Re: [Opencryptoki-tech] [libica PATCH] make suite.out user-friendly
From: Dan H. <da...@da...> - 2017-01-17 12:36:06
On Mon, 16 Jan 2017 12:47:21 +0100
"Patrick Steuer" <pat...@de...> wrote:

> Hi,
>
> When libica is running in fips mode (see icastats), /dev/hwrng
> or /dev/prandom must be available.

yes, that's what I got from reading the sources too. Currently I've
added a check to the spec file [1] and asked the mock guys to
install /dev/{hwrng,prandom} in the chroots [2].

[1] http://pkgs.fedoraproject.org/cgit/rpms/libica.git/commit/?id=2d708aec776cc071cb81079a70c3efcaffe835c8
[2] https://github.com/rpm-software-management/mock/issues/33

Dan

> Best regards
> -- Patrick Steuer
>
> Crypto for Linux on z Systems
> Phone: +49-7031-16-1600
> IBM Deutschland Research & Development GmbH
>
>
> From: Harald Freudenberger <fr...@li...>
> To: Dan Horák <da...@da...>
> Cc: ope...@li..., Patrick Steuer/Germany/IBM@IBMDE
> Date: 16.01.2017 12:41
> Subject: Re: [Opencryptoki-tech] [libica PATCH] make suite.out user-friendly
>
>
> On 01/13/2017 07:35 PM, Dan Horák wrote:
> > On Fri, 13 Jan 2017 16:01:34 +0100
> > Harald Freudenberger <fr...@li...> wrote:
> >
> >> On 01/13/2017 02:27 PM, Dan Horák wrote:
> >>> On Fri, 13 Jan 2017 13:52:19 +0100
> >>> Dan Horák <da...@da...> wrote:
> >>>
> >>>> On Fri, 13 Jan 2017 11:17:47 +0100
> >>>> Dan Horák <da...@da...> wrote:
> >>>>
> >>>>> Put some separators to the test cases outputs so suite.out
> >>>>> is more readable.
> >>>> you can see the result in the build.log at
> >>>> https://s390.koji.fedoraproject.org/koji/taskinfo?taskID=2446194
> >>>>
> >>>> Hm, the tests all passed when building the rpm locally.
> >>> it's missing /dev/prandom in the builder's chroot
> >> Hi Dan
> >> Why should opencryptoki have an dependency to /dev/prandom ?
> >> Libica and thus on top the ica token would attempt to
> >> open /dev/prandom during shared library initialization but if this
> >> node is not available the fallback is to use /dev/urandom instead.
> > that's what strace told me, libica is built with FIPS support
> > enabled
> >
> > running LD_LIBRARY_PATH=../.libs PATH=..:$PATH
> > strace ./icastats_test in Fedora Rawhide (to-be Fedora 26) gives
> > ...
> > set_tid_address(0x3ff876767d0) = 45248
> > set_robust_list(0x3ff876767e0, 24) = 0
> > rt_sigaction(SIGRTMIN, {0x3ff87206000, [], SA_SIGINFO}, NULL, 8) = 0
> > rt_sigaction(SIGRT_1, {0x3ff872060c0, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
> > rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
> > prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
> > rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP RTMIN RT_1], [], 8) = 0
> > rt_sigaction(SIGILL, {0x3ff873c3f98, ~[ILL TRAP RTMIN RT_1], 0}, {SIG_DFL, [], 0}, 8) = 0
> > rt_sigprocmask(SIG_BLOCK, NULL, ~[ILL TRAP KILL STOP RTMIN RT_1], 8) = 0
> > rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > access("/etc/system-fips", F_OK) = -1 ENOENT (No such file or directory)
> > geteuid() = 0
> > statfs("/dev/shm/", {f_type=TMPFS_MAGIC, f_bsize=4096, f_blocks=238325, f_bfree=238324, f_bavail=238324, f_files=238325, f_ffree=238323, f_fsid={0, 0}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0
> > futex(0x3ff87222370, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > open("/dev/shm/icastats_0", O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC, 0600) = 3
> > ftruncate(3, 464) = 0
> > mmap(NULL, 464, PROT_READ|PROT_WRITE, MAP_SHARED, 3, 0) = 0x3ff87500000
> > rt_sigprocmask(SIG_UNBLOCK, [ILL], [], 8) = 0
> > rt_sigaction(SIGILL, {0x3ff87596690, [], 0}, {SIG_DFL, [], 0}, 8) = 0
> > futex(0x3ff875ad838, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > brk(NULL) = 0x8536d000
> > brk(0x8538e000) = 0x8538e000
> > rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > rt_sigprocmask(SIG_UNBLOCK, [ILL], [], 8) = 0
> > rt_sigaction(SIGILL, {0x3ff87596690, [HUP], 0}, {SIG_DFL, [], 0}, 8) = 0
> > rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > rt_sigprocmask(SIG_UNBLOCK, [ILL], [], 8) = 0
> > rt_sigaction(SIGILL, {0x3ff87596690, [HUP], 0}, {SIG_DFL, [], 0}, 8) = 0
> > rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > rt_sigprocmask(SIG_UNBLOCK, [ILL], [], 8) = 0
> > rt_sigaction(SIGILL, {0x3ff87596690, [HUP], 0}, {SIG_DFL, [], 0}, 8) = 0
> > rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> > fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
> > read(4, "0\n", 1024) = 2
> > close(4) = 0
> > open("/dev/hwrng", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/dev/prandom", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/dev/hwrng", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/dev/prandom", O_RDONLY) = -1 ENOENT (No such file or directory)
> > open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
> > fstat(4, {st_mode=S_IFREG|0644, st_size=2102, ...}) = 0
> > fstat(4, {st_mode=S_IFREG|0644, st_size=2102, ...}) = 0
> > read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 2102
> > lseek(4, -1337, SEEK_CUR) = 765
> > read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 1337
> > close(4) = 0
> > socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
> > connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 ENOENT (No such file or directory)
> > close(4) = 0
> > futex(0x3ff874a6490, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > futex(0x3ff874a659c, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > open("/udev/z90crypt", O_RDWR) = -1 ENOENT (No such file or directory)
> > open("/dev/z90crypt", O_RDWR) = -1 ENOENT (No such file or directory)
> > open("/dev/zcrypt", O_RDWR) = -1 ENOENT (No such file or directory)
> > open("/sys/devices/ap/", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
> > rt_sigaction(SIGINT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
> > rt_sigaction(SIGQUIT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
> > rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
> > clone(child_stack=NULL, flags=CLONE_PARENT_SETTID|SIGCHLD, parent_tidptr=0x3ffe37fe87c) = 45249
> > wait4(45249, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 45249
> > rt_sigaction(SIGINT, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigaction(SIGQUIT, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=45249, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
> > fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> > geteuid() = 0
> > munmap(0x3ff87500000, 464) = 0
> > close(3) = 0
> > write(1, "Error in ica_random_number_gener"..., 37Error in ica_random_number_generate: ) = 37
> > exit_group(13) = ?
> > +++ exited with 13 +++
> >
> >
> > Dan
> >
>
> looks like you are running an fips enabled kernel. Well then libica
> (if build with FIPS support) is also running in fips mode. Not sure if
> libica initialization will refuse if there is no /dev/hwrng and
> /dev/prandom available. @Patrick can you answer this ?
>
> regards H.Freudenberger
>
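Added example, not part of the original message or of libica: a small Python helper that scans raw strace output, like the trace quoted above, for device nodes that failed to open with ENOENT, and reports whether either RNG node named in the thread was opened. The function names and the sample trace are constructed for illustration, and the code assumes unwrapped strace text rather than the mail-quoted form.

```python
import re

# Matches strace lines such as:
#   open("/dev/hwrng", O_RDONLY) = -1 ENOENT (No such file or directory)
#   openat(AT_FDCWD, "/dev/prandom", O_RDONLY) = 4
OPEN_RE = re.compile(
    r'\b(?:open|openat)\((?:AT_FDCWD,\s*)?"(?P<path>[^"]+)"[^)]*\)[ \t]*=[ \t]*'
    r'(?P<ret>-?\d+)(?:[ \t]+(?P<errno>E[A-Z]+))?'
)

# The two nodes the thread says libica needs in FIPS mode.
RNG_NODES = ("/dev/hwrng", "/dev/prandom")

def parse_opens(trace):
    """Yield (path, return_value, errno_or_None) for each open/openat call."""
    for m in OPEN_RE.finditer(trace):
        yield m.group("path"), int(m.group("ret")), m.group("errno")

def missing_nodes(trace, prefix="/dev/"):
    """Paths under prefix that failed with ENOENT and never opened, in first-seen order."""
    opened, missing = set(), []
    for path, ret, errno in parse_opens(trace):
        if not path.startswith(prefix):
            continue
        if ret >= 0:
            opened.add(path)
        elif errno == "ENOENT" and path not in missing:
            missing.append(path)
    return [p for p in missing if p not in opened]

def rng_node_available(trace):
    """True if at least one of RNG_NODES was opened successfully."""
    return any(p in RNG_NODES and ret >= 0 for p, ret, _ in parse_opens(trace))

# Constructed sample, modelled on the lines of the trace in this thread.
SAMPLE = '''\
open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
open("/dev/hwrng", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/dev/prandom", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/dev/hwrng", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/dev/shm/icastats_0", O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC, 0600) = 3
open("/dev/z90crypt", O_RDWR) = -1 ENOENT (No such file or directory)
'''

if __name__ == "__main__":
    print("missing device nodes:", missing_nodes(SAMPLE))
    print("RNG node available:", rng_node_available(SAMPLE))
```

Run against a build chroot's trace, an empty RNG result together with ENOENT on both nodes points at the chroot setup rather than at the test itself.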