Public bug reported: == Comment: #0 - Viktor Mihajlovski <mihaj...@de.ibm.com> - 2022-04-07 09:16:49 == The s390-tools script check_hostkeydoc can be used to perform the verification of the chain of trust for Secure Execution host key documents. The certificate verification is however too strict and doesn't match the checking performed by genprotimg. Affected is the OU field in the issuer DN of the host key document. As a consequence, verification failures will occur for host key documents issued for newer hardware generations like IBM z16.
== Comment: #1 - Viktor Mihajlovski <mihaj...@de.ibm.com> - 2022-04-07 09:18:08 == Fixed by: https://github.com/ibm-s390-linux/s390-tools commit 673ff375d939d3cde674f8f99a62d456f8b1673d Author: Viktor Mihajlovski <mihaj...@linux.ibm.com> Date: Tue Mar 15 12:55:02 2022 +0100 genprotimg/check_hostkeydoc: relax default issuer check ** Affects: linux (Ubuntu) Importance: Undecided Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) Status: New ** Tags: architecture-all bugnameltc-197551 severity-high targetmilestone-inin--- ** Tags added: architecture-all bugnameltc-197551 severity-high targetmilestone-inin--- ** Changed in: ubuntu Assignee: (unassigned) => Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) ** Package changed: ubuntu => linux (Ubuntu) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1968259 Title: [UBUNTU 22.04] check_hostkeydoc is checking the certificate issuer too strictly (s390-tools) Status in linux package in Ubuntu: New Bug description: == Comment: #0 - Viktor Mihajlovski <mihaj...@de.ibm.com> - 2022-04-07 09:16:49 == The s390-tools script check_hostkeydoc can be used to perform the verification of the chain of trust for Secure Execution host key documents. The certificate verification is however too strict and doesn't match the checking performed by genprotimg. Affected is the OU field in the issuer DN of the host key document. As a consequence, verification failures will occur for host key documents issued for newer hardware generations like IBM z16. == Comment: #1 - Viktor Mihajlovski <mihaj...@de.ibm.com> - 2022-04-07 09:18:08 == Fixed by: https://github.com/ibm-s390-linux/s390-tools commit 673ff375d939d3cde674f8f99a62d456f8b1673d Author: Viktor Mihajlovski <mihaj...@linux.ibm.com> Date: Tue Mar 15 12:55:02 2022 +0100 genprotimg/check_hostkeydoc: relax default issuer check To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1968259/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
