2022-03-30 14:09:24 |
bugproxy |
bug |
|
|
added bug |
2022-03-30 14:09:26 |
bugproxy |
tags |
|
architecture-s39064 bugnameltc-197386 severity-critical targetmilestone-inin--- |
|
2022-03-30 14:09:27 |
bugproxy |
ubuntu: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2022-03-30 14:09:30 |
bugproxy |
affects |
ubuntu |
linux (Ubuntu) |
|
2022-03-30 14:30:34 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
2022-03-31 12:57:10 |
Frank Heimes |
attachment added |
|
debdiff_openssl-ibmca_from_2.2.2-0ubuntu1_to_2.2.3-0ubuntu1.diff https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575218/+files/debdiff_openssl-ibmca_from_2.2.2-0ubuntu1_to_2.2.3-0ubuntu1.diff |
|
2022-03-31 12:57:28 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2022-03-31 12:57:31 |
Frank Heimes |
linux (Ubuntu): importance |
Undecided |
High |
|
2022-03-31 12:57:37 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
High |
|
2022-03-31 12:57:45 |
Frank Heimes |
linux (Ubuntu): status |
New |
In Progress |
|
2022-03-31 12:57:49 |
Frank Heimes |
ubuntu-z-systems: status |
New |
In Progress |
|
2022-03-31 13:42:01 |
Frank Heimes |
attachment added |
|
install-log_and_virification.txt https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt |
|
2022-03-31 13:45:19 |
Frank Heimes |
summary |
[UBUNTU 22.04] ibmca engine with libica = libica.so.4 - sshd dumps core (openssl-ibmca) |
[FFe] [UBUNTU 22.04] ibmca engine with libica = libica.so.4 - sshd dumps core (openssl-ibmca) |
|
2022-03-31 13:52:19 |
Frank Heimes |
description |
---Problem Description---
Summary
=======
New IBM HW with Crypto Accelerator cards attached
Kernel level: 5.14
Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section.
The problem only occurs with OpenSSL 3.0 and is immediately reproducible.
Details
=======
HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read
DefaultLimitCORE=infinity:infinity
On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt.
# openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH]
Debug Data
==========
core dump file in the attachments.
Contact Information = christian.rund@de.ibm.com
---uname output---
Linux system 5.14.
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Edit /etc/systemd/system.conf file to allow core dumps:
Change the line DefaultLimitCORE=0:infinity
to read DefaultLimitCORE=infinity:infinity
2.) run: systemctl daemon-reload
systemctl restart systemd-coredump.socket
3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script
4.) Edit the /etc/pki/tls file near the end to contain the line
to back the ibmca engine by the libica.so.4 library as outlined in the
/usr/share/doc/openssl-ibmca/README.md file
5.) Run: openssl engine -c
6.) Keep the current session open for subsequently stepping back to the
original openssl.cnf!
7.) Open up a new ssh session to the system under test
and watch the login to fail with broken pipe
8.) On the remaining session, run
coreumpctl list / coredumpctl dump
Userspace tool common name: openssl-ibmca
Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x
The userspace tool has the following bit modes: 64bit
Userspace tool obtained from project website: na |
Please consider to accept the integration of this new openssl-ibmca-2.2.3-0ubuntu1 package for jammy under the 'Freeze Exception Process', because:
- a severe issue is fixed (sshd core dump while using hw crypto)
6563dd2 ("use correct libica for ibmca_mechaList_test")
- another segmentation fault is fixed by:
e91e179 ("PKEY: Fix usage of ECX keys")
- and since these are the only two fixes between 2.2.2 and 2.2.3:
93a12d3 (tag: v2.2.3) Update to version 2.2.3
6563dd2 use correct libica for ibmca_mechaList_test
e91e179 PKEY: Fix usage of ECX keys
fae4490 (tag: v2.2.2) Update to version 2.2.2
the version 2.2.3 is a bug-fix only release,
and could be acceptable for a FFe
(according to https://wiki.ubuntu.com/FreezeExceptionProcess)
- But to get the new version compiled (esp. with e91e179) a backport of
e59cce5 ("Fix compilation for OpenSSL 3.0")
was needed on top.
- The package now ships a sample config
(as well as the script to generate it,
in case one wants/needs to re-generate it).
Here is the diff of the upstream ChangeLog:
$ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog
--- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100
+++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200
@@ -1,3 +1,6 @@
+* openssl-ibmca 2.2.3
+- Fix PKEY segfault with OpenSSL 3.0
+
* openssl-ibmca 2.2.2
- Fix tests with OpenSSL 3.0
- Build against libica 4.0
There is no upstream NEWS file (or suchlike - the README.md is unchanged).
The buildlog:
https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz
The installlog:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt
The previous link also includes the testing and verification that I did,
hence I can confirm that the reported problem is solved.
On top a testsuite is executed when the package is build.
Local build:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 28
# SKIP: 6
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
PPA:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 26
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
(Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware.
(The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems).
_________________________
---Problem Description---
Summary
=======
New IBM HW with Crypto Accelerator cards attached
Kernel level: 5.14
Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section.
The problem only occurs with OpenSSL 3.0 and is immediately reproducible.
Details
=======
HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read
DefaultLimitCORE=infinity:infinity
On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt.
# openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH]
Debug Data
==========
core dump file in the attachments.
Contact Information = christian.rund@de.ibm.com
---uname output---
Linux system 5.14.
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Edit /etc/systemd/system.conf file to allow core dumps:
Change the line DefaultLimitCORE=0:infinity
to read DefaultLimitCORE=infinity:infinity
2.) run: systemctl daemon-reload
systemctl restart systemd-coredump.socket
3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script
4.) Edit the /etc/pki/tls file near the end to contain the line
to back the ibmca engine by the libica.so.4 library as outlined in the
/usr/share/doc/openssl-ibmca/README.md file
5.) Run: openssl engine -c
6.) Keep the current session open for subsequently stepping back to the
original openssl.cnf!
7.) Open up a new ssh session to the system under test
and watch the login to fail with broken pipe
8.) On the remaining session, run
coreumpctl list / coredumpctl dump
Userspace tool common name: openssl-ibmca
Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x
The userspace tool has the following bit modes: 64bit
Userspace tool obtained from project website: na |
|
2022-03-31 13:52:22 |
Frank Heimes |
linux (Ubuntu): status |
In Progress |
New |
|
2022-03-31 13:52:43 |
Frank Heimes |
bug |
|
|
added subscriber Ubuntu Release Team |
2022-03-31 13:53:42 |
Frank Heimes |
description |
Please consider to accept the integration of this new openssl-ibmca-2.2.3-0ubuntu1 package for jammy under the 'Freeze Exception Process', because:
- a severe issue is fixed (sshd core dump while using hw crypto)
6563dd2 ("use correct libica for ibmca_mechaList_test")
- another segmentation fault is fixed by:
e91e179 ("PKEY: Fix usage of ECX keys")
- and since these are the only two fixes between 2.2.2 and 2.2.3:
93a12d3 (tag: v2.2.3) Update to version 2.2.3
6563dd2 use correct libica for ibmca_mechaList_test
e91e179 PKEY: Fix usage of ECX keys
fae4490 (tag: v2.2.2) Update to version 2.2.2
the version 2.2.3 is a bug-fix only release,
and could be acceptable for a FFe
(according to https://wiki.ubuntu.com/FreezeExceptionProcess)
- But to get the new version compiled (esp. with e91e179) a backport of
e59cce5 ("Fix compilation for OpenSSL 3.0")
was needed on top.
- The package now ships a sample config
(as well as the script to generate it,
in case one wants/needs to re-generate it).
Here is the diff of the upstream ChangeLog:
$ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog
--- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100
+++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200
@@ -1,3 +1,6 @@
+* openssl-ibmca 2.2.3
+- Fix PKEY segfault with OpenSSL 3.0
+
* openssl-ibmca 2.2.2
- Fix tests with OpenSSL 3.0
- Build against libica 4.0
There is no upstream NEWS file (or suchlike - the README.md is unchanged).
The buildlog:
https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz
The installlog:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt
The previous link also includes the testing and verification that I did,
hence I can confirm that the reported problem is solved.
On top a testsuite is executed when the package is build.
Local build:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 28
# SKIP: 6
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
PPA:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 26
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
(Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware.
(The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems).
_________________________
---Problem Description---
Summary
=======
New IBM HW with Crypto Accelerator cards attached
Kernel level: 5.14
Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section.
The problem only occurs with OpenSSL 3.0 and is immediately reproducible.
Details
=======
HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read
DefaultLimitCORE=infinity:infinity
On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt.
# openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH]
Debug Data
==========
core dump file in the attachments.
Contact Information = christian.rund@de.ibm.com
---uname output---
Linux system 5.14.
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Edit /etc/systemd/system.conf file to allow core dumps:
Change the line DefaultLimitCORE=0:infinity
to read DefaultLimitCORE=infinity:infinity
2.) run: systemctl daemon-reload
systemctl restart systemd-coredump.socket
3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script
4.) Edit the /etc/pki/tls file near the end to contain the line
to back the ibmca engine by the libica.so.4 library as outlined in the
/usr/share/doc/openssl-ibmca/README.md file
5.) Run: openssl engine -c
6.) Keep the current session open for subsequently stepping back to the
original openssl.cnf!
7.) Open up a new ssh session to the system under test
and watch the login to fail with broken pipe
8.) On the remaining session, run
coreumpctl list / coredumpctl dump
Userspace tool common name: openssl-ibmca
Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x
The userspace tool has the following bit modes: 64bit
Userspace tool obtained from project website: na |
Please consider to accept the integration of this new openssl-ibmca-2.2.3-0ubuntu1 package for jammy under the 'Freeze Exception Process', because:
- a severe issue is fixed (sshd core dump while using hw crypto)
6563dd2 ("use correct libica for ibmca_mechaList_test")
- another segmentation fault is fixed by:
e91e179 ("PKEY: Fix usage of ECX keys")
- and since these are the only two fixes between 2.2.2 and 2.2.3:
93a12d3 (tag: v2.2.3) Update to version 2.2.3
6563dd2 use correct libica for ibmca_mechaList_test
e91e179 PKEY: Fix usage of ECX keys
fae4490 (tag: v2.2.2) Update to version 2.2.2
the version 2.2.3 is a bug-fix only release,
and could be acceptable for a FFe
(according to https://wiki.ubuntu.com/FreezeExceptionProcess)
- But to get the new version compiled (esp. with e91e179) a backport of
e59cce5 ("Fix compilation for OpenSSL 3.0")
was needed on top.
- The package now ships a sample config
(as well as the script to generate it,
in case one wants/needs to re-generate it).
Here is the diff of the upstream ChangeLog:
$ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog
--- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100
+++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200
@@ -1,3 +1,6 @@
+* openssl-ibmca 2.2.3
+- Fix PKEY segfault with OpenSSL 3.0
+
* openssl-ibmca 2.2.2
- Fix tests with OpenSSL 3.0
- Build against libica 4.0
There is no upstream NEWS file (or suchlike - the README.md is unchanged).
The buildlog:
https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz
The installlog:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt
The previous link also includes the testing and verification that I did,
hence I can confirm that the reported problem is solved.
On top a testsuite is executed when the package is build.
Local build:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 28
# SKIP: 6
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
PPA:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 26
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
(Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware.
(The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems).
The openssl-ibmca package is a universe package that is available for s390x only.
_________________________
---Problem Description---
Summary
=======
New IBM HW with Crypto Accelerator cards attached
Kernel level: 5.14
Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section.
The problem only occurs with OpenSSL 3.0 and is immediately reproducible.
Details
=======
HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read
DefaultLimitCORE=infinity:infinity
On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt.
# openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH]
Debug Data
==========
core dump file in the attachments.
Contact Information = christian.rund@de.ibm.com
---uname output---
Linux system 5.14.
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Edit /etc/systemd/system.conf file to allow core dumps:
Change the line DefaultLimitCORE=0:infinity
to read DefaultLimitCORE=infinity:infinity
2.) run: systemctl daemon-reload
systemctl restart systemd-coredump.socket
3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script
4.) Edit the /etc/pki/tls file near the end to contain the line
to back the ibmca engine by the libica.so.4 library as outlined in the
/usr/share/doc/openssl-ibmca/README.md file
5.) Run: openssl engine -c
6.) Keep the current session open for subsequently stepping back to the
original openssl.cnf!
7.) Open up a new ssh session to the system under test
and watch the login to fail with broken pipe
8.) On the remaining session, run
coreumpctl list / coredumpctl dump
Userspace tool common name: openssl-ibmca
Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x
The userspace tool has the following bit modes: 64bit
Userspace tool obtained from project website: na |
|
2022-03-31 13:56:45 |
Frank Heimes |
description |
Please consider to accept the integration of this new openssl-ibmca-2.2.3-0ubuntu1 package for jammy under the 'Freeze Exception Process', because:
- a severe issue is fixed (sshd core dump while using hw crypto)
6563dd2 ("use correct libica for ibmca_mechaList_test")
- another segmentation fault is fixed by:
e91e179 ("PKEY: Fix usage of ECX keys")
- and since these are the only two fixes between 2.2.2 and 2.2.3:
93a12d3 (tag: v2.2.3) Update to version 2.2.3
6563dd2 use correct libica for ibmca_mechaList_test
e91e179 PKEY: Fix usage of ECX keys
fae4490 (tag: v2.2.2) Update to version 2.2.2
the version 2.2.3 is a bug-fix only release,
and could be acceptable for a FFe
(according to https://wiki.ubuntu.com/FreezeExceptionProcess)
- But to get the new version compiled (esp. with e91e179) a backport of
e59cce5 ("Fix compilation for OpenSSL 3.0")
was needed on top.
- The package now ships a sample config
(as well as the script to generate it,
in case one wants/needs to re-generate it).
Here is the diff of the upstream ChangeLog:
$ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog
--- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100
+++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200
@@ -1,3 +1,6 @@
+* openssl-ibmca 2.2.3
+- Fix PKEY segfault with OpenSSL 3.0
+
* openssl-ibmca 2.2.2
- Fix tests with OpenSSL 3.0
- Build against libica 4.0
There is no upstream NEWS file (or suchlike - the README.md is unchanged).
The buildlog:
https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz
The installlog:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt
The previous link also includes the testing and verification that I did,
hence I can confirm that the reported problem is solved.
On top a testsuite is executed when the package is build.
Local build:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 28
# SKIP: 6
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
PPA:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 26
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
(Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware.
(The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems).
The openssl-ibmca package is a universe package that is available for s390x only.
_________________________
---Problem Description---
Summary
=======
New IBM HW with Crypto Accelerator cards attached
Kernel level: 5.14
Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section.
The problem only occurs with OpenSSL 3.0 and is immediately reproducible.
Details
=======
HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read
DefaultLimitCORE=infinity:infinity
On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt.
# openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH]
Debug Data
==========
core dump file in the attachments.
Contact Information = christian.rund@de.ibm.com
---uname output---
Linux system 5.14.
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Edit /etc/systemd/system.conf file to allow core dumps:
Change the line DefaultLimitCORE=0:infinity
to read DefaultLimitCORE=infinity:infinity
2.) run: systemctl daemon-reload
systemctl restart systemd-coredump.socket
3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script
4.) Edit the /etc/pki/tls file near the end to contain the line
to back the ibmca engine by the libica.so.4 library as outlined in the
/usr/share/doc/openssl-ibmca/README.md file
5.) Run: openssl engine -c
6.) Keep the current session open for subsequently stepping back to the
original openssl.cnf!
7.) Open up a new ssh session to the system under test
and watch the login to fail with broken pipe
8.) On the remaining session, run
coreumpctl list / coredumpctl dump
Userspace tool common name: openssl-ibmca
Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x
The userspace tool has the following bit modes: 64bit
Userspace tool obtained from project website: na |
Please consider to accept the integration of this new openssl-ibmca-2.2.3-0ubuntu1 package for jammy under the 'Freeze Exception Process', because:
- a severe issue is fixed (sshd core dump while using hw crypto)
6563dd2 ("use correct libica for ibmca_mechaList_test")
- another segmentation fault is fixed by:
e91e179 ("PKEY: Fix usage of ECX keys")
- and since these are the only two fixes between 2.2.2 and 2.2.3:
93a12d3 (tag: v2.2.3) Update to version 2.2.3
6563dd2 use correct libica for ibmca_mechaList_test
e91e179 PKEY: Fix usage of ECX keys
fae4490 (tag: v2.2.2) Update to version 2.2.2
the version 2.2.3 is a bug-fix only release,
and could be acceptable for a FFe
(according to https://wiki.ubuntu.com/FreezeExceptionProcess)
- But to get the new version compiled (esp. with e91e179) a backport of
e59cce5 ("Fix compilation for OpenSSL 3.0")
was needed on top.
- To me it wouldn't make sense to add the 3 commits above to v2.2.2,
since it would then be a package version that's a super-set
of upstream 2.2.3 anyway, hence asking for the FFe.
- The package now ships a sample config
(as well as the script to generate it,
in case one wants/needs to re-generate it).
Here is the diff of the upstream ChangeLog:
$ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog
--- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100
+++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200
@@ -1,3 +1,6 @@
+* openssl-ibmca 2.2.3
+- Fix PKEY segfault with OpenSSL 3.0
+
* openssl-ibmca 2.2.2
- Fix tests with OpenSSL 3.0
- Build against libica 4.0
There is no upstream NEWS file (or suchlike - the README.md is unchanged).
The buildlog:
https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz
The installlog:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt
The previous link also includes the testing and verification that I did,
hence I can confirm that the reported problem is solved.
On top a testsuite is executed when the package is build.
Local build:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 28
# SKIP: 6
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
PPA:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 26
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
(Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware.
(The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems).
The openssl-ibmca package is a universe package that is available for s390x only.
_________________________
---Problem Description---
Summary
=======
New IBM HW with Crypto Accelerator cards attached
Kernel level: 5.14
Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section.
The problem only occurs with OpenSSL 3.0 and is immediately reproducible.
Details
=======
HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read
DefaultLimitCORE=infinity:infinity
On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt.
# openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH]
Debug Data
==========
core dump file in the attachments.
Contact Information = christian.rund@de.ibm.com
---uname output---
Linux system 5.14.
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Edit /etc/systemd/system.conf file to allow core dumps:
Change the line DefaultLimitCORE=0:infinity
to read DefaultLimitCORE=infinity:infinity
2.) run: systemctl daemon-reload
systemctl restart systemd-coredump.socket
3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script
4.) Edit the /etc/pki/tls file near the end to contain the line
to back the ibmca engine by the libica.so.4 library as outlined in the
/usr/share/doc/openssl-ibmca/README.md file
5.) Run: openssl engine -c
6.) Keep the current session open for subsequently stepping back to the
original openssl.cnf!
7.) Open up a new ssh session to the system under test
and watch the login to fail with broken pipe
8.) On the remaining session, run
coreumpctl list / coredumpctl dump
Userspace tool common name: openssl-ibmca
Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x
The userspace tool has the following bit modes: 64bit
Userspace tool obtained from project website: na |
|
2022-03-31 14:21:55 |
Frank Heimes |
description |
Please consider to accept the integration of this new openssl-ibmca-2.2.3-0ubuntu1 package for jammy under the 'Freeze Exception Process', because:
- a severe issue is fixed (sshd core dump while using hw crypto)
6563dd2 ("use correct libica for ibmca_mechaList_test")
- another segmentation fault is fixed by:
e91e179 ("PKEY: Fix usage of ECX keys")
- and since these are the only two fixes between 2.2.2 and 2.2.3:
93a12d3 (tag: v2.2.3) Update to version 2.2.3
6563dd2 use correct libica for ibmca_mechaList_test
e91e179 PKEY: Fix usage of ECX keys
fae4490 (tag: v2.2.2) Update to version 2.2.2
the version 2.2.3 is a bug-fix only release,
and could be acceptable for a FFe
(according to https://wiki.ubuntu.com/FreezeExceptionProcess)
- But to get the new version compiled (esp. with e91e179) a backport of
e59cce5 ("Fix compilation for OpenSSL 3.0")
was needed on top.
- To me it wouldn't make sense to add the 3 commits above to v2.2.2,
since it would then be a package version that's a super-set
of upstream 2.2.3 anyway, hence asking for the FFe.
- The package now ships a sample config
(as well as the script to generate it,
in case one wants/needs to re-generate it).
Here is the diff of the upstream ChangeLog:
$ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog
--- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100
+++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200
@@ -1,3 +1,6 @@
+* openssl-ibmca 2.2.3
+- Fix PKEY segfault with OpenSSL 3.0
+
* openssl-ibmca 2.2.2
- Fix tests with OpenSSL 3.0
- Build against libica 4.0
There is no upstream NEWS file (or suchlike - the README.md is unchanged).
The buildlog:
https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz
The installlog:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt
The previous link also includes the testing and verification that I did,
hence I can confirm that the reported problem is solved.
On top a testsuite is executed when the package is build.
Local build:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 28
# SKIP: 6
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
PPA:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 26
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
(Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware.
(The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems).
The openssl-ibmca package is a universe package that is available for s390x only.
_________________________
---Problem Description---
Summary
=======
New IBM HW with Crypto Accelerator cards attached
Kernel level: 5.14
Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section.
The problem only occurs with OpenSSL 3.0 and is immediately reproducible.
Details
=======
HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read
DefaultLimitCORE=infinity:infinity
On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt.
# openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH]
Debug Data
==========
core dump file in the attachments.
Contact Information = christian.rund@de.ibm.com
---uname output---
Linux system 5.14.
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Edit /etc/systemd/system.conf file to allow core dumps:
Change the line DefaultLimitCORE=0:infinity
to read DefaultLimitCORE=infinity:infinity
2.) run: systemctl daemon-reload
systemctl restart systemd-coredump.socket
3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script
4.) Edit the /etc/pki/tls file near the end to contain the line
to back the ibmca engine by the libica.so.4 library as outlined in the
/usr/share/doc/openssl-ibmca/README.md file
5.) Run: openssl engine -c
6.) Keep the current session open for subsequently stepping back to the
original openssl.cnf!
7.) Open up a new ssh session to the system under test
and watch the login to fail with broken pipe
8.) On the remaining session, run
coreumpctl list / coredumpctl dump
Userspace tool common name: openssl-ibmca
Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x
The userspace tool has the following bit modes: 64bit
Userspace tool obtained from project website: na |
Dear Ubuntu Reelase Team, please consider the acceptance this feature freeze exception about a new openssl-ibmca-2.2.3-0ubuntu1 package for jammy, because:
Rationale for the exception:
----------------------------
- a severe issue is fixed (sshd core dump while using hw crypto)
6563dd2 ("use correct libica for ibmca_mechaList_test")
- another segmentation fault is fixed by:
e91e179 ("PKEY: Fix usage of ECX keys")
- and since these are the only two fixes between 2.2.2 and 2.2.3:
93a12d3 (tag: v2.2.3) Update to version 2.2.3
6563dd2 use correct libica for ibmca_mechaList_test
e91e179 PKEY: Fix usage of ECX keys
fae4490 (tag: v2.2.2) Update to version 2.2.2
the version 2.2.3 is a bug-fix only release,
and could be acceptable for a FFe
(according to https://wiki.ubuntu.com/FreezeExceptionProcess)
- But to get the new version compiled (esp. with e91e179) a backport of
e59cce5 ("Fix compilation for OpenSSL 3.0")
was needed on top.
- To me it wouldn't make sense to add the 3 commits above to v2.2.2,
since it would then be a package version that's a super-set
of upstream 2.2.3 anyway, hence asking for the FFe.
- The package now ships a sample config
(as well as the script to generate it,
in case one wants/needs to re-generate it).
upstream ChangeLog diff:
------------------------
$ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog
--- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100
+++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200
@@ -1,3 +1,6 @@
+* openssl-ibmca 2.2.3
+- Fix PKEY segfault with OpenSSL 3.0
+
* openssl-ibmca 2.2.2
- Fix tests with OpenSSL 3.0
- Build against libica 4.0
News:
-----
There is no upstream NEWS file (or suchlike - the README.md is unchanged).
build log:
----------
https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz
Install log:
------------
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt
Testing:
--------
The previous link also includes the testing and verification that I did,
hence I can confirm that the reported problem is solved.
On top a testsuite is executed when the package is build.
Local build:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 28
# SKIP: 6
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
PPA:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 26
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
(Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware.
(The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems).
description of proposed changes:
--------------------------------
"PKEY: Fix usage of ECX keys" - the usage of ECX keys was fixed by using proper missing set/get methods for opaque types.
New file src/openssl-compat.h introduced that holds the specific ossl_ecx* function.
All this only effects ED25519, ED448, X25519 and X448 using s390x hardware crypto.
"use correct libica for ibmca_mechaList_test" - the Makefile for ibmca_mechaList_test is now generated during the configure run, to make sure it links with the same libica variant as used by the ibmca.so module.
"Fix compilation for OpenSSL 3.0" - the API used in the above commit is not public (and introduces a line "include <crypto/evp.h>" that cannot be resolved all the time - only compile if the OpenSSL 3.0 source tree is present). Hence the defines to be used are now copied over, which makes the engine compile even without OpenSSL 3.0 source tree.
In addition a sample config that allows to be simply copied over is added to the package, as well as the script that generates it. That is done for convenience reasons and reduces the configuration time to just seconds.
The openssl-ibmca package is a universe package that is available for s390x only.
_________________________
---Problem Description---
Summary
=======
New IBM HW with Crypto Accelerator cards attached
Kernel level: 5.14
Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section.
The problem only occurs with OpenSSL 3.0 and is immediately reproducible.
Details
=======
HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read
DefaultLimitCORE=infinity:infinity
On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt.
# openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH]
Debug Data
==========
core dump file in the attachments.
Contact Information = christian.rund@de.ibm.com
---uname output---
Linux system 5.14.
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Edit /etc/systemd/system.conf file to allow core dumps:
Change the line DefaultLimitCORE=0:infinity
to read DefaultLimitCORE=infinity:infinity
2.) run: systemctl daemon-reload
systemctl restart systemd-coredump.socket
3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script
4.) Edit the /etc/pki/tls file near the end to contain the line
to back the ibmca engine by the libica.so.4 library as outlined in the
/usr/share/doc/openssl-ibmca/README.md file
5.) Run: openssl engine -c
6.) Keep the current session open for subsequently stepping back to the
original openssl.cnf!
7.) Open up a new ssh session to the system under test
and watch the login to fail with broken pipe
8.) On the remaining session, run
coreumpctl list / coredumpctl dump
Userspace tool common name: openssl-ibmca
Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x
The userspace tool has the following bit modes: 64bit
Userspace tool obtained from project website: na |
|
2022-03-31 14:25:22 |
Dimitri John Ledkov |
affects |
linux (Ubuntu) |
openssl-ibmca (Ubuntu) |
|
2022-03-31 14:35:24 |
Frank Heimes |
attachment added |
|
package upgrade test https://bugs.launchpad.net/ubuntu-z-systems/+bug/1967141/+attachment/5575247/+files/package_upgrade_test.txt |
|
2022-03-31 14:36:02 |
Frank Heimes |
description |
Dear Ubuntu Reelase Team, please consider the acceptance this feature freeze exception about a new openssl-ibmca-2.2.3-0ubuntu1 package for jammy, because:
Rationale for the exception:
----------------------------
- a severe issue is fixed (sshd core dump while using hw crypto)
6563dd2 ("use correct libica for ibmca_mechaList_test")
- another segmentation fault is fixed by:
e91e179 ("PKEY: Fix usage of ECX keys")
- and since these are the only two fixes between 2.2.2 and 2.2.3:
93a12d3 (tag: v2.2.3) Update to version 2.2.3
6563dd2 use correct libica for ibmca_mechaList_test
e91e179 PKEY: Fix usage of ECX keys
fae4490 (tag: v2.2.2) Update to version 2.2.2
the version 2.2.3 is a bug-fix only release,
and could be acceptable for a FFe
(according to https://wiki.ubuntu.com/FreezeExceptionProcess)
- But to get the new version compiled (esp. with e91e179) a backport of
e59cce5 ("Fix compilation for OpenSSL 3.0")
was needed on top.
- To me it wouldn't make sense to add the 3 commits above to v2.2.2,
since it would then be a package version that's a super-set
of upstream 2.2.3 anyway, hence asking for the FFe.
- The package now ships a sample config
(as well as the script to generate it,
in case one wants/needs to re-generate it).
upstream ChangeLog diff:
------------------------
$ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog
--- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100
+++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200
@@ -1,3 +1,6 @@
+* openssl-ibmca 2.2.3
+- Fix PKEY segfault with OpenSSL 3.0
+
* openssl-ibmca 2.2.2
- Fix tests with OpenSSL 3.0
- Build against libica 4.0
News:
-----
There is no upstream NEWS file (or suchlike - the README.md is unchanged).
build log:
----------
https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz
Install log:
------------
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt
Testing:
--------
The previous link also includes the testing and verification that I did,
hence I can confirm that the reported problem is solved.
On top a testsuite is executed when the package is build.
Local build:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 28
# SKIP: 6
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
PPA:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 26
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
(Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware.
(The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems).
description of proposed changes:
--------------------------------
"PKEY: Fix usage of ECX keys" - the usage of ECX keys was fixed by using proper missing set/get methods for opaque types.
New file src/openssl-compat.h introduced that holds the specific ossl_ecx* function.
All this only effects ED25519, ED448, X25519 and X448 using s390x hardware crypto.
"use correct libica for ibmca_mechaList_test" - the Makefile for ibmca_mechaList_test is now generated during the configure run, to make sure it links with the same libica variant as used by the ibmca.so module.
"Fix compilation for OpenSSL 3.0" - the API used in the above commit is not public (and introduces a line "include <crypto/evp.h>" that cannot be resolved all the time - only compile if the OpenSSL 3.0 source tree is present). Hence the defines to be used are now copied over, which makes the engine compile even without OpenSSL 3.0 source tree.
In addition a sample config that allows to be simply copied over is added to the package, as well as the script that generates it. That is done for convenience reasons and reduces the configuration time to just seconds.
The openssl-ibmca package is a universe package that is available for s390x only.
_________________________
---Problem Description---
Summary
=======
New IBM HW with Crypto Accelerator cards attached
Kernel level: 5.14
Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section.
The problem only occurs with OpenSSL 3.0 and is immediately reproducible.
Details
=======
HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read
DefaultLimitCORE=infinity:infinity
On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt.
# openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH]
Debug Data
==========
core dump file in the attachments.
Contact Information = christian.rund@de.ibm.com
---uname output---
Linux system 5.14.
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Edit /etc/systemd/system.conf file to allow core dumps:
Change the line DefaultLimitCORE=0:infinity
to read DefaultLimitCORE=infinity:infinity
2.) run: systemctl daemon-reload
systemctl restart systemd-coredump.socket
3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script
4.) Edit the /etc/pki/tls file near the end to contain the line
to back the ibmca engine by the libica.so.4 library as outlined in the
/usr/share/doc/openssl-ibmca/README.md file
5.) Run: openssl engine -c
6.) Keep the current session open for subsequently stepping back to the
original openssl.cnf!
7.) Open up a new ssh session to the system under test
and watch the login to fail with broken pipe
8.) On the remaining session, run
coreumpctl list / coredumpctl dump
Userspace tool common name: openssl-ibmca
Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x
The userspace tool has the following bit modes: 64bit
Userspace tool obtained from project website: na |
Dear Ubuntu Reelase Team, please consider the acceptance this feature freeze exception about a new openssl-ibmca-2.2.3-0ubuntu1 package for jammy, because:
Rationale for the exception:
----------------------------
- a severe issue is fixed (sshd core dump while using hw crypto)
6563dd2 ("use correct libica for ibmca_mechaList_test")
- another segmentation fault is fixed by:
e91e179 ("PKEY: Fix usage of ECX keys")
- and since these are the only two fixes between 2.2.2 and 2.2.3:
93a12d3 (tag: v2.2.3) Update to version 2.2.3
6563dd2 use correct libica for ibmca_mechaList_test
e91e179 PKEY: Fix usage of ECX keys
fae4490 (tag: v2.2.2) Update to version 2.2.2
the version 2.2.3 is a bug-fix only release,
and could be acceptable for a FFe
(according to https://wiki.ubuntu.com/FreezeExceptionProcess)
- But to get the new version compiled (esp. with e91e179) a backport of
e59cce5 ("Fix compilation for OpenSSL 3.0")
was needed on top.
- To me it wouldn't make sense to add the 3 commits above to v2.2.2,
since it would then be a package version that's a super-set
of upstream 2.2.3 anyway, hence asking for the FFe.
- The package now ships a sample config
(as well as the script to generate it,
in case one wants/needs to re-generate it).
upstream ChangeLog diff:
------------------------
$ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog
--- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100
+++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200
@@ -1,3 +1,6 @@
+* openssl-ibmca 2.2.3
+- Fix PKEY segfault with OpenSSL 3.0
+
* openssl-ibmca 2.2.2
- Fix tests with OpenSSL 3.0
- Build against libica 4.0
News:
-----
There is no upstream NEWS file (or suchlike - the README.md is unchanged).
build log:
----------
https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz
Install log:
------------
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt
Package upgrade log:
--------------------
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1967141/+attachment/5575247/+files/package_upgrade_test.txt
Testing:
--------
The previous link also includes the testing and verification that I did,
hence I can confirm that the reported problem is solved.
On top a testsuite is executed when the package is build.
Local build:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 28
# SKIP: 6
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
PPA:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 26
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
(Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware.
(The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems).
description of proposed changes:
--------------------------------
"PKEY: Fix usage of ECX keys" - the usage of ECX keys was fixed by using proper missing set/get methods for opaque types.
New file src/openssl-compat.h introduced that holds the specific ossl_ecx* function.
All this only effects ED25519, ED448, X25519 and X448 using s390x hardware crypto.
"use correct libica for ibmca_mechaList_test" - the Makefile for ibmca_mechaList_test is now generated during the configure run, to make sure it links with the same libica variant as used by the ibmca.so module.
"Fix compilation for OpenSSL 3.0" - the API used in the above commit is not public (and introduces a line "include <crypto/evp.h>" that cannot be resolved all the time - only compile if the OpenSSL 3.0 source tree is present). Hence the defines to be used are now copied over, which makes the engine compile even without OpenSSL 3.0 source tree.
In addition a sample config that allows to be simply copied over is added to the package, as well as the script that generates it. That is done for convenience reasons and reduces the configuration time to just seconds.
The openssl-ibmca package is a universe package that is available for s390x only.
_________________________
---Problem Description---
Summary
=======
New IBM HW with Crypto Accelerator cards attached
Kernel level: 5.14
Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section.
The problem only occurs with OpenSSL 3.0 and is immediately reproducible.
Details
=======
HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read
DefaultLimitCORE=infinity:infinity
On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt.
# openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH]
Debug Data
==========
core dump file in the attachments.
Contact Information = christian.rund@de.ibm.com
---uname output---
Linux system 5.14.
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Edit /etc/systemd/system.conf file to allow core dumps:
Change the line DefaultLimitCORE=0:infinity
to read DefaultLimitCORE=infinity:infinity
2.) run: systemctl daemon-reload
systemctl restart systemd-coredump.socket
3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script
4.) Edit the /etc/pki/tls file near the end to contain the line
to back the ibmca engine by the libica.so.4 library as outlined in the
/usr/share/doc/openssl-ibmca/README.md file
5.) Run: openssl engine -c
6.) Keep the current session open for subsequently stepping back to the
original openssl.cnf!
7.) Open up a new ssh session to the system under test
and watch the login to fail with broken pipe
8.) On the remaining session, run
coreumpctl list / coredumpctl dump
Userspace tool common name: openssl-ibmca
Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x
The userspace tool has the following bit modes: 64bit
Userspace tool obtained from project website: na |
|
2022-03-31 14:38:56 |
Frank Heimes |
description |
Dear Ubuntu Reelase Team, please consider the acceptance this feature freeze exception about a new openssl-ibmca-2.2.3-0ubuntu1 package for jammy, because:
Rationale for the exception:
----------------------------
- a severe issue is fixed (sshd core dump while using hw crypto)
6563dd2 ("use correct libica for ibmca_mechaList_test")
- another segmentation fault is fixed by:
e91e179 ("PKEY: Fix usage of ECX keys")
- and since these are the only two fixes between 2.2.2 and 2.2.3:
93a12d3 (tag: v2.2.3) Update to version 2.2.3
6563dd2 use correct libica for ibmca_mechaList_test
e91e179 PKEY: Fix usage of ECX keys
fae4490 (tag: v2.2.2) Update to version 2.2.2
the version 2.2.3 is a bug-fix only release,
and could be acceptable for a FFe
(according to https://wiki.ubuntu.com/FreezeExceptionProcess)
- But to get the new version compiled (esp. with e91e179) a backport of
e59cce5 ("Fix compilation for OpenSSL 3.0")
was needed on top.
- To me it wouldn't make sense to add the 3 commits above to v2.2.2,
since it would then be a package version that's a super-set
of upstream 2.2.3 anyway, hence asking for the FFe.
- The package now ships a sample config
(as well as the script to generate it,
in case one wants/needs to re-generate it).
upstream ChangeLog diff:
------------------------
$ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog
--- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100
+++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200
@@ -1,3 +1,6 @@
+* openssl-ibmca 2.2.3
+- Fix PKEY segfault with OpenSSL 3.0
+
* openssl-ibmca 2.2.2
- Fix tests with OpenSSL 3.0
- Build against libica 4.0
News:
-----
There is no upstream NEWS file (or suchlike - the README.md is unchanged).
build log:
----------
https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz
Install log:
------------
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt
Package upgrade log:
--------------------
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1967141/+attachment/5575247/+files/package_upgrade_test.txt
Testing:
--------
The previous link also includes the testing and verification that I did,
hence I can confirm that the reported problem is solved.
On top a testsuite is executed when the package is build.
Local build:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 28
# SKIP: 6
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
PPA:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 26
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
(Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware.
(The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems).
description of proposed changes:
--------------------------------
"PKEY: Fix usage of ECX keys" - the usage of ECX keys was fixed by using proper missing set/get methods for opaque types.
New file src/openssl-compat.h introduced that holds the specific ossl_ecx* function.
All this only effects ED25519, ED448, X25519 and X448 using s390x hardware crypto.
"use correct libica for ibmca_mechaList_test" - the Makefile for ibmca_mechaList_test is now generated during the configure run, to make sure it links with the same libica variant as used by the ibmca.so module.
"Fix compilation for OpenSSL 3.0" - the API used in the above commit is not public (and introduces a line "include <crypto/evp.h>" that cannot be resolved all the time - only compile if the OpenSSL 3.0 source tree is present). Hence the defines to be used are now copied over, which makes the engine compile even without OpenSSL 3.0 source tree.
In addition a sample config that allows to be simply copied over is added to the package, as well as the script that generates it. That is done for convenience reasons and reduces the configuration time to just seconds.
The openssl-ibmca package is a universe package that is available for s390x only.
_________________________
---Problem Description---
Summary
=======
New IBM HW with Crypto Accelerator cards attached
Kernel level: 5.14
Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section.
The problem only occurs with OpenSSL 3.0 and is immediately reproducible.
Details
=======
HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read
DefaultLimitCORE=infinity:infinity
On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt.
# openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH]
Debug Data
==========
core dump file in the attachments.
Contact Information = christian.rund@de.ibm.com
---uname output---
Linux system 5.14.
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Edit /etc/systemd/system.conf file to allow core dumps:
Change the line DefaultLimitCORE=0:infinity
to read DefaultLimitCORE=infinity:infinity
2.) run: systemctl daemon-reload
systemctl restart systemd-coredump.socket
3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script
4.) Edit the /etc/pki/tls file near the end to contain the line
to back the ibmca engine by the libica.so.4 library as outlined in the
/usr/share/doc/openssl-ibmca/README.md file
5.) Run: openssl engine -c
6.) Keep the current session open for subsequently stepping back to the
original openssl.cnf!
7.) Open up a new ssh session to the system under test
and watch the login to fail with broken pipe
8.) On the remaining session, run
coreumpctl list / coredumpctl dump
Userspace tool common name: openssl-ibmca
Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x
The userspace tool has the following bit modes: 64bit
Userspace tool obtained from project website: na |
Dear Ubuntu Reelase Team, please consider the acceptance this feature freeze exception about a new openssl-ibmca-2.2.3-0ubuntu1 package for jammy, because:
Rationale for the exception:
----------------------------
- a severe issue is fixed (sshd core dump while using hw crypto)
6563dd2 ("use correct libica for ibmca_mechaList_test")
- another segmentation fault is fixed by:
e91e179 ("PKEY: Fix usage of ECX keys")
- and since these are the only two fixes between 2.2.2 and 2.2.3:
93a12d3 (tag: v2.2.3) Update to version 2.2.3
6563dd2 use correct libica for ibmca_mechaList_test
e91e179 PKEY: Fix usage of ECX keys
fae4490 (tag: v2.2.2) Update to version 2.2.2
the version 2.2.3 is a bug-fix only release,
and could be acceptable for a FFe
(according to https://wiki.ubuntu.com/FreezeExceptionProcess)
- But to get the new version compiled (esp. with e91e179) a backport of
e59cce5 ("Fix compilation for OpenSSL 3.0")
was needed on top.
- To me it wouldn't make sense to add the 3 commits above to v2.2.2,
since it would then be a package version that's a super-set
of upstream 2.2.3 anyway, hence asking for the FFe.
- The package now ships a sample config
(as well as the script to generate it,
in case one wants/needs to re-generate it).
upstream ChangeLog diff:
------------------------
$ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog
--- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100
+++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200
@@ -1,3 +1,6 @@
+* openssl-ibmca 2.2.3
+- Fix PKEY segfault with OpenSSL 3.0
+
* openssl-ibmca 2.2.2
- Fix tests with OpenSSL 3.0
- Build against libica 4.0
News:
-----
There is no upstream NEWS file (or suchlike - the README.md is unchanged).
build log:
----------
https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz
Install log:
------------
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt
Package upgrade log:
--------------------
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1967141/+attachment/5575247/+files/package_upgrade_test.txt
Testing:
--------
The previous link also includes the testing and verification that I did,
hence I can confirm that the reported problem is solved.
On top a testsuite is executed when the package is build.
Local build:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 28
# SKIP: 6
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
PPA:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 26
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
(Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware.
(The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems).
description of proposed changes:
--------------------------------
"PKEY: Fix usage of ECX keys" - the usage of ECX keys was fixed by using proper missing set/get methods for opaque types.
New file src/openssl-compat.h introduced that holds the specific ossl_ecx* function.
All this only effects ED25519, ED448, X25519 and X448 using s390x hardware crypto.
"use correct libica for ibmca_mechaList_test" - the Makefile for ibmca_mechaList_test is now generated during the configure run, to make sure it links with the same libica variant as used by the ibmca.so module.
"Fix compilation for OpenSSL 3.0" - the API used in the above commit is not public (and introduces a line "include <crypto/evp.h>" that cannot be resolved all the time - only compile if the OpenSSL 3.0 source tree is present). Hence the defines to be used are now copied over, which makes the engine compile even without OpenSSL 3.0 source tree.
In addition a sample config that allows to be simply copied over is added to the package, as well as the script that generates it. That is done for convenience reasons and reduces the configuration time to just seconds.
The openssl-ibmca package is a universe package that is available for s390x only.
Dependencies:
-------------
openssl-ibmca has no reverse dependencies:
$ apt-cache depends openssl-ibmca
openssl-ibmca
Depends: libica4
Depends: libc6
Depends: libssl3
$ apt-cache rdepends openssl-ibmca
openssl-ibmca
Reverse Depends:
_________________________
---Problem Description---
Summary
=======
New IBM HW with Crypto Accelerator cards attached
Kernel level: 5.14
Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section.
The problem only occurs with OpenSSL 3.0 and is immediately reproducible.
Details
=======
HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read
DefaultLimitCORE=infinity:infinity
On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt.
# openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH]
Debug Data
==========
core dump file in the attachments.
Contact Information = christian.rund@de.ibm.com
---uname output---
Linux system 5.14.
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Edit /etc/systemd/system.conf file to allow core dumps:
Change the line DefaultLimitCORE=0:infinity
to read DefaultLimitCORE=infinity:infinity
2.) run: systemctl daemon-reload
systemctl restart systemd-coredump.socket
3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script
4.) Edit the /etc/pki/tls file near the end to contain the line
to back the ibmca engine by the libica.so.4 library as outlined in the
/usr/share/doc/openssl-ibmca/README.md file
5.) Run: openssl engine -c
6.) Keep the current session open for subsequently stepping back to the
original openssl.cnf!
7.) Open up a new ssh session to the system under test
and watch the login to fail with broken pipe
8.) On the remaining session, run
coreumpctl list / coredumpctl dump
Userspace tool common name: openssl-ibmca
Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x
The userspace tool has the following bit modes: 64bit
Userspace tool obtained from project website: na |
|
2022-03-31 14:42:44 |
Frank Heimes |
ubuntu-z-systems: importance |
High |
Critical |
|
2022-03-31 15:01:54 |
Frank Heimes |
description |
Dear Ubuntu Reelase Team, please consider the acceptance this feature freeze exception about a new openssl-ibmca-2.2.3-0ubuntu1 package for jammy, because:
Rationale for the exception:
----------------------------
- a severe issue is fixed (sshd core dump while using hw crypto)
6563dd2 ("use correct libica for ibmca_mechaList_test")
- another segmentation fault is fixed by:
e91e179 ("PKEY: Fix usage of ECX keys")
- and since these are the only two fixes between 2.2.2 and 2.2.3:
93a12d3 (tag: v2.2.3) Update to version 2.2.3
6563dd2 use correct libica for ibmca_mechaList_test
e91e179 PKEY: Fix usage of ECX keys
fae4490 (tag: v2.2.2) Update to version 2.2.2
the version 2.2.3 is a bug-fix only release,
and could be acceptable for a FFe
(according to https://wiki.ubuntu.com/FreezeExceptionProcess)
- But to get the new version compiled (esp. with e91e179) a backport of
e59cce5 ("Fix compilation for OpenSSL 3.0")
was needed on top.
- To me it wouldn't make sense to add the 3 commits above to v2.2.2,
since it would then be a package version that's a super-set
of upstream 2.2.3 anyway, hence asking for the FFe.
- The package now ships a sample config
(as well as the script to generate it,
in case one wants/needs to re-generate it).
upstream ChangeLog diff:
------------------------
$ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog
--- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100
+++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200
@@ -1,3 +1,6 @@
+* openssl-ibmca 2.2.3
+- Fix PKEY segfault with OpenSSL 3.0
+
* openssl-ibmca 2.2.2
- Fix tests with OpenSSL 3.0
- Build against libica 4.0
News:
-----
There is no upstream NEWS file (or suchlike - the README.md is unchanged).
build log:
----------
https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz
Install log:
------------
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt
Package upgrade log:
--------------------
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1967141/+attachment/5575247/+files/package_upgrade_test.txt
Testing:
--------
The previous link also includes the testing and verification that I did,
hence I can confirm that the reported problem is solved.
On top a testsuite is executed when the package is build.
Local build:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 28
# SKIP: 6
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
PPA:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 26
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
(Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware.
(The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems).
description of proposed changes:
--------------------------------
"PKEY: Fix usage of ECX keys" - the usage of ECX keys was fixed by using proper missing set/get methods for opaque types.
New file src/openssl-compat.h introduced that holds the specific ossl_ecx* function.
All this only effects ED25519, ED448, X25519 and X448 using s390x hardware crypto.
"use correct libica for ibmca_mechaList_test" - the Makefile for ibmca_mechaList_test is now generated during the configure run, to make sure it links with the same libica variant as used by the ibmca.so module.
"Fix compilation for OpenSSL 3.0" - the API used in the above commit is not public (and introduces a line "include <crypto/evp.h>" that cannot be resolved all the time - only compile if the OpenSSL 3.0 source tree is present). Hence the defines to be used are now copied over, which makes the engine compile even without OpenSSL 3.0 source tree.
In addition a sample config that allows to be simply copied over is added to the package, as well as the script that generates it. That is done for convenience reasons and reduces the configuration time to just seconds.
The openssl-ibmca package is a universe package that is available for s390x only.
Dependencies:
-------------
openssl-ibmca has no reverse dependencies:
$ apt-cache depends openssl-ibmca
openssl-ibmca
Depends: libica4
Depends: libc6
Depends: libssl3
$ apt-cache rdepends openssl-ibmca
openssl-ibmca
Reverse Depends:
_________________________
---Problem Description---
Summary
=======
New IBM HW with Crypto Accelerator cards attached
Kernel level: 5.14
Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section.
The problem only occurs with OpenSSL 3.0 and is immediately reproducible.
Details
=======
HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read
DefaultLimitCORE=infinity:infinity
On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt.
# openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH]
Debug Data
==========
core dump file in the attachments.
Contact Information = christian.rund@de.ibm.com
---uname output---
Linux system 5.14.
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Edit /etc/systemd/system.conf file to allow core dumps:
Change the line DefaultLimitCORE=0:infinity
to read DefaultLimitCORE=infinity:infinity
2.) run: systemctl daemon-reload
systemctl restart systemd-coredump.socket
3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script
4.) Edit the /etc/pki/tls file near the end to contain the line
to back the ibmca engine by the libica.so.4 library as outlined in the
/usr/share/doc/openssl-ibmca/README.md file
5.) Run: openssl engine -c
6.) Keep the current session open for subsequently stepping back to the
original openssl.cnf!
7.) Open up a new ssh session to the system under test
and watch the login to fail with broken pipe
8.) On the remaining session, run
coreumpctl list / coredumpctl dump
Userspace tool common name: openssl-ibmca
Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x
The userspace tool has the following bit modes: 64bit
Userspace tool obtained from project website: na |
Dear Ubuntu Reelase Team, please consider the acceptance this feature freeze exception about a new openssl-ibmca-2.2.3-0ubuntu1 package for jammy, because:
Rationale for the exception:
----------------------------
- a severe issue is fixed (sshd core dump while using hw crypto)
e91e179 ("PKEY: Fix usage of ECX keys")
- another potential segmentation fault is fixed by:
6563dd2 ("use correct libica for ibmca_mechaList_test")
- and since these are the only two fixes between 2.2.2 and 2.2.3:
93a12d3 (tag: v2.2.3) Update to version 2.2.3
6563dd2 use correct libica for ibmca_mechaList_test
e91e179 PKEY: Fix usage of ECX keys
fae4490 (tag: v2.2.2) Update to version 2.2.2
the version 2.2.3 is a bug-fix only release,
and could be acceptable for a FFe
(according to https://wiki.ubuntu.com/FreezeExceptionProcess)
- but to get the new version build (esp. with e91e179) a backport of
e59cce5 ("Fix compilation for OpenSSL 3.0")
was needed on top.
- To me it wouldn't make sense to add the 3 commits above to v2.2.2,
since it would end up in a package version that's a super-set
of upstream 2.2.3 anyway )but named 2.2.2-0ubuntu1,
hence asking for the FFe.
- The package now also ships a sample config
(as well as the script to generate it,
in case one wants/needs to re-generate it).
upstream ChangeLog diff:
------------------------
$ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog
--- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100
+++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200
@@ -1,3 +1,6 @@
+* openssl-ibmca 2.2.3
+- Fix PKEY segfault with OpenSSL 3.0
+
* openssl-ibmca 2.2.2
- Fix tests with OpenSSL 3.0
- Build against libica 4.0
News:
-----
There is no upstream NEWS file (or suchlike - the README.md is unchanged).
build log:
----------
https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz
Install log:
------------
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt
Package upgrade log:
--------------------
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1967141/+attachment/5575247/+files/package_upgrade_test.txt
Testing:
--------
The previous link also includes the testing and verification that I did,
hence I can confirm that the reported problem is solved.
On top a testsuite is executed when the package is build.
Local build:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 28
# SKIP: 6
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
PPA:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 26
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
(Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware.
(The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems).
description of proposed changes:
--------------------------------
"PKEY: Fix usage of ECX keys" - the usage of ECX keys was fixed by using proper missing set/get methods for opaque types.
New file src/openssl-compat.h introduced that holds the specific ossl_ecx* function.
All this only effects ED25519, ED448, X25519 and X448 using s390x hardware crypto.
"use correct libica for ibmca_mechaList_test" - the Makefile for ibmca_mechaList_test is now generated during the configure run, to make sure it links with the same libica variant as used by the ibmca.so module.
"Fix compilation for OpenSSL 3.0" - the API used in the above commit is not public (and introduces a line "include <crypto/evp.h>" that cannot be resolved all the time - only compile if the OpenSSL 3.0 source tree is present). Hence the defines to be used are now copied over, which makes the engine compile even without OpenSSL 3.0 source tree.
In addition a sample config that allows to be simply copied over is added to the package, as well as the script that generates it. That is done for convenience reasons and reduces the configuration time to just seconds.
The openssl-ibmca package is a universe package that is available for s390x only.
Dependencies:
-------------
openssl-ibmca has no reverse dependencies:
$ apt-cache depends openssl-ibmca
openssl-ibmca
Depends: libica4
Depends: libc6
Depends: libssl3
$ apt-cache rdepends openssl-ibmca
openssl-ibmca
Reverse Depends:
_________________________
---Problem Description---
Summary
=======
New IBM HW with Crypto Accelerator cards attached
Kernel level: 5.14
Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section.
The problem only occurs with OpenSSL 3.0 and is immediately reproducible.
Details
=======
HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read
DefaultLimitCORE=infinity:infinity
On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt.
# openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH]
Debug Data
==========
core dump file in the attachments.
Contact Information = christian.rund@de.ibm.com
---uname output---
Linux system 5.14.
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Edit /etc/systemd/system.conf file to allow core dumps:
Change the line DefaultLimitCORE=0:infinity
to read DefaultLimitCORE=infinity:infinity
2.) run: systemctl daemon-reload
systemctl restart systemd-coredump.socket
3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script
4.) Edit the /etc/pki/tls file near the end to contain the line
to back the ibmca engine by the libica.so.4 library as outlined in the
/usr/share/doc/openssl-ibmca/README.md file
5.) Run: openssl engine -c
6.) Keep the current session open for subsequently stepping back to the
original openssl.cnf!
7.) Open up a new ssh session to the system under test
and watch the login to fail with broken pipe
8.) On the remaining session, run
coreumpctl list / coredumpctl dump
Userspace tool common name: openssl-ibmca
Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x
The userspace tool has the following bit modes: 64bit
Userspace tool obtained from project website: na |
|
2022-03-31 15:10:21 |
Frank Heimes |
description |
Dear Ubuntu Reelase Team, please consider the acceptance this feature freeze exception about a new openssl-ibmca-2.2.3-0ubuntu1 package for jammy, because:
Rationale for the exception:
----------------------------
- a severe issue is fixed (sshd core dump while using hw crypto)
e91e179 ("PKEY: Fix usage of ECX keys")
- another potential segmentation fault is fixed by:
6563dd2 ("use correct libica for ibmca_mechaList_test")
- and since these are the only two fixes between 2.2.2 and 2.2.3:
93a12d3 (tag: v2.2.3) Update to version 2.2.3
6563dd2 use correct libica for ibmca_mechaList_test
e91e179 PKEY: Fix usage of ECX keys
fae4490 (tag: v2.2.2) Update to version 2.2.2
the version 2.2.3 is a bug-fix only release,
and could be acceptable for a FFe
(according to https://wiki.ubuntu.com/FreezeExceptionProcess)
- but to get the new version build (esp. with e91e179) a backport of
e59cce5 ("Fix compilation for OpenSSL 3.0")
was needed on top.
- To me it wouldn't make sense to add the 3 commits above to v2.2.2,
since it would end up in a package version that's a super-set
of upstream 2.2.3 anyway )but named 2.2.2-0ubuntu1,
hence asking for the FFe.
- The package now also ships a sample config
(as well as the script to generate it,
in case one wants/needs to re-generate it).
upstream ChangeLog diff:
------------------------
$ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog
--- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100
+++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200
@@ -1,3 +1,6 @@
+* openssl-ibmca 2.2.3
+- Fix PKEY segfault with OpenSSL 3.0
+
* openssl-ibmca 2.2.2
- Fix tests with OpenSSL 3.0
- Build against libica 4.0
News:
-----
There is no upstream NEWS file (or suchlike - the README.md is unchanged).
build log:
----------
https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz
Install log:
------------
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt
Package upgrade log:
--------------------
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1967141/+attachment/5575247/+files/package_upgrade_test.txt
Testing:
--------
The previous link also includes the testing and verification that I did,
hence I can confirm that the reported problem is solved.
On top a testsuite is executed when the package is build.
Local build:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 28
# SKIP: 6
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
PPA:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 26
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
(Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware.
(The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems).
description of proposed changes:
--------------------------------
"PKEY: Fix usage of ECX keys" - the usage of ECX keys was fixed by using proper missing set/get methods for opaque types.
New file src/openssl-compat.h introduced that holds the specific ossl_ecx* function.
All this only effects ED25519, ED448, X25519 and X448 using s390x hardware crypto.
"use correct libica for ibmca_mechaList_test" - the Makefile for ibmca_mechaList_test is now generated during the configure run, to make sure it links with the same libica variant as used by the ibmca.so module.
"Fix compilation for OpenSSL 3.0" - the API used in the above commit is not public (and introduces a line "include <crypto/evp.h>" that cannot be resolved all the time - only compile if the OpenSSL 3.0 source tree is present). Hence the defines to be used are now copied over, which makes the engine compile even without OpenSSL 3.0 source tree.
In addition a sample config that allows to be simply copied over is added to the package, as well as the script that generates it. That is done for convenience reasons and reduces the configuration time to just seconds.
The openssl-ibmca package is a universe package that is available for s390x only.
Dependencies:
-------------
openssl-ibmca has no reverse dependencies:
$ apt-cache depends openssl-ibmca
openssl-ibmca
Depends: libica4
Depends: libc6
Depends: libssl3
$ apt-cache rdepends openssl-ibmca
openssl-ibmca
Reverse Depends:
_________________________
---Problem Description---
Summary
=======
New IBM HW with Crypto Accelerator cards attached
Kernel level: 5.14
Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section.
The problem only occurs with OpenSSL 3.0 and is immediately reproducible.
Details
=======
HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read
DefaultLimitCORE=infinity:infinity
On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt.
# openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH]
Debug Data
==========
core dump file in the attachments.
Contact Information = christian.rund@de.ibm.com
---uname output---
Linux system 5.14.
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Edit /etc/systemd/system.conf file to allow core dumps:
Change the line DefaultLimitCORE=0:infinity
to read DefaultLimitCORE=infinity:infinity
2.) run: systemctl daemon-reload
systemctl restart systemd-coredump.socket
3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script
4.) Edit the /etc/pki/tls file near the end to contain the line
to back the ibmca engine by the libica.so.4 library as outlined in the
/usr/share/doc/openssl-ibmca/README.md file
5.) Run: openssl engine -c
6.) Keep the current session open for subsequently stepping back to the
original openssl.cnf!
7.) Open up a new ssh session to the system under test
and watch the login to fail with broken pipe
8.) On the remaining session, run
coreumpctl list / coredumpctl dump
Userspace tool common name: openssl-ibmca
Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x
The userspace tool has the following bit modes: 64bit
Userspace tool obtained from project website: na |
Dear Ubuntu Release Team, please consider the acceptance this feature freeze exception about a new openssl-ibmca-2.2.3-0ubuntu1 package for jammy, because:
Rationale for the exception:
----------------------------
- a severe issue is fixed (sshd core dump while using hw crypto)
e91e179 ("PKEY: Fix usage of ECX keys")
- another potential segmentation fault is fixed by:
6563dd2 ("use correct libica for ibmca_mechaList_test")
- and since these are the only two fixes between 2.2.2 and 2.2.3:
93a12d3 (tag: v2.2.3) Update to version 2.2.3
6563dd2 use correct libica for ibmca_mechaList_test
e91e179 PKEY: Fix usage of ECX keys
fae4490 (tag: v2.2.2) Update to version 2.2.2
the version 2.2.3 is a bug-fix only release,
and could be acceptable for a FFe
(according to https://wiki.ubuntu.com/FreezeExceptionProcess)
- but to get the new version build (esp. with e91e179) a backport of
e59cce5 ("Fix compilation for OpenSSL 3.0")
was needed on top.
- To me it wouldn't make sense to add the 3 commits above to v2.2.2,
since it would end up in a package version that's a super-set
of upstream 2.2.3 anyway )but named 2.2.2-0ubuntu1,
hence asking for the FFe.
- The package now also ships a sample config
(as well as the script to generate it,
in case one wants/needs to re-generate it).
upstream ChangeLog diff:
------------------------
$ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog
--- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100
+++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200
@@ -1,3 +1,6 @@
+* openssl-ibmca 2.2.3
+- Fix PKEY segfault with OpenSSL 3.0
+
* openssl-ibmca 2.2.2
- Fix tests with OpenSSL 3.0
- Build against libica 4.0
News:
-----
There is no upstream NEWS file (or suchlike - the README.md is unchanged).
build log:
----------
https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz
Install log:
------------
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt
Package upgrade log:
--------------------
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1967141/+attachment/5575247/+files/package_upgrade_test.txt
Testing:
--------
The previous link also includes the testing and verification that I did,
hence I can confirm that the reported problem is solved.
On top a testsuite is executed when the package is build.
Local build:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 28
# SKIP: 6
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
PPA:
========================================================================
Testsuite summary for openssl-ibmca 2.2.3
========================================================================
# TOTAL: 34
# PASS: 26
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
========================================================================
(Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware.
(The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems).
description of proposed changes:
--------------------------------
"PKEY: Fix usage of ECX keys" - the usage of ECX keys was fixed by using proper missing set/get methods for opaque types.
New file src/openssl-compat.h introduced that holds the specific ossl_ecx* function.
All this only effects ED25519, ED448, X25519 and X448 using s390x hardware crypto.
"use correct libica for ibmca_mechaList_test" - the Makefile for ibmca_mechaList_test is now generated during the configure run, to make sure it links with the same libica variant as used by the ibmca.so module.
"Fix compilation for OpenSSL 3.0" - the API used in the above commit is not public (and introduces a line "include <crypto/evp.h>" that cannot be resolved all the time - only compile if the OpenSSL 3.0 source tree is present). Hence the defines to be used are now copied over, which makes the engine compile even without OpenSSL 3.0 source tree.
In addition a sample config that allows to be simply copied over is added to the package, as well as the script that generates it. That is done for convenience reasons and reduces the configuration time to just seconds.
The openssl-ibmca package is a universe package that is available for s390x only.
Dependencies:
-------------
openssl-ibmca has no reverse dependencies:
$ apt-cache depends openssl-ibmca
openssl-ibmca
Depends: libica4
Depends: libc6
Depends: libssl3
$ apt-cache rdepends openssl-ibmca
openssl-ibmca
Reverse Depends:
_________________________
---Problem Description---
Summary
=======
New IBM HW with Crypto Accelerator cards attached
Kernel level: 5.14
Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section.
The problem only occurs with OpenSSL 3.0 and is immediately reproducible.
Details
=======
HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read
DefaultLimitCORE=infinity:infinity
On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt.
# openssl engine -c
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
[RSA, DSA, DH]
Debug Data
==========
core dump file in the attachments.
Contact Information = christian.rund@de.ibm.com
---uname output---
Linux system 5.14.
---Debugger---
A debugger is not configured
---Steps to Reproduce---
1.) Edit /etc/systemd/system.conf file to allow core dumps:
Change the line DefaultLimitCORE=0:infinity
to read DefaultLimitCORE=infinity:infinity
2.) run: systemctl daemon-reload
systemctl restart systemd-coredump.socket
3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script
4.) Edit the /etc/pki/tls file near the end to contain the line
to back the ibmca engine by the libica.so.4 library as outlined in the
/usr/share/doc/openssl-ibmca/README.md file
5.) Run: openssl engine -c
6.) Keep the current session open for subsequently stepping back to the
original openssl.cnf!
7.) Open up a new ssh session to the system under test
and watch the login to fail with broken pipe
8.) On the remaining session, run
coreumpctl list / coredumpctl dump
Userspace tool common name: openssl-ibmca
Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x
The userspace tool has the following bit modes: 64bit
Userspace tool obtained from project website: na |
|
2022-04-01 07:50:02 |
Łukasz Zemczak |
openssl-ibmca (Ubuntu): status |
New |
Triaged |
|
2022-04-01 07:50:05 |
Łukasz Zemczak |
removed subscriber Ubuntu Release Team |
|
|
|
2022-04-01 08:30:34 |
Ubuntu Foundations Team Bug Bot |
tags |
architecture-s39064 bugnameltc-197386 severity-critical targetmilestone-inin--- |
architecture-s39064 bugnameltc-197386 patch severity-critical targetmilestone-inin--- |
|
2022-04-01 08:30:41 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2022-04-01 10:19:03 |
Frank Heimes |
openssl-ibmca (Ubuntu): status |
Triaged |
In Progress |
|
2022-04-01 11:35:47 |
Launchpad Janitor |
openssl-ibmca (Ubuntu): status |
In Progress |
Fix Released |
|
2022-04-01 11:46:32 |
Frank Heimes |
ubuntu-z-systems: status |
In Progress |
Fix Released |
|
2022-06-23 09:00:09 |
bugproxy |
tags |
architecture-s39064 bugnameltc-197386 patch severity-critical targetmilestone-inin--- |
architecture-s39064 bugnameltc-197386 patch severity-critical targetmilestone-inin2204 |
|