Re: [Opencryptoki-tech] [libica PATCH] make suite.out user-friendly

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Mon, 16 Jan 2017 12:47:21 +0100
"Patrick Steuer" <pat...@de...> wrote:

> 
> Hi,
> 
> When libica is running in fips mode (see icastats), /dev/hwrng
> or /dev/prandom must be available.

yes, that's what I got from reading the sources too. Currently I've
added a check to the spec file [1] and asked the mock guys to
install /dev/{hwrng,prandom} in the chroots [2].

[1] http://pkgs.fedoraproject.org/cgit/rpms/libica.git/commit/?id=2d708aec776cc071cb81079a70c3efcaffe835c8
[2] https://github.com/rpm-software-management/mock/issues/33

		Dan

> Best regards
> -- Patrick Steuer
> 
> Crypto for Linux on z Systems
> Phone: +49-7031-16-1600
> IBM Deutschland Research & Development GmbH
> 
> 
> 
> From:	Harald Freudenberger <fr...@li...>
> To:	Dan Horák <da...@da...>
> Cc:	ope...@li..., Patrick
>             Steuer/Germany/IBM@IBMDE
> Date:	16.01.2017 12:41
> Subject:	Re: [Opencryptoki-tech] [libica PATCH] make suite.out
>             user-friendly
> 
> 
> 
> 
> 
> On 01/13/2017 07:35 PM, Dan Horák wrote:
> > On Fri, 13 Jan 2017 16:01:34 +0100
> > Harald Freudenberger <fr...@li...> wrote:
> >
> >> On 01/13/2017 02:27 PM, Dan Horák wrote:
> >>> On Fri, 13 Jan 2017 13:52:19 +0100
> >>> Dan Horák <da...@da...> wrote:
> >>>
> >>>> On Fri, 13 Jan 2017 11:17:47 +0100
> >>>> Dan Horák <da...@da...> wrote:
> >>>>
> >>>>> Put some separators to the test cases outputs so suite.out
> >>>>> is more readable.
> >>>> you can see the result in the build.log at
> >>>> https://s390.koji.fedoraproject.org/koji/taskinfo?taskID=2446194
> >>>>
> >>>> Hm, the tests all passed when building the rpm locally.
> >>> it's missing /dev/prandom in the builder's chroot
> >> Hi Dan
> >> Why should opencryptoki have an dependency to /dev/prandom ?
> >> Libica and thus on top the ica token would attempt to
> >> open /dev/prandom during shared library initialization but if this
> >> node is not available the fallback is to use /dev/urandom instead.
> > that's what strace told me, libica is built with FIPS support
> > enabled
> >
> > running LD_LIBRARY_PATH=../.libs PATH=..:$PATH
> > strace ./icastats_test in Fedora Rawhide (to-be Fedora 26) gives
> > ...
> > set_tid_address(0x3ff876767d0)          = 45248
> > set_robust_list(0x3ff876767e0, 24)      = 0
> > rt_sigaction(SIGRTMIN, {0x3ff87206000, [], SA_SIGINFO}, NULL, 8) = 0
> > rt_sigaction(SIGRT_1, {0x3ff872060c0, [], SA_RESTART|SA_SIGINFO},
> > NULL,
> 8) = 0
> > rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
> > prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024,
> rlim_max=RLIM64_INFINITY}) = 0
> > rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP RTMIN RT_1], [], 8) = 0
> > rt_sigaction(SIGILL, {0x3ff873c3f98, ~[ILL TRAP RTMIN RT_1], 0},
> {SIG_DFL, [], 0}, 8) = 0
> > rt_sigprocmask(SIG_BLOCK, NULL, ~[ILL TRAP KILL STOP RTMIN RT_1],
> > 8) = 0 rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > access("/etc/system-fips", F_OK)        = -1 ENOENT (No such file or
> directory)
> > geteuid()                               = 0
> > statfs("/dev/shm/", {f_type=TMPFS_MAGIC, f_bsize=4096,
> > f_blocks=238325,
> f_bfree=238324, f_bavail=238324, f_files=238325, f_ffree=238323,
> f_fsid={0, 0}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|
> ST_RELATIME}) = 0
> > futex(0x3ff87222370, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > open("/dev/shm/icastats_0", O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC,
> > 0600) =
> 3
> > ftruncate(3, 464)                       = 0
> > mmap(NULL, 464, PROT_READ|PROT_WRITE, MAP_SHARED, 3, 0) =
> > 0x3ff87500000 rt_sigprocmask(SIG_UNBLOCK, [ILL], [], 8) = 0
> > rt_sigaction(SIGILL, {0x3ff87596690, [], 0}, {SIG_DFL, [], 0}, 8) =
> > 0 futex(0x3ff875ad838, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > brk(NULL)                               = 0x8536d000
> > brk(0x8538e000)                         = 0x8538e000
> > rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > rt_sigprocmask(SIG_UNBLOCK, [ILL], [], 8) = 0
> > rt_sigaction(SIGILL, {0x3ff87596690, [HUP], 0}, {SIG_DFL, [], 0},
> > 8) = 0 rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > rt_sigprocmask(SIG_UNBLOCK, [ILL], [], 8) = 0
> > rt_sigaction(SIGILL, {0x3ff87596690, [HUP], 0}, {SIG_DFL, [], 0},
> > 8) = 0 rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > rt_sigprocmask(SIG_UNBLOCK, [ILL], [], 8) = 0
> > rt_sigaction(SIGILL, {0x3ff87596690, [HUP], 0}, {SIG_DFL, [], 0},
> > 8) = 0 rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> > fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
> > read(4, "0\n", 1024)                    = 2
> > close(4)                                = 0
> > open("/dev/hwrng", O_RDONLY)            = -1 ENOENT (No such file or
> directory)
> > open("/dev/prandom", O_RDONLY)          = -1 ENOENT (No such file or
> directory)
> > open("/dev/hwrng", O_RDONLY)            = -1 ENOENT (No such file or
> directory)
> > open("/dev/prandom", O_RDONLY)          = -1 ENOENT (No such file or
> directory)
> > open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
> > fstat(4, {st_mode=S_IFREG|0644, st_size=2102, ...}) = 0
> > fstat(4, {st_mode=S_IFREG|0644, st_size=2102, ...}) = 0
> > read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0
> > \0"...,
> 4096) = 2102
> > lseek(4, -1337, SEEK_CUR)               = 765
> > read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0
> > \0"...,
> 4096) = 1337
> > close(4)                                = 0
> > socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
> > connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1
> > ENOENT (No
> such file or directory)
> > close(4)                                = 0
> > futex(0x3ff874a6490, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > futex(0x3ff874a659c, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > open("/udev/z90crypt", O_RDWR)          = -1 ENOENT (No such file or
> directory)
> > open("/dev/z90crypt", O_RDWR)           = -1 ENOENT (No such file or
> directory)
> > open("/dev/zcrypt", O_RDWR)             = -1 ENOENT (No such file or
> directory)
> > open("/sys/devices/ap/", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC)
> > = -1
> ENOENT (No such file or directory)
> > rt_sigaction(SIGINT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
> > rt_sigaction(SIGQUIT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
> > rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
> > clone(child_stack=NULL, flags=CLONE_PARENT_SETTID|SIGCHLD,
> parent_tidptr=0x3ffe37fe87c) = 45249
> > wait4(45249, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) =
> > 45249 rt_sigaction(SIGINT, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigaction(SIGQUIT, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=45249,
> si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
> > fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> > geteuid()                               = 0
> > munmap(0x3ff87500000, 464)              = 0
> > close(3)                                = 0
> > write(1, "Error in ica_random_number_gener"..., 37Error in
> ica_random_number_generate: ) = 37
> > exit_group(13)                          = ?
> > +++ exited with 13 +++
> >
> >
> > 		 		 Dan
> >
> 
> looks like you are running an fips enabled kernel. Well then libica
> (if build with FIPS support)
> is also running in fips mode. Not sure if libica initialization will
> refuse if there is no
> /dev/hwrng and /dev/prandom available. @Patrick can you answer this ?
> 
> regards H.Freudenberger
> 
> 