[UBUNTU] pkey: Indicate old mkvp only if old and curr. mkvp are different
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu on IBM z Systems |
Fix Released
|
High
|
Canonical Kernel Team | ||
linux (Ubuntu) |
Fix Released
|
Undecided
|
Skipper Bug Screeners | ||
Bionic |
Fix Released
|
Medium
|
Unassigned | ||
Cosmic |
Invalid
|
Medium
|
Unassigned | ||
Disco |
Fix Released
|
Medium
|
Unassigned |
Bug Description
SRU Justification:
==================
[Impact]
* 'zkey validate' shows wrong information about master key registers
* this might lead to unsuccessful usage of pkeys, although the master key and the derived keys are correct
[Fix]
* ebb7c695d3bc7a4
[Test Case]
* set a CCA master key
* generate a pkey
* 'change' (or better set) the current CCA master key to the exact same master key again which is currently in use
* execute a 'zkey validate'
[Regression Potential]
* The regression potential can be considered as very low since this is purely s390x specific
* changes are limited to a single file (drivers/
* patch changes only one line (actually expands an if stmt)
* and all this happens only in a very specific situation (in case a new master key was set, using the same key as before)
[Other Info]
* Problem was found during tests at IBM and is a so called 'preventive fix'
__________
Description: pkey: Indicate old mkvp only if old and curr. mkvp are different
Symptom: zkey validate shows wrong information about master key registers
Problem: When the CCA master key is set twice with the same master key,
then the old and the current master key are the same and thus
the verification patterns are the same, too. The check to report
if a secure key is currently wrapped by the old master key
Solution: Fix this by checking current and old mkvp and report OLD only if
Reproduction: Change the CCA master key but set the exact same master key that is already used. Then do a 'zkey validate' command on a secure key
Component: kernel 5.1 rc1
Upstream-ID: ebb7c695d3bc7a4
This fix will be provided with kernel >=5.1 , will be integrate in 19.10 by default.
But should also be applied to 18.04 and 19.04
CVE References
tags: | added: architecture-s39064 bugnameltc-178127 severity-high targetmilestone-inin1910 |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → linux (Ubuntu) |
Changed in ubuntu-z-systems: | |
importance: | Undecided → High |
assignee: | nobody → Canonical Kernel Team (canonical-kernel-team) |
Changed in ubuntu-z-systems: | |
status: | New → Triaged |
description: | updated |
Changed in linux (Ubuntu Bionic): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Cosmic): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Disco): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Bionic): | |
status: | New → Fix Committed |
Changed in linux (Ubuntu Disco): | |
status: | New → Fix Committed |
Changed in linux (Ubuntu Cosmic): | |
status: | New → Fix Committed |
Changed in ubuntu-z-systems: | |
status: | In Progress → Fix Committed |
tags: |
added: verification-done-xenial removed: verification-needed-xenial |
Kernel SRU request submitted: /lists. ubuntu. com/archives/ kernel- team/2019- June/thread. html#101400
https:/