Thursday, April 21, 2022

Howto: Verifying Secure Execution Host Key Documents

TL;DR

Using genprotimg to build an IBM Secure Execution for Linux image may fail after CA certificate reissue in April 2022.
If this happens you can work around it by using this script
to verify the validity of the host key document and run genprotimg with the --noverify option.

The certificates used to verify Host Key Documents for IBM Secure Execution for Linux are about to be renewed in April 2022. As a result, the genprotimg tool contained in your Linux distribution may report a verification failure and refuse to build a secure image. Patches for RHEL 8 as well as for SLES 15 and Ubuntu 20.04 are underway, so the issue can eventually be fixed by updating your Linux installation.
Until then, it is possible to work around as follows:
  1. Download the check_hostkeydoc script at https://github.com/ibm-s390-linux/s390-tools/blob/master/genprotimg/samples/check_hostkeydoc.
  2. Run
    check_hostkeydoc <your host key document> \
        ibm-z-host-key-signing.crt -c DigiCertCA.crt
     
  3. If the previous step succeeded, it's safe to
    run genprotimg --no-verify -k <your host key document> \
        -o <output file> -i <kernel file> -r <ramdisk file> \
        -p <parameter file>
More information about IBM Secure Execution for Linux can be found here.

No comments:

Post a Comment