2016-07-22 07:20:33 |
Frank Heimes |
bug |
|
|
added bug |
2016-07-22 07:21:09 |
Frank Heimes |
affects |
mongodb (Ubuntu) |
openssl-ibmca (Ubuntu) |
|
2016-07-22 07:21:44 |
Frank Heimes |
tags |
|
s390x |
|
2016-07-22 07:22:09 |
Frank Heimes |
summary |
openssl engine throws errir if trying to exploit hw crypto on z due to library issue |
openssl engine throws error if trying to exploit hw crypto on z due to library issue |
|
2016-07-22 09:29:23 |
Frank Heimes |
bug task added |
|
openssl (Ubuntu) |
|
2016-07-22 09:31:21 |
Frank Heimes |
bug task added |
|
libica (Ubuntu) |
|
2016-08-06 15:45:03 |
Frank Heimes |
summary |
openssl engine throws error if trying to exploit hw crypto on z due to library issue |
openssl engine error if trying to exploit hw crypto on z due to library issue |
|
2016-09-06 17:06:18 |
Dimitri John Ledkov |
openssl (Ubuntu): assignee |
|
Dimitri John Ledkov (xnox) |
|
2016-09-06 17:06:20 |
Dimitri John Ledkov |
libica (Ubuntu): assignee |
|
Dimitri John Ledkov (xnox) |
|
2016-09-06 17:06:22 |
Dimitri John Ledkov |
openssl-ibmca (Ubuntu): assignee |
|
Dimitri John Ledkov (xnox) |
|
2016-09-07 18:58:29 |
Frank Heimes |
libica (Ubuntu): status |
New |
Confirmed |
|
2016-09-07 18:58:34 |
Frank Heimes |
openssl (Ubuntu): status |
New |
Confirmed |
|
2016-09-07 18:58:39 |
Frank Heimes |
openssl-ibmca (Ubuntu): status |
New |
Confirmed |
|
2016-10-04 13:57:59 |
Dimitri John Ledkov |
openssl (Ubuntu): status |
Confirmed |
Invalid |
|
2016-10-04 13:58:01 |
Dimitri John Ledkov |
libica (Ubuntu): status |
Confirmed |
Invalid |
|
2016-10-04 13:58:07 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Yakkety |
|
2016-10-04 13:58:07 |
Dimitri John Ledkov |
bug task added |
|
openssl (Ubuntu Yakkety) |
|
2016-10-04 13:58:07 |
Dimitri John Ledkov |
bug task added |
|
libica (Ubuntu Yakkety) |
|
2016-10-04 13:58:07 |
Dimitri John Ledkov |
bug task added |
|
openssl-ibmca (Ubuntu Yakkety) |
|
2016-10-04 13:58:07 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Xenial |
|
2016-10-04 13:58:07 |
Dimitri John Ledkov |
bug task added |
|
openssl (Ubuntu Xenial) |
|
2016-10-04 13:58:07 |
Dimitri John Ledkov |
bug task added |
|
libica (Ubuntu Xenial) |
|
2016-10-04 13:58:07 |
Dimitri John Ledkov |
bug task added |
|
openssl-ibmca (Ubuntu Xenial) |
|
2016-10-04 13:58:14 |
Dimitri John Ledkov |
openssl (Ubuntu Xenial): status |
New |
Invalid |
|
2016-10-04 13:58:21 |
Dimitri John Ledkov |
openssl-ibmca (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2016-10-04 13:58:28 |
Dimitri John Ledkov |
libica (Ubuntu Xenial): status |
New |
Invalid |
|
2016-10-04 13:58:32 |
Dimitri John Ledkov |
openssl-ibmca (Ubuntu Xenial): status |
New |
Confirmed |
|
2016-10-04 15:35:05 |
Dimitri John Ledkov |
openssl-ibmca (Ubuntu Xenial): status |
Confirmed |
In Progress |
|
2016-10-04 15:35:11 |
Dimitri John Ledkov |
openssl-ibmca (Ubuntu Yakkety): status |
Confirmed |
Fix Committed |
|
2016-10-04 15:35:19 |
Dimitri John Ledkov |
openssl-ibmca (Ubuntu Yakkety): importance |
Undecided |
Medium |
|
2016-11-14 14:05:53 |
Dimitri John Ledkov |
openssl-ibmca (Ubuntu Yakkety): status |
Fix Committed |
In Progress |
|
2016-11-14 14:05:58 |
Dimitri John Ledkov |
openssl-ibmca (Ubuntu Xenial): assignee |
|
Dimitri John Ledkov (xnox) |
|
2016-11-14 14:06:51 |
Dimitri John Ledkov |
description |
openssl-ibmca usually requires libica2 and libica-utils for proper functioning and all required tooling (like icainfo, icastats, etc.)
But after the installation of these packages and the configuration, with is like this:
sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
sudo vi /etc/ssl/openssl.cnf
adding the following line as the first active one:
openssl_conf = openssl_def
and removing or commenting all other occurrences of that line in the config file
and saving and closing the openssl.cnf file
this output of the openssl engine command is expected:
$ openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
or even more precise these chiphers should be listed in case of "-c":
$ openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512]
But instead openssl is giving this error, due to a missing "libica.so":
$ openssl engine
Error configuring OpenSSL
4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
4395950360208:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:191:section=ibmca_section, name=init, value=1
4395950360208:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:223:module=engines, value=engine_section, retcode=-1
$
There is no libica.so that is shipped with any of the above packages (verified with dpkg -l) or otherwise available in the filesystem:
$ sudo find / -name "libica.so" 2>/dev/null
ubuntu@HWE0001:~$
But there is a different verison of that libica:
$ sudo find / -name "*libica.so*" 2>/dev/null
/usr/lib/s390x-linux-gnu/libica.so.2
/usr/lib/s390x-linux-gnu/libica.so.2.6.1
$
So there are right now two workarounds:
1)
creating a (symbolic) link from libica.so.2 to libica.so, like
$ sudo ln -s /usr/lib/s390x-linux-gnu/libica.so.2 /usr/lib/s390x-linux-gnu/libica.so
that allows openssl to find a library named 'libica.so':
18:15:00: frank.heimes@canonical.com: ubuntu@HWE0001:~$ openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
But this could lead to issues in case of any potential functions or interface changes there we introduced with libica.so.2
2)
installation of the "libica-dev" package that provides a (development) version of libica.so:
$ dpkg -L libica-dev | grep libica.so
/usr/lib/s390x-linux-gnu/libica.so
$
But the hardware crypto exploitation should work out of the box w/o the link or the libica-dev package.
Either libica.so should be shipped (in addition to libica.so.2) with the proper dependency to openssl-ibmca - openssh-ibmca should make use of libica2 instead of libica.so.2... |
[Testcase]
* configure ibmca engine as per below instructions
* execute openssl engine -c -vvvv
* it should complete without any loading errors
openssl-ibmca usually requires libica2 and libica-utils for proper functioning and all required tooling (like icainfo, icastats, etc.)
But after the installation of these packages and the configuration, with is like this:
sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
sudo vi /etc/ssl/openssl.cnf
adding the following line as the first active one:
openssl_conf = openssl_def
and removing or commenting all other occurrences of that line in the config file
and saving and closing the openssl.cnf file
this output of the openssl engine command is expected:
$ openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
or even more precise these chiphers should be listed in case of "-c":
$ openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512]
But instead openssl is giving this error, due to a missing "libica.so":
$ openssl engine
Error configuring OpenSSL
4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
4395950360208:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:191:section=ibmca_section, name=init, value=1
4395950360208:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:223:module=engines, value=engine_section, retcode=-1
$
There is no libica.so that is shipped with any of the above packages (verified with dpkg -l) or otherwise available in the filesystem:
$ sudo find / -name "libica.so" 2>/dev/null
ubuntu@HWE0001:~$
But there is a different verison of that libica:
$ sudo find / -name "*libica.so*" 2>/dev/null
/usr/lib/s390x-linux-gnu/libica.so.2
/usr/lib/s390x-linux-gnu/libica.so.2.6.1
$
So there are right now two workarounds:
1)
creating a (symbolic) link from libica.so.2 to libica.so, like
$ sudo ln -s /usr/lib/s390x-linux-gnu/libica.so.2 /usr/lib/s390x-linux-gnu/libica.so
that allows openssl to find a library named 'libica.so':
18:15:00: frank.heimes@canonical.com: ubuntu@HWE0001:~$ openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
But this could lead to issues in case of any potential functions or interface changes there we introduced with libica.so.2
2)
installation of the "libica-dev" package that provides a (development) version of libica.so:
$ dpkg -L libica-dev | grep libica.so
/usr/lib/s390x-linux-gnu/libica.so
$
But the hardware crypto exploitation should work out of the box w/o the link or the libica-dev package.
Either libica.so should be shipped (in addition to libica.so.2) with the proper dependency to openssl-ibmca - openssh-ibmca should make use of libica2 instead of libica.so.2... |
|
2016-11-14 15:04:02 |
Launchpad Janitor |
openssl-ibmca (Ubuntu): status |
Fix Committed |
Fix Released |
|
2016-11-17 22:22:18 |
Dimitri John Ledkov |
description |
[Testcase]
* configure ibmca engine as per below instructions
* execute openssl engine -c -vvvv
* it should complete without any loading errors
openssl-ibmca usually requires libica2 and libica-utils for proper functioning and all required tooling (like icainfo, icastats, etc.)
But after the installation of these packages and the configuration, with is like this:
sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
sudo vi /etc/ssl/openssl.cnf
adding the following line as the first active one:
openssl_conf = openssl_def
and removing or commenting all other occurrences of that line in the config file
and saving and closing the openssl.cnf file
this output of the openssl engine command is expected:
$ openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
or even more precise these chiphers should be listed in case of "-c":
$ openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512]
But instead openssl is giving this error, due to a missing "libica.so":
$ openssl engine
Error configuring OpenSSL
4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
4395950360208:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:191:section=ibmca_section, name=init, value=1
4395950360208:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:223:module=engines, value=engine_section, retcode=-1
$
There is no libica.so that is shipped with any of the above packages (verified with dpkg -l) or otherwise available in the filesystem:
$ sudo find / -name "libica.so" 2>/dev/null
ubuntu@HWE0001:~$
But there is a different verison of that libica:
$ sudo find / -name "*libica.so*" 2>/dev/null
/usr/lib/s390x-linux-gnu/libica.so.2
/usr/lib/s390x-linux-gnu/libica.so.2.6.1
$
So there are right now two workarounds:
1)
creating a (symbolic) link from libica.so.2 to libica.so, like
$ sudo ln -s /usr/lib/s390x-linux-gnu/libica.so.2 /usr/lib/s390x-linux-gnu/libica.so
that allows openssl to find a library named 'libica.so':
18:15:00: frank.heimes@canonical.com: ubuntu@HWE0001:~$ openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
But this could lead to issues in case of any potential functions or interface changes there we introduced with libica.so.2
2)
installation of the "libica-dev" package that provides a (development) version of libica.so:
$ dpkg -L libica-dev | grep libica.so
/usr/lib/s390x-linux-gnu/libica.so
$
But the hardware crypto exploitation should work out of the box w/o the link or the libica-dev package.
Either libica.so should be shipped (in addition to libica.so.2) with the proper dependency to openssl-ibmca - openssh-ibmca should make use of libica2 instead of libica.so.2... |
[Testcase]
* configure ibmca engine as per below instructions
* execute openssl engine -c -vvvv
* it should complete without any loading errors
[Impact]
* Out of the box stock configuration results in non-usable engine which errors out
* Thus currently, without workarounds, the acceleration engine does not work. Meaning regression potential is low
Please note this is the first time we are integrating openssl-ibmca, and it is not enabled by default. Hopefully things will be better / more stable going forward.
openssl-ibmca usually requires libica2 and libica-utils for proper functioning and all required tooling (like icainfo, icastats, etc.)
But after the installation of these packages and the configuration, with is like this:
sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
sudo vi /etc/ssl/openssl.cnf
adding the following line as the first active one:
openssl_conf = openssl_def
and removing or commenting all other occurrences of that line in the config file
and saving and closing the openssl.cnf file
this output of the openssl engine command is expected:
$ openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
or even more precise these chiphers should be listed in case of "-c":
$ openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, AES-256-CFB, SHA1, SHA256, SHA512]
But instead openssl is giving this error, due to a missing "libica.so":
$ openssl engine
Error configuring OpenSSL
4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
4395950360208:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libica.so): libica.so: cannot open shared object file: No such file or directory
4395950360208:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
4395950360208:error:80066068:lib(128):IBMCA_INIT:dso failure:e_ibmca.c:1286:
4395950360208:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:191:section=ibmca_section, name=init, value=1
4395950360208:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:223:module=engines, value=engine_section, retcode=-1
$
There is no libica.so that is shipped with any of the above packages (verified with dpkg -l) or otherwise available in the filesystem:
$ sudo find / -name "libica.so" 2>/dev/null
ubuntu@HWE0001:~$
But there is a different verison of that libica:
$ sudo find / -name "*libica.so*" 2>/dev/null
/usr/lib/s390x-linux-gnu/libica.so.2
/usr/lib/s390x-linux-gnu/libica.so.2.6.1
$
So there are right now two workarounds:
1)
creating a (symbolic) link from libica.so.2 to libica.so, like
$ sudo ln -s /usr/lib/s390x-linux-gnu/libica.so.2 /usr/lib/s390x-linux-gnu/libica.so
that allows openssl to find a library named 'libica.so':
18:15:00: frank.heimes@canonical.com: ubuntu@HWE0001:~$ openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
But this could lead to issues in case of any potential functions or interface changes there we introduced with libica.so.2
2)
installation of the "libica-dev" package that provides a (development) version of libica.so:
$ dpkg -L libica-dev | grep libica.so
/usr/lib/s390x-linux-gnu/libica.so
$
But the hardware crypto exploitation should work out of the box w/o the link or the libica-dev package.
Either libica.so should be shipped (in addition to libica.so.2) with the proper dependency to openssl-ibmca - openssh-ibmca should make use of libica2 instead of libica.so.2... |
|
2016-11-17 22:32:58 |
Brian Murray |
openssl-ibmca (Ubuntu Yakkety): status |
In Progress |
Fix Committed |
|
2016-11-17 22:33:00 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2016-11-17 22:33:03 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2016-11-17 22:33:09 |
Brian Murray |
tags |
s390x |
s390x verification-needed |
|
2016-11-17 23:13:54 |
Brian Murray |
openssl-ibmca (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2016-12-06 09:45:57 |
Dimitri John Ledkov |
tags |
s390x verification-needed |
s390x verification-done |
|
2016-12-06 09:46:38 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
2016-12-06 09:51:30 |
Frank Heimes |
ubuntu-z-systems: status |
New |
Fix Committed |
|
2016-12-06 09:51:49 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
Medium |
|
2016-12-06 17:15:04 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Dimitri John Ledkov (xnox) |
|
2016-12-07 13:42:37 |
Launchpad Janitor |
openssl-ibmca (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2016-12-07 13:42:43 |
Chris J Arges |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2016-12-07 13:45:29 |
Launchpad Janitor |
openssl-ibmca (Ubuntu Yakkety): status |
Fix Committed |
Fix Released |
|
2016-12-07 14:03:13 |
Frank Heimes |
ubuntu-z-systems: status |
Fix Committed |
Fix Released |
|