[18.04 FEAT] Add support for CPACF enhancements to openssl

Bug #1743750 reported by bugproxy on 2018-01-17
Affects: Ubuntu on IBM z Systems; Importance: High; Assigned to: Dimitri John Ledkov
Affects: openssl (Ubuntu); Importance: Undecided; Assigned to: Skipper Bug Screeners
Affects: openssl1.0 (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

Add support for CPACF enhancements to openssl

Support new CPACF instructions to accelerate the GCM mode of operation as available with IBM z14 and later hardware.
This feature implements the instruction support in openssl!

A prereq within IBMCA is already available with ibmca 1.4.0. Already requested for 17.10.

bugproxy (bugproxy) on 2018-01-17
tags: added: architecture-s39064 bugnameltc-163655 severity-high targetmilestone-inin1804
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
affects: linux (Ubuntu) → openssl (Ubuntu)

------- Comment From <email address hidden> 2018-01-17 06:43 EDT-------
Since today, this function is accepted upstream.
We would like to provide a backport to openssl 1.0.2.
Can we go ahead with this procedure?

Dimitri John Ledkov (xnox) wrote :

Will it be accepted into upstream 1.0.2 series? E.g. 1.0.2o? We have cherry-picked hw optimisations into openssl before, but I'm not sure what the current policy around it is. Do you have links to patches in the current openssl master for the security team to check over them?

Changed in ubuntu-z-systems:
importance: Undecided → High
Changed in ubuntu-z-systems:
assignee: nobody → Dimitri John Ledkov (xnox)
Changed in ubuntu-z-systems:
status: New → Triaged
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-02-05 07:22 EDT-------
Attached backports for ubuntu 18.04 openssl 1.0.2n.

------- Comment (attachment only) From <email address hidden> 2018-02-05 07:20 EDT-------

------- Comment (attachment only) From <email address hidden> 2018-02-05 07:20 EDT-------

------- Comment From <email address hidden> 2018-02-05 07:37 EDT-------
... patches are still being tested.

Dimitri John Ledkov (xnox) wrote :

So, the current plan is as follows:

18.04 LTS GA to ship with both openssl 1.1.0 and 1.0.2.

OpenSSL 1.1.0 will be the default and the majority of packages will use it.

When I say majority, I mean:
* everything in main
* except for openssh & possibly strongswan

About 1/4 of packages in universe will be using 1.0.2 openssl.

If and when OpenSSL 1.1.1 with TLS v1.3 is released, the security team will be evaluating if we can integrate it, and into which releases.

For completeness of coverage, and consistent libssl/libcrypto performance, I think it does make sense to integrate the 1.0.2 patch backports - would you agree?

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-02-06 03:08 EDT-------
I agree - it would make sense to integrate the backports.

Dimitri John Ledkov (xnox) wrote :

In 18.04 LTS, openssl-ibmca will only be available as an engine for openssl1.1.0, and it will not be available for openssl1.0.2. openssl1.1.0 is the default openssl provided, and will be used by most packages in the archive. Thus, as far as I understand, there is little value in shipping this patch set for 1.0.2. I will upload this patchset for 1.1.0 however, such that we can get this support in with the default openssl.

information type: Private → Public
Changed in openssl (Ubuntu):
status: New → Fix Committed
Changed in ubuntu-z-systems:
status: Triaged → Fix Committed
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-02-27 08:54 EDT-------
Testing of the 1.0.2 backports is complete.

openssl-ibmca is not needed/completely independent of this patch set.

Dimitri John Ledkov (xnox) wrote :

ack!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl1.0 - 1.0.2n-1ubuntu4

---------------
openssl1.0 (1.0.2n-1ubuntu4) bionic; urgency=medium

  * s390x: Add support for CPACF enhancements to openssl, for IBM z14. LP:
    #1743750

 -- Dimitri John Ledkov <email address hidden> Wed, 28 Feb 2018 14:52:10 +0000

Changed in openssl1.0 (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.1.0g-2ubuntu2

---------------
openssl (1.1.0g-2ubuntu2) bionic; urgency=medium

  * s390x: Add support for CPACF enhancements to openssl, for IBM z14. LP:
    #1743750

 -- Dimitri John Ledkov <email address hidden> Tue, 27 Feb 2018 13:01:19 +0000

Changed in openssl (Ubuntu):
status: Fix Committed → Fix Released
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-03-05 04:59 EDT-------
IBM bugzilla status -> closed, Backports accepted for 1.0.2 and 1.1.0 -> Fix Released in bionic
