Comment 0 for bug 2018911

Revision history for this message
bugproxy (bugproxy) wrote :

---Problem Description---
Summary
=======
IBM z16 system LPAR
OS: "Ubuntu 22.04.1 LTS (Jammy Jellyfish)" on 5.15.0-69-generic kernel
    providing
    opencryptoki 3.17.0+dfsg+20220202.b40982e-0ubuntu1.1 s390x
The opencryptoki package is missing the strength.conf file

Details
=======
When attempting to build up no opencryptoki token is displayed.
Further investigations revealed the problem is related to a missing configuration file which is not shipped/included by the opencryptoki package.

Run : dpkg -L opencryptoki and check the list of files for the /etc directory.

Furhter, enabled the opencryptoki debug messages to display why the tokens are not built up by 'export OPENCRYPTOKI_TRACE_LEVEL=4', then running pkcsconf -t. A log file is written to the /var/log/opencryptoki directory. Mind to unset the trace var again.

Terminal output
===============
# cat /var/log/opencryptoki/trace.15928
04/27/2023 14:01:34 15928 [usr/lib/common/trace.c:210 api] INFO: **** OCK Trace level 4 activated for OCK version 3.17.0 ****
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:2875 api] INFO: C_Initialize
04/27/2023 14:01:34 15928 [usr/lib/api/policy.c:1666 api] ERROR: Failed to open /etc/opencryptoki/strength.conf: No such file or directory
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:3092 api] ERROR: Policy loading failed! rc=0x5
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1656 api] INFO: C_Finalize
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1658 api] ERROR: API not initialized

Contact Information = <email address hidden>

---uname output---
Linux sytem 5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:22:11 UTC 2023 s390x s390x s390x GNU/Linux

Machine Type = IBM Type: 3931 Model: 704 A01

---Debugger---
A debugger is not configured

---Steps to Reproduce---
 1.) Install Ubuntu 22.04.1 onto your LPAR, VM guest or KVM guest
2.) Install opencryptoki via apt-get install -y opencryptoki
3.) run: pkcsconf -t
    and watch the problem to occur
  # pkcsconf -t
  Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)
4.) export OPENCRYPTOKI_TRACE_LEVEL=4
5.) Run step 4 again
6.) ls -l /var/log/opencryptoki
    The debug file contains the hit to the missing .conf file

Userspace tool common name: pkcsconf

The userspace tool has the following bit modes: 64bit

Userspace rpm: opencryptoki

Userspace tool obtained from project website: na

*Additional Instructions for <email address hidden>:
-Attach ltrace and strace of userspace application.

== Comment: <email address hidden> - 2023-04-28 03:52:34 ==
That is somewhat strange. Opencryptoki 3.17 does NOT yet contain support for policies, at least not the upstream version. Policy support came only with 3.18.
So I would not have expected that 3.17 has policy support at all.

However, I don't know if the policy support was backported for/by Ubuntu to Ubuntu's opencryptoki 3.17?

If that's the case, then I would assume that only policy support, but not support for statistics was backported (you can check if 'pkcsstats' is available with Ubuntu's 3.17).

With just policy support (but not statistics), the 2 config files required for enabling policies (strength.cong and policy.conf) are intentionally not shipped and installed in /etc/opencryptoki, but it is the user's responsibility to provide both of them when enabling policies. Examples for both of these config files are provided in the documentation directory of the package: strength-example.conf and policy-example.conf.

With 3.18, statistics support was added, and with that, the strength.conf file was changed to be shipped and installed in /etc/opencryptoki, because the statistics support needs to know the strength definitions as well, independent of policies being enabled or not. So starting with 3.18, a user would only have to supply a policy.conf file to enable policies, if the provided strength configuration matches its need.

Please keep in mind, the provided strength.conf/strength-example.conf and policy-example.conf file are intentionally just examples! A user must adjust them to what its requirements on key strength and policy settings are. For example, the provided policy example config file 'policy-example.conf' contains the following:

  # Do not require any specific strength.
  # You probably do not want this!
  strength = 0

So this is something that the user must adjust in any case. Having a policy that requires a key strength of 0 bits simply means that all keys of all strength are allowed.

Please also see 'man policy.conf' and 'man strength.conf' for details.

Given above, I would tent to consider this BZ as 'works as designed', unless it turns out that the backport misses important things.

== Comment: <email address hidden> - 2023-04-28 03:59:08 ==
It only fails if the user has supplied a policy.conf file, but no strength.conf file.

== Comment: <email address hidden> - 2023-05-08 05:10:09 ==
Apparently the policy as well as statistics support shall be integrated into the opencryptoki library release shipped with Ubuntu 22.04 (jammy jellyfish). Please integrate a default strength.conf file.
Thanks.

Refer also to the comment in LaunchPad LP1959419 :
"Please note that with the patches on top of 3.17 a new strength.conf file is being installed into /etc/opencryptoki when doing 'make install'. Make sure that you include this new file into your package so that it gets installed at the user systems. Without the strength.conf file opencryptoki won't work."

== Comment: <email address hidden> - 2023-05-08 06:14:46 ==
Note that strength.conf must be owned by root:pkcs11 and MUST (!) have a mode of 0640.