVE-2022-3165 (VNC: integer underflow in
    vnc_client_cut_text_ext leads to CPU exhaustion)
  * remove patches applied upstream
  * refresh note-missing-module-pkg-name.diff
  * slirp is always external package now, not a submodule anymore
  * d/control: require meson >> 0.61.5~ for build
  * spelling.diff: update with more spelling error
  * add some lintian-overrides
  * fix minor spelling errors in patches
  * d/control: Bump Standards-Version to 4.6.1
  * debian shell programs use "which" instead of the "command -v",
    fix that (Closes: #1018254)
  * Better fix for #1019011 (gcc ICE building palcode-clipper), use -O1
    instead of -O2 for the failing compile when it actually fails
    (no need to depend on gcc-11, Closes: #1011003)

qemu (1:7.1+dfsg-2) unstable; urgency=medium

* tulip-restrict-DMA-engine-to-memories-CVE-2022-2962.patch
    fix possible stack or heap overflow (tulip: DMA reentrancy issue)
    Closes: #1018055, CVE-2022-2962
  * hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch
    fix possible use-after-free in paravirtual RDMA device.
    Closes: #1014589, CVE-2022-1050
  * mention closing of #979677 (CVE-2020-14394) by 7.1
  * d/rules: parametrify extra-cflags & extra-ldflags
  * d/rules: explicitly disable pie on arm64 due to
    https://sourceware.org/bugzilla/show_bug.cgi?id=29514
    Fixes FTBFS.

qemu (1:7.1+dfsg-1) unstable; urgency=medium

* new upstream release (7.1)
    Closes: #1014958, CVE-2022-35414
    Closes: #1014590, CVE-2022-0216
    Closes: #979677, CVE-2020-14394
    Closes: #987410, CVE-2021-3507
    Closes: #988333, #1018913
  * d/copyright:
   - remove mentions of slirp (packaged separately)
   - blindly convert to dep-5 (it needs a complete rewrite)
   - add Files-Excluded from d/get-orig-source.sh
  * d/gbp.conf: remove filter= (and whole [import-orig])
  * d/watch: verify upstream tarballs
  * d/rules: stop faking skiboot version, it is now properly included in
    roms/skiboot/.version file. Add a dependency on this file too
  * d/patches:
   - remove use-fixed-data-path.patch: not needed anymore
   - linux-user-binfmt-P.diff: refresh
   - remove patches applied upstream
  * d/control:
   - it is --enable-capstone now, not --enable-capstone=system
   - it is --enable-png now, not --enable-vnc-png
  * d/rules: fix --enable-vhost-* options
  * d/rules: remove vnc-png for xen too
  * openbios-array-bounds-gcc12.patch
  * opensbi-fix-build-with-binutils-2.38.patch
  * d/rules: adopt vof build changes
  * d/qemu-system-data.docs: omit ccid.txt (removed)
  * temporary workaround for gcc-12 bug #1019011: use gcc-11-alpha-linux-gnu
    instead of gcc-alpha-linux-gnu (another option is to use -Os)
  * d/control: temporarily build-depend on libva-dev till #1019485 is fixed
  * add loongarch64 qemu-user and qemu-user arch

-- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 04 Jan 2023 13:18:43 +0100

Changed in qemu (Ubuntu):
status:	Fix Committed → Fix Released

Frank Heimes (fheimes) on 2023-03-06

Changed in ubuntu-z-systems:
status:	Fix Committed → Fix Released
information type:	Private → Public

Ubuntu on IBM z Systems

[23.04 FEAT] KVM: Secure Execution guest dump encryption with customer keys - qemu part

Bug Description

Related branches

CVE References

Other bug subscribers

Remote bug watches

Affects		Status	Importance	Assigned to	Milestone
	Ubuntu on IBM z Systems	Fix Released	High	Skipper Bug Screeners
	qemu (Ubuntu)	Fix Released	High	Skipper Bug Screeners