** Description changed: + Please consider to accept the integration of this new openssl- + ibmca-2.2.3-0ubuntu1 package for jammy under the 'Freeze Exception + Process', because: + + - a severe issue is fixed (sshd core dump while using hw crypto) + 6563dd2 ("use correct libica for ibmca_mechaList_test") + + - another segmentation fault is fixed by: + e91e179 ("PKEY: Fix usage of ECX keys") + + - and since these are the only two fixes between 2.2.2 and 2.2.3: + 93a12d3 (tag: v2.2.3) Update to version 2.2.3 + 6563dd2 use correct libica for ibmca_mechaList_test + e91e179 PKEY: Fix usage of ECX keys + fae4490 (tag: v2.2.2) Update to version 2.2.2 + the version 2.2.3 is a bug-fix only release, + and could be acceptable for a FFe + (according to https://wiki.ubuntu.com/FreezeExceptionProcess) + + - But to get the new version compiled (esp. with e91e179) a backport of + e59cce5 ("Fix compilation for OpenSSL 3.0") + was needed on top. + + - The package now ships a sample config + (as well as the script to generate it, + in case one wants/needs to re-generate it). + + Here is the diff of the upstream ChangeLog: + $ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog + --- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100 + +++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200 + @@ -1,3 +1,6 @@ + +* openssl-ibmca 2.2.3 + +- Fix PKEY segfault with OpenSSL 3.0 + + + * openssl-ibmca 2.2.2 + - Fix tests with OpenSSL 3.0 + - Build against libica 4.0 + + There is no upstream NEWS file (or suchlike - the README.md is + unchanged). + + The buildlog: + https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz + + The installlog: + https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt + + The previous link also includes the testing and verification that I did, + hence I can confirm that the reported problem is solved. + On top a testsuite is executed when the package is build. + Local build: + ======================================================================== + Testsuite summary for openssl-ibmca 2.2.3 + ======================================================================== + # TOTAL: 34 + # PASS: 28 + # SKIP: 6 + # XFAIL: 0 + # FAIL: 0 + # XPASS: 0 + # ERROR: 0 + ======================================================================== + PPA: + ======================================================================== + Testsuite summary for openssl-ibmca 2.2.3 + ======================================================================== + # TOTAL: 34 + # PASS: 26 + # SKIP: 8 + # XFAIL: 0 + # FAIL: 0 + # XPASS: 0 + # ERROR: 0 + ======================================================================== + (Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware. + (The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems). + + _________________________ + + ---Problem Description--- Summary ======= New IBM HW with Crypto Accelerator cards attached - Kernel level: 5.14 + Kernel level: 5.14 Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section. The problem only occurs with OpenSSL 3.0 and is immediately reproducible. - Details ======= HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read - DefaultLimitCORE=infinity:infinity + DefaultLimitCORE=infinity:infinity On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt. # openssl engine -c (dynamic) Dynamic engine loading support (ibmca) Ibmca hardware engine support - [RSA, DSA, DH] - + [RSA, DSA, DH] Debug Data ========== core dump file in the attachments. - - Contact Information = christian.r...@de.ibm.com - + + Contact Information = christian.r...@de.ibm.com + ---uname output--- Linux system 5.14. - + ---Debugger--- A debugger is not configured - + ---Steps to Reproduce--- 1.) Edit /etc/systemd/system.conf file to allow core dumps: - Change the line DefaultLimitCORE=0:infinity - to read DefaultLimitCORE=infinity:infinity + Change the line DefaultLimitCORE=0:infinity + to read DefaultLimitCORE=infinity:infinity 2.) run: systemctl daemon-reload - systemctl restart systemd-coredump.socket + systemctl restart systemd-coredump.socket 3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script 4.) Edit the /etc/pki/tls file near the end to contain the line - to back the ibmca engine by the libica.so.4 library as outlined in the - /usr/share/doc/openssl-ibmca/README.md file + to back the ibmca engine by the libica.so.4 library as outlined in the + /usr/share/doc/openssl-ibmca/README.md file 5.) Run: openssl engine -c 6.) Keep the current session open for subsequently stepping back to the - original openssl.cnf! + original openssl.cnf! 7.) Open up a new ssh session to the system under test - and watch the login to fail with broken pipe + and watch the login to fail with broken pipe 8.) On the remaining session, run - coreumpctl list / coredumpctl dump - - Userspace tool common name: openssl-ibmca + coreumpctl list / coredumpctl dump - Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x - - The userspace tool has the following bit modes: 64bit + Userspace tool common name: openssl-ibmca + + Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x + + The userspace tool has the following bit modes: 64bit Userspace tool obtained from project website: na
** Changed in: linux (Ubuntu) Status: In Progress => New ** Description changed: Please consider to accept the integration of this new openssl- ibmca-2.2.3-0ubuntu1 package for jammy under the 'Freeze Exception Process', because: - a severe issue is fixed (sshd core dump while using hw crypto) - 6563dd2 ("use correct libica for ibmca_mechaList_test") + 6563dd2 ("use correct libica for ibmca_mechaList_test") - another segmentation fault is fixed by: - e91e179 ("PKEY: Fix usage of ECX keys") + e91e179 ("PKEY: Fix usage of ECX keys") - and since these are the only two fixes between 2.2.2 and 2.2.3: - 93a12d3 (tag: v2.2.3) Update to version 2.2.3 - 6563dd2 use correct libica for ibmca_mechaList_test - e91e179 PKEY: Fix usage of ECX keys - fae4490 (tag: v2.2.2) Update to version 2.2.2 - the version 2.2.3 is a bug-fix only release, - and could be acceptable for a FFe - (according to https://wiki.ubuntu.com/FreezeExceptionProcess) + 93a12d3 (tag: v2.2.3) Update to version 2.2.3 + 6563dd2 use correct libica for ibmca_mechaList_test + e91e179 PKEY: Fix usage of ECX keys + fae4490 (tag: v2.2.2) Update to version 2.2.2 + the version 2.2.3 is a bug-fix only release, + and could be acceptable for a FFe + (according to https://wiki.ubuntu.com/FreezeExceptionProcess) - But to get the new version compiled (esp. with e91e179) a backport of - e59cce5 ("Fix compilation for OpenSSL 3.0") - was needed on top. + e59cce5 ("Fix compilation for OpenSSL 3.0") + was needed on top. - The package now ships a sample config - (as well as the script to generate it, - in case one wants/needs to re-generate it). + (as well as the script to generate it, + in case one wants/needs to re-generate it). Here is the diff of the upstream ChangeLog: $ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog --- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100 +++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200 @@ -1,3 +1,6 @@ +* openssl-ibmca 2.2.3 +- Fix PKEY segfault with OpenSSL 3.0 + - * openssl-ibmca 2.2.2 - - Fix tests with OpenSSL 3.0 - - Build against libica 4.0 + * openssl-ibmca 2.2.2 + - Fix tests with OpenSSL 3.0 + - Build against libica 4.0 There is no upstream NEWS file (or suchlike - the README.md is unchanged). The buildlog: https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz The installlog: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt The previous link also includes the testing and verification that I did, hence I can confirm that the reported problem is solved. On top a testsuite is executed when the package is build. Local build: ======================================================================== Testsuite summary for openssl-ibmca 2.2.3 ======================================================================== # TOTAL: 34 # PASS: 28 # SKIP: 6 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 0 ======================================================================== PPA: ======================================================================== Testsuite summary for openssl-ibmca 2.2.3 ======================================================================== # TOTAL: 34 # PASS: 26 # SKIP: 8 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 0 ======================================================================== (Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware. (The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems). + The openssl-ibmca package is a universe package that is available for + s390x only. + _________________________ - ---Problem Description--- Summary ======= New IBM HW with Crypto Accelerator cards attached Kernel level: 5.14 Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section. The problem only occurs with OpenSSL 3.0 and is immediately reproducible. Details ======= HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read DefaultLimitCORE=infinity:infinity On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt. # openssl engine -c (dynamic) Dynamic engine loading support (ibmca) Ibmca hardware engine support [RSA, DSA, DH] Debug Data ========== core dump file in the attachments. Contact Information = christian.r...@de.ibm.com ---uname output--- Linux system 5.14. ---Debugger--- A debugger is not configured ---Steps to Reproduce--- 1.) Edit /etc/systemd/system.conf file to allow core dumps: Change the line DefaultLimitCORE=0:infinity to read DefaultLimitCORE=infinity:infinity 2.) run: systemctl daemon-reload systemctl restart systemd-coredump.socket 3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script 4.) Edit the /etc/pki/tls file near the end to contain the line to back the ibmca engine by the libica.so.4 library as outlined in the /usr/share/doc/openssl-ibmca/README.md file 5.) Run: openssl engine -c 6.) Keep the current session open for subsequently stepping back to the original openssl.cnf! 7.) Open up a new ssh session to the system under test and watch the login to fail with broken pipe 8.) On the remaining session, run coreumpctl list / coredumpctl dump Userspace tool common name: openssl-ibmca Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x The userspace tool has the following bit modes: 64bit Userspace tool obtained from project website: na ** Description changed: Please consider to accept the integration of this new openssl- ibmca-2.2.3-0ubuntu1 package for jammy under the 'Freeze Exception Process', because: - a severe issue is fixed (sshd core dump while using hw crypto) 6563dd2 ("use correct libica for ibmca_mechaList_test") - another segmentation fault is fixed by: e91e179 ("PKEY: Fix usage of ECX keys") - and since these are the only two fixes between 2.2.2 and 2.2.3: 93a12d3 (tag: v2.2.3) Update to version 2.2.3 6563dd2 use correct libica for ibmca_mechaList_test e91e179 PKEY: Fix usage of ECX keys fae4490 (tag: v2.2.2) Update to version 2.2.2 the version 2.2.3 is a bug-fix only release, and could be acceptable for a FFe (according to https://wiki.ubuntu.com/FreezeExceptionProcess) - But to get the new version compiled (esp. with e91e179) a backport of e59cce5 ("Fix compilation for OpenSSL 3.0") was needed on top. + + - To me it wouldn't make sense to add the 3 commits above to v2.2.2, + since it would then be a package version that's a super-set + of upstream 2.2.3 anyway, hence asking for the FFe. - The package now ships a sample config (as well as the script to generate it, in case one wants/needs to re-generate it). Here is the diff of the upstream ChangeLog: $ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog --- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100 +++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200 @@ -1,3 +1,6 @@ +* openssl-ibmca 2.2.3 +- Fix PKEY segfault with OpenSSL 3.0 + * openssl-ibmca 2.2.2 - Fix tests with OpenSSL 3.0 - Build against libica 4.0 There is no upstream NEWS file (or suchlike - the README.md is unchanged). The buildlog: https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz The installlog: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt The previous link also includes the testing and verification that I did, hence I can confirm that the reported problem is solved. On top a testsuite is executed when the package is build. Local build: ======================================================================== Testsuite summary for openssl-ibmca 2.2.3 ======================================================================== # TOTAL: 34 # PASS: 28 # SKIP: 6 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 0 ======================================================================== PPA: ======================================================================== Testsuite summary for openssl-ibmca 2.2.3 ======================================================================== # TOTAL: 34 # PASS: 26 # SKIP: 8 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 0 ======================================================================== (Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware. (The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems). The openssl-ibmca package is a universe package that is available for s390x only. _________________________ ---Problem Description--- Summary ======= New IBM HW with Crypto Accelerator cards attached Kernel level: 5.14 Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section. The problem only occurs with OpenSSL 3.0 and is immediately reproducible. Details ======= HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read DefaultLimitCORE=infinity:infinity On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt. # openssl engine -c (dynamic) Dynamic engine loading support (ibmca) Ibmca hardware engine support [RSA, DSA, DH] Debug Data ========== core dump file in the attachments. Contact Information = christian.r...@de.ibm.com ---uname output--- Linux system 5.14. ---Debugger--- A debugger is not configured ---Steps to Reproduce--- 1.) Edit /etc/systemd/system.conf file to allow core dumps: Change the line DefaultLimitCORE=0:infinity to read DefaultLimitCORE=infinity:infinity 2.) run: systemctl daemon-reload systemctl restart systemd-coredump.socket 3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script 4.) Edit the /etc/pki/tls file near the end to contain the line to back the ibmca engine by the libica.so.4 library as outlined in the /usr/share/doc/openssl-ibmca/README.md file 5.) Run: openssl engine -c 6.) Keep the current session open for subsequently stepping back to the original openssl.cnf! 7.) Open up a new ssh session to the system under test and watch the login to fail with broken pipe 8.) On the remaining session, run coreumpctl list / coredumpctl dump Userspace tool common name: openssl-ibmca Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x The userspace tool has the following bit modes: 64bit Userspace tool obtained from project website: na -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1967141 Title: [FFe] [UBUNTU 22.04] ibmca engine with libica = libica.so.4 - sshd dumps core (openssl-ibmca) Status in Ubuntu on IBM z Systems: In Progress Status in linux package in Ubuntu: New Bug description: Please consider to accept the integration of this new openssl- ibmca-2.2.3-0ubuntu1 package for jammy under the 'Freeze Exception Process', because: - a severe issue is fixed (sshd core dump while using hw crypto) 6563dd2 ("use correct libica for ibmca_mechaList_test") - another segmentation fault is fixed by: e91e179 ("PKEY: Fix usage of ECX keys") - and since these are the only two fixes between 2.2.2 and 2.2.3: 93a12d3 (tag: v2.2.3) Update to version 2.2.3 6563dd2 use correct libica for ibmca_mechaList_test e91e179 PKEY: Fix usage of ECX keys fae4490 (tag: v2.2.2) Update to version 2.2.2 the version 2.2.3 is a bug-fix only release, and could be acceptable for a FFe (according to https://wiki.ubuntu.com/FreezeExceptionProcess) - But to get the new version compiled (esp. with e91e179) a backport of e59cce5 ("Fix compilation for OpenSSL 3.0") was needed on top. - To me it wouldn't make sense to add the 3 commits above to v2.2.2, since it would then be a package version that's a super-set of upstream 2.2.3 anyway, hence asking for the FFe. - The package now ships a sample config (as well as the script to generate it, in case one wants/needs to re-generate it). Here is the diff of the upstream ChangeLog: $ diff -u openssl-ibmca-2.2.2/ChangeLog openssl-ibmca-2.2.3/ChangeLog --- openssl-ibmca-2.2.2/ChangeLog 2022-01-27 17:23:55.000000000 +0100 +++ openssl-ibmca-2.2.3/ChangeLog 2022-03-31 10:32:20.935374435 +0200 @@ -1,3 +1,6 @@ +* openssl-ibmca 2.2.3 +- Fix PKEY segfault with OpenSSL 3.0 + * openssl-ibmca 2.2.2 - Fix tests with OpenSSL 3.0 - Build against libica 4.0 There is no upstream NEWS file (or suchlike - the README.md is unchanged). The buildlog: https://launchpadlibrarian.net/594086046/buildlog_ubuntu-jammy-s390x.openssl-ibmca_2.2.3-0ubuntu1_BUILDING.txt.gz The installlog: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1967141/+attachment/5575230/+files/install-log_and_virification.txt The previous link also includes the testing and verification that I did, hence I can confirm that the reported problem is solved. On top a testsuite is executed when the package is build. Local build: ======================================================================== Testsuite summary for openssl-ibmca 2.2.3 ======================================================================== # TOTAL: 34 # PASS: 28 # SKIP: 6 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 0 ======================================================================== PPA: ======================================================================== Testsuite summary for openssl-ibmca 2.2.3 ======================================================================== # TOTAL: 34 # PASS: 26 # SKIP: 8 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 0 ======================================================================== (Two more tests are (auto-)skipped when running a PPA build, because the builder does not have access to the s390x crypto hardware. (The other skipped tests are skipped by upstream, since they are known to cause issues on openssl 3 systems). The openssl-ibmca package is a universe package that is available for s390x only. _________________________ ---Problem Description--- Summary ======= New IBM HW with Crypto Accelerator cards attached Kernel level: 5.14 Core dump when configuring the ibmca engine with libica = libica.so.4 in the openssl.cnf file in the engine section. The problem only occurs with OpenSSL 3.0 and is immediately reproducible. Details ======= HINT: To be able to receive core dump files at all it is needed to change the /etc/systemd/system.conf file entry DefaultLimitCORE=0:infinity to read DefaultLimitCORE=infinity:infinity On a system with ibmca engine configured system wide, when trying to use the libica.so.4 to support the ibmca engine the sshd daemon dumps core upon the first login attempt. # openssl engine -c (dynamic) Dynamic engine loading support (ibmca) Ibmca hardware engine support [RSA, DSA, DH] Debug Data ========== core dump file in the attachments. Contact Information = christian.r...@de.ibm.com ---uname output--- Linux system 5.14. ---Debugger--- A debugger is not configured ---Steps to Reproduce--- 1.) Edit /etc/systemd/system.conf file to allow core dumps: Change the line DefaultLimitCORE=0:infinity to read DefaultLimitCORE=infinity:infinity 2.) run: systemctl daemon-reload systemctl restart systemd-coredump.socket 3.) Run the /usr/share/doc/openssl-ibmca/ibmca-engine-opensslconfig perl script 4.) Edit the /etc/pki/tls file near the end to contain the line to back the ibmca engine by the libica.so.4 library as outlined in the /usr/share/doc/openssl-ibmca/README.md file 5.) Run: openssl engine -c 6.) Keep the current session open for subsequently stepping back to the original openssl.cnf! 7.) Open up a new ssh session to the system under test and watch the login to fail with broken pipe 8.) On the remaining session, run coreumpctl list / coredumpctl dump Userspace tool common name: openssl-ibmca Userspace rpm: openssl-ibmca-2.2.2-1.el9.s390x The userspace tool has the following bit modes: 64bit Userspace tool obtained from project website: na To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1967141/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp