controller-0 reboot loop during the Install with extended security profile

Bug #1797204 reported by Anujeyan Manokeran
Affects     Status        Importance  Assigned to          Milestone
StarlingX   Fix Released  High        Paul-Emile Element   -

Bug Description

When installing a lab with the extended security profile with the StarlingX load, controller-0 was in a reboot loop when it was unlocked. The errors below from the console, fm and IMA logs concern signature authentication. Further investigation found that the wrong public certificate for the standard kernel was in the load.

2018-10-10T17:30:58.000 controller-0 fmManager: info { "event_log_id" : "500.500", "reason_text" : "Host controller-0 has IMA Appraisal failure for service /usr/local/bin/fmClientCli when executing file /usr/lib64/ld-2.17.so, reason = invalid-signature", "entity_instance_id" : "host=controller-0.service=fmClientCli", "severity" : "major", "state" : "msg", "timestamp" : "2018-10-10 17:30:58.192643" }
2018-10-10T17:30:58.000 controller-0 fmManager: info { "event_log_id" : "500.500", "reason_text" : "Host controller-0 has IMA Appraisal failure for service /usr/local/bin/fmClientCli when executing file /usr/lib64/libfmcommon.so.1.0, reason = invalid-signature", "entity_instance_id" : "host=controller-0.service=fmClientCli", "severity" : "major", "state" : "msg", "timestamp" : "2018-10-10 17:30:58.230603" }
2018-10-10T17:30:58.000 controller-0 fmManager: info { "event_log_id" : "500.500", "reason_text" : "Host controller-0 has IMA Appraisal failure for service /usr/local/bin/fmClientCli when executing file /usr/lib64/libstdc++.so.6.0.19, reason = invalid-signature", "entity_instance_id" : "host=controller-0.service=fmClientCli", "severity" : "major", "state" : "msg", "timestamp" : "2018-10-10 17:30:58.267403" }

.021642] integrity: Request for unknown key 'id:d5234f52' err -11
[ 269.021670] integrity: Request for unknown key 'id:d5234f52' err -11
[ 269.021792] integrity: Request for unknown key 'id:d5234f52' err -11

2018-10-10T17:30:04.000 controller-0 audispd: info node=controller-0 type=INTEGRITY_DATA msg=audit(1539192604.934:738570): pid=111327 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="invalid-signature" comm=tr name=/usr/lib64/ld-2.17.so dev=sda3 ino=135715 res=0
2018-10-10T17:30:04.000 controller-0 audispd: info node=controller-0 type=INTEGRITY_DATA msg=audit(1539192604.935:738571): pid=111327 uid=0 auid=4294967295 ses=4294967295 op="appraise_data" cause="invalid-signature" comm=tr name=/usr/lib64/libc-2.17.so dev=sda3 ino=135722 res=0

Severity
--------
Major

Steps to Reproduce
------------------
1. Follow install procedure
2. controller-0 installed and labsetup execution
3. Unlocking controller-0 leads to a reboot loop as per the description

Expected Behavior
-----------------
No reboot loop

Actual Behavior
---------------
As per description

Reproducibility
---------------
100% reproducible

System Configuration
--------------------
Duplex system

Branch/Pull Time/Commit
-----------------------
2018-10-10_01-52-00

Timestamp/Logs
--------------
2018-10-10T17:30:58.000

description: updated
Changed in starlingx:
assignee: nobody → Paul-Emile Element (paul-emileelement)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-integ (master)

Fix proposed to branch: master
Review: https://review.openstack.org/609540

Changed in starlingx:
status: New → In Progress
Paul-Emile Element (paul-emileelement) wrote : Re: STX:Controller-0 reboot loop during the Install with extended security profile

Root cause is a mismatched public IMA certificate in the standard kernel. The standard kernel is built with a public IMA certificate that does not match the signing key.
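As an added example (not part of this bug report or of the StarlingX code base), the Python script below runs the check a defender would want over constructed log lines modelled on the kernel and audit output quoted in the description: it pairs the kernel's "Request for unknown key 'id:...'" messages (that id is the key identifier carried in each file's IMA signature, which the kernel looks up in its IMA keyring) with the INTEGRITY_DATA appraisal failures, and flags the combination as a trusted-key mismatch, which is the root cause recorded in this comment, rather than as tampered files. The sample lines, regexes and function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines (assumption), modelled on the kernel and audit output in this report.
KERNEL_LOG = """\
[  269.021642] integrity: Request for unknown key 'id:d5234f52' err -11
[  269.021670] integrity: Request for unknown key 'id:d5234f52' err -11
[  269.021792] integrity: Request for unknown key 'id:d5234f52' err -11
"""
AUDIT_LOG = """\
type=INTEGRITY_DATA msg=audit(1539192604.934:738570): pid=111327 uid=0 op="appraise_data" cause="invalid-signature" comm=tr name=/usr/lib64/ld-2.17.so dev=sda3 ino=135715 res=0
type=INTEGRITY_DATA msg=audit(1539192604.935:738571): pid=111327 uid=0 op="appraise_data" cause="invalid-signature" comm=tr name=/usr/lib64/libc-2.17.so dev=sda3 ino=135722 res=0
type=INTEGRITY_DATA msg=audit(1539192610.100:738600): pid=111400 uid=0 op="appraise_data" cause="missing-hash" comm=sh name=/usr/local/bin/example dev=sda3 ino=200 res=0
"""

# The kernel names the key it looked for as 'id:<8 hex digits>' plus the errno it got back.
UNKNOWN_KEY_RE = re.compile(r"integrity: Request for unknown key 'id:([0-9a-f]{8})' err (-?\d+)")
# IMA appraisal audit records carry the operation, the failure cause and the file name.
AUDIT_RE = re.compile(
    r'type=INTEGRITY_DATA .*?op="(?P<op>[^"]+)" cause="(?P<cause>[^"]+)" '
    r'comm=(?P<comm>\S+) name=(?P<name>\S+)'
)

def unknown_key_ids(kernel_log):
    """Count, per key id, how often the kernel failed to find a key in its IMA keyring."""
    return Counter(m.group(1) for m in UNKNOWN_KEY_RE.finditer(kernel_log))

def appraisal_failures(audit_log):
    """Group failed appraisals as {cause: sorted list of file paths}."""
    failures = {}
    for m in AUDIT_RE.finditer(audit_log):
        failures.setdefault(m.group("cause"), set()).add(m.group("name"))
    return {cause: sorted(names) for cause, names in failures.items()}

def diagnose(kernel_log, audit_log):
    """'invalid-signature' failures together with an unknown key id mean the files were
    signed with a key whose certificate is not in the kernel's IMA keyring: the
    certificate/key mismatch this bug describes, not modified files."""
    keys = unknown_key_ids(kernel_log)
    failures = appraisal_failures(audit_log)
    if keys and "invalid-signature" in failures:
        key_id, _ = keys.most_common(1)[0]
        return {"verdict": "trusted-key-mismatch", "missing_key_id": key_id,
                "files": failures["invalid-signature"]}
    if failures:
        return {"verdict": "appraisal-failures", "causes": failures}
    return {"verdict": "clean"}
```

On a real host the two inputs would come from dmesg and the audit log; a "trusted-key-mismatch" verdict points at the loaded kernel certificate rather than at the signed files.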

Ghada Khalil (gkhalil) wrote :

Targeting stx.2018.10 - extended security profile is broken

summary: - STX:Controller-0 reboot loop during the Install with extended security profile
         + controller-0 reboot loop during the Install with extended security profile
tags: added: stx.2018.10 stx.security
Changed in starlingx:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-integ (master)

Reviewed: https://review.openstack.org/609540
Committed: https://git.openstack.org/cgit/openstack/stx-integ/commit/?id=7c298e93eeced9b53d2298eb24f8f9f9d25603a5
Submitter: Zuul
Branch: master

commit 7c298e93eeced9b53d2298eb24f8f9f9d25603a5
Author: Paul-Emile Element <email address hidden>
Date: Wed Oct 10 16:44:58 2018 -0400

    update ima public certificate for standard kernel

    the standard kernel includes a public ima certificate
    that does not match the development signing key

    This modification simply updates the certificate
    with the proper version

    Closes-Bug: #1797204

    Change-Id: Ic085ad0c1c4527e31efa96906475f79701d8fb79
    Signed-off-by: Paul-Emile Element <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-integ (r/2018.10)

Fix proposed to branch: r/2018.10
Review: https://review.openstack.org/610670

OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-integ (r/2018.10)

Reviewed: https://review.openstack.org/610670
Committed: https://git.openstack.org/cgit/openstack/stx-integ/commit/?id=e21e1d843d7d034c7fea6bc502ee94a04818996d
Submitter: Zuul
Branch: r/2018.10

commit e21e1d843d7d034c7fea6bc502ee94a04818996d
Author: Paul-Emile Element <email address hidden>
Date: Wed Oct 10 16:44:58 2018 -0400

    update ima public certificate for standard kernel

    the standard kernel includes a public ima certificate
    that does not match the development signing key

    This modification simply updates the certificate
    with the proper version

    Closes-Bug: #1797204

    Change-Id: Ic085ad0c1c4527e31efa96906475f79701d8fb79
    Signed-off-by: Paul-Emile Element <email address hidden>

Ken Young (kenyis)
tags: added: stx.1.0
removed: stx.2018.10