[Touch-packages] [Bug 2064284] [NEW] apparmor.service fails because of invalid config
Public bug reported: After upgrading to noble apparmor.service fails on my machine with the following log message: Apr 30 14:28:42 shodan apparmor.systemd[1739]: Restarting AppArmor Apr 30 14:28:42 shodan apparmor.systemd[1739]: Reloading AppArmor profiles Apr 30 14:28:42 shodan apparmor.systemd[1887]: AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.lib.mediascanner-2.0.mediascanner-extractor at line 14: Could not open '/usr/share/apparmor/hardware/audio.d' Apr 30 14:28:42 shodan apparmor.systemd[1739]: Error: At least one profile failed to load Apr 30 14:28:42 shodan apparmor.systemd[2206]: Restarting AppArmor Apr 30 14:28:42 shodan apparmor.systemd[2206]: Reloading AppArmor profiles Apr 30 14:28:42 shodan apparmor.systemd[2334]: AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.lib.mediascanner-2.0.mediascanner-extractor at line 14: Could not open '/usr/share/apparmor/hardware/audio.d' Apr 30 14:28:42 shodan apparmor.systemd[2206]: Error: At least one profile failed to load Apr 30 14:28:41 shodan systemd[1]: Starting apparmor.service - Load AppArmor profiles... Apr 30 14:28:41 shodan systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE Apr 30 14:28:41 shodan systemd[1]: apparmor.service: Failed with result 'exit-code'. Apr 30 14:28:41 shodan systemd[1]: Failed to start apparmor.service - Load AppArmor profiles. Apr 30 14:28:42 shodan systemd[1]: Starting apparmor.service - Load AppArmor profiles... Apr 30 14:28:42 shodan systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE Apr 30 14:28:42 shodan systemd[1]: apparmor.service: Failed with result 'exit-code'. Apr 30 14:28:42 shodan systemd[1]: Failed to start apparmor.service - Load AppArmor profiles. It looks like mediascanner2.0 was installed previously and left behind a bad config. It is not currently installed which explains why /usr/share/apparmor/hardware/audio.d is missing. ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2064284 Title: apparmor.service fails because of invalid config Status in apparmor package in Ubuntu: New Bug description: After upgrading to noble apparmor.service fails on my machine with the following log message: Apr 30 14:28:42 shodan apparmor.systemd[1739]: Restarting AppArmor Apr 30 14:28:42 shodan apparmor.systemd[1739]: Reloading AppArmor profiles Apr 30 14:28:42 shodan apparmor.systemd[1887]: AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.lib.mediascanner-2.0.mediascanner-extractor at line 14: Could not open '/usr/share/apparmor/hardware/audio.d' Apr 30 14:28:42 shodan apparmor.systemd[1739]: Error: At least one profile failed to load Apr 30 14:28:42 shodan apparmor.systemd[2206]: Restarting AppArmor Apr 30 14:28:42 shodan apparmor.systemd[2206]: Reloading AppArmor profiles Apr 30 14:28:42 shodan apparmor.systemd[2334]: AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/usr.lib.mediascanner-2.0.mediascanner-extractor at line 14: Could not open '/usr/share/apparmor/hardware/audio.d' Apr 30 14:28:42 shodan apparmor.systemd[2206]: Error: At least one profile failed to load Apr 30 14:28:41 shodan systemd[1]: Starting apparmor.service - Load AppArmor profiles... Apr 30 14:28:41 shodan systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE Apr 30 14:28:41 shodan systemd[1]: apparmor.service: Failed with result 'exit-code'. Apr 30 14:28:41 shodan systemd[1]: Failed to start apparmor.service - Load AppArmor profiles. Apr 30 14:28:42 shodan systemd[1]: Starting apparmor.service - Load AppArmor profiles... Apr 30 14:28:42 shodan systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE Apr 30 14:28:42 shodan systemd[1]: apparmor.service: Failed with result 'exit-code'. Apr 30 14:28:42 shodan systemd[1]: Failed to start apparmor.service - Load AppArmor profiles. It looks like mediascanner2.0 was installed previously and left behind a bad config. It is not currently installed which explains why /usr/share/apparmor/hardware/audio.d is missing. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2064284/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2062667] Re: Fails on (and should be removed from) raspi desktop
> Was it it more than a red line in systemctl status output? Does it have annoying logging behaviour or break some other service if it isn't running? Red lines and an avoidable boot delay while trying to restart and failing a bunch of times. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu. https://bugs.launchpad.net/bugs/2062667 Title: Fails on (and should be removed from) raspi desktop Status in protection-domain-mapper package in Ubuntu: Confirmed Status in qrtr package in Ubuntu: Confirmed Status in ubuntu-meta package in Ubuntu: Confirmed Bug description: The protection-domain-mapper package (and qrtr-tools) are both installed by default on the Ubuntu Desktop for Raspberry Pi images, thanks to their inclusion in the desktop-minimal seed for arm64. However, there's no hardware that they target on these platforms, and the result is a permanently failed service (pd-mapper.service). It appears these were added to support the X13s laptop [1]. I've attempted to work around the issue by excluding these packages in the desktop-raspi seed (experimentally in my no-pd-mapper branch [2]) but this does not work (the packages still appear in the built images). Ideally, these packages should be moved into a hardware-specific seed for the X13s (and/or whatever other laptops need these things). Alternatively, at a bare minimum, the package should have some conditional that causes the service not to attempt to start when it's not on Qualcomm hardware. [1]: https://git.launchpad.net/~ubuntu-core-dev/ubuntu- seeds/+git/ubuntu/commit/desktop- minimal?id=afe820cd49514896e96d02303298ed873d8d7f8a [2]: https://git.launchpad.net/~waveform/ubuntu- seeds/+git/ubuntu/commit/?id=875bddac19675f7e971f56d9c5d39a9912dc6e38 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/protection-domain-mapper/+bug/2062667/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2062667] Re: Fails on (and should be removed from) raspi desktop
I don't think that's enough since it also gets pulled in by ubuntu- desktop and ubuntu-desktop-minimal as recommends. It would also be nice if we found a solution that fixes the issue on existing installations since upgrades from mantic to noble will trigger the bug. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu. https://bugs.launchpad.net/bugs/2062667 Title: Fails on (and should be removed from) raspi desktop Status in protection-domain-mapper package in Ubuntu: Confirmed Status in qrtr package in Ubuntu: Confirmed Status in ubuntu-meta package in Ubuntu: Confirmed Bug description: The protection-domain-mapper package (and qrtr-tools) are both installed by default on the Ubuntu Desktop for Raspberry Pi images, thanks to their inclusion in the desktop-minimal seed for arm64. However, there's no hardware that they target on these platforms, and the result is a permanently failed service (pd-mapper.service). It appears these were added to support the X13s laptop [1]. I've attempted to work around the issue by excluding these packages in the desktop-raspi seed (experimentally in my no-pd-mapper branch [2]) but this does not work (the packages still appear in the built images). Ideally, these packages should be moved into a hardware-specific seed for the X13s (and/or whatever other laptops need these things). Alternatively, at a bare minimum, the package should have some conditional that causes the service not to attempt to start when it's not on Qualcomm hardware. [1]: https://git.launchpad.net/~ubuntu-core-dev/ubuntu- seeds/+git/ubuntu/commit/desktop- minimal?id=afe820cd49514896e96d02303298ed873d8d7f8a [2]: https://git.launchpad.net/~waveform/ubuntu- seeds/+git/ubuntu/commit/?id=875bddac19675f7e971f56d9c5d39a9912dc6e38 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/protection-domain-mapper/+bug/2062667/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2062667] Re: Fails on (and should be removed from) raspi desktop
Looking at the diff between mantic and noble I think the regression was cause by a change to pd-mapper.service.in for https://bugs.launchpad.net/ubuntu/+source/qrtr/+bug/2054296 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu. https://bugs.launchpad.net/bugs/2062667 Title: Fails on (and should be removed from) raspi desktop Status in protection-domain-mapper package in Ubuntu: Confirmed Status in qrtr package in Ubuntu: Confirmed Status in ubuntu-meta package in Ubuntu: Confirmed Bug description: The protection-domain-mapper package (and qrtr-tools) are both installed by default on the Ubuntu Desktop for Raspberry Pi images, thanks to their inclusion in the desktop-minimal seed for arm64. However, there's no hardware that they target on these platforms, and the result is a permanently failed service (pd-mapper.service). It appears these were added to support the X13s laptop [1]. I've attempted to work around the issue by excluding these packages in the desktop-raspi seed (experimentally in my no-pd-mapper branch [2]) but this does not work (the packages still appear in the built images). Ideally, these packages should be moved into a hardware-specific seed for the X13s (and/or whatever other laptops need these things). Alternatively, at a bare minimum, the package should have some conditional that causes the service not to attempt to start when it's not on Qualcomm hardware. [1]: https://git.launchpad.net/~ubuntu-core-dev/ubuntu- seeds/+git/ubuntu/commit/desktop- minimal?id=afe820cd49514896e96d02303298ed873d8d7f8a [2]: https://git.launchpad.net/~waveform/ubuntu- seeds/+git/ubuntu/commit/?id=875bddac19675f7e971f56d9c5d39a9912dc6e38 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/protection-domain-mapper/+bug/2062667/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2062667] Re: Fails on (and should be removed from) raspi desktop
Can confirm that this is was a major annoyance on my m2 air after upgrading to noble. it seems like this worked better in previous releases. Looking at my logs it seems like it was already installed on mantic but didn't cause startup problems. I think it gets pulled in by being in Recommends for ubuntu-desktop. I'm all for making it device specific instead. IMO there is no point in having it installed on non Qualcomm devices. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu. https://bugs.launchpad.net/bugs/2062667 Title: Fails on (and should be removed from) raspi desktop Status in protection-domain-mapper package in Ubuntu: Confirmed Status in qrtr package in Ubuntu: Confirmed Status in ubuntu-meta package in Ubuntu: Confirmed Bug description: The protection-domain-mapper package (and qrtr-tools) are both installed by default on the Ubuntu Desktop for Raspberry Pi images, thanks to their inclusion in the desktop-minimal seed for arm64. However, there's no hardware that they target on these platforms, and the result is a permanently failed service (pd-mapper.service). It appears these were added to support the X13s laptop [1]. I've attempted to work around the issue by excluding these packages in the desktop-raspi seed (experimentally in my no-pd-mapper branch [2]) but this does not work (the packages still appear in the built images). Ideally, these packages should be moved into a hardware-specific seed for the X13s (and/or whatever other laptops need these things). Alternatively, at a bare minimum, the package should have some conditional that causes the service not to attempt to start when it's not on Qualcomm hardware. [1]: https://git.launchpad.net/~ubuntu-core-dev/ubuntu- seeds/+git/ubuntu/commit/desktop- minimal?id=afe820cd49514896e96d02303298ed873d8d7f8a [2]: https://git.launchpad.net/~waveform/ubuntu- seeds/+git/ubuntu/commit/?id=875bddac19675f7e971f56d9c5d39a9912dc6e38 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/protection-domain-mapper/+bug/2062667/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2054609] Re: package ntp Jammy 1:4.2.8p15+dfsg-1ubuntu2 failed to install/upgrade: installed ntp package post-installation script subprocess returned error exit status 1
The reason for the crash is that ntp uses an outdated OpenSSL API to use MD5 despite it normally being blocked in FIPS mode. This particular API has been deprecated with OpenSSL 3 which we ship in Jammy. This could be mitigated by switching to a newer OpenSSL API, but ntp also seems to be on life support, is only available via Universe and was removed for 24.04. I would recommend switching to another ntp implementation such as chrony which is in main. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/2054609 Title: package ntp Jammy 1:4.2.8p15+dfsg-1ubuntu2 failed to install/upgrade: installed ntp package post-installation script subprocess returned error exit status 1 Status in ntp package in Ubuntu: Confirmed Bug description: ntp postinstall attempts to perform a MD5 sum, which is a no-no with FIPS. I have not encountered this bug on previous LTS versions of Ubuntu with FIPS. Description: Ubuntu 22.04.4 LTS Release: 22.04 ntp: Installed: 1:4.2.8p15+dfsg-1ubuntu2 Candidate: 1:4.2.8p15+dfsg-1ubuntu2 Version table: *** 1:4.2.8p15+dfsg-1ubuntu2 500 500 file:/home... 100 /var/libdpkg/status [Actions performed] I attempted to install ntp onto jammy 22.04.4 LTS with FIPS. $ sudo pro attach key-goes-here $ sudo pro enable fips-updates $ reboot --after reboot-- $ sudo apt update $ sudo apt install ntp [What you expected to happen] ntp tool installs prior to personal configuration, does not report anything in red [What happened instead] Job for ntp.service failed because the control process exited with error code. [...] Feb 21 15:53:32 user ntpd[35638]: MD5 init failed Feb 21 15:53:32 user ntpd[35632]: daemon child exited with code 1 --- ProblemType: Bug ApportVersion: 2.20.11-0ubuntu82.3 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: ubuntu:GNOME DistroRelease: Ubuntu 22.04 InstallationDate: Installed on 2024-02-25 (0 days ago) InstallationMedia: Ubuntu 22.04.2 LTS "Jammy Jellyfish" - Release amd64+intel-iot (20230316.2) NtpStatus: ntpq: read: Connection refused Package: ntp 1:4.2.8p15+dfsg-1ubuntu2 PackageArchitecture: amd64 ProcCmdline: BOOT_IMAGE=/boot/vmlinuz-5.15.0-97-fips root=UUID=f8b9334a-bf79-4a19-8e05-461a4c1a2e4c ro quiet splash fips=1 vt.handoff=7 ProcEnviron: TERM=xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash ProcVersionSignature: Ubuntu 5.15.0-97.107+fips1-fips 5.15.136 Tags: wayland-session jammy third-party-packages Uname: Linux 5.15.0-97-fips x86_64 UpgradeStatus: No upgrade log present (probably fresh install) UserGroups: adm cdrom dip lpadmin lxd plugdev sambashare sudo _MarkForUpload: True To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/2054609/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2057927] [NEW] lxd vga console throws "Operation not permitted" error
Public bug reported: Since I upgraded to Noble the lxd vga console doesn't work anymore. I am using the lxd latest/stable snap (5.20-f3dd836). When trying to attach a vga console to an lxd vm I get: unshare: write failed /proc/self/uid_map: Operation not permitted It seems to be related to apparmor, I can see a matching DENIAL message in dmesg: [ 4735.233989] audit: type=1400 audit(1710419600.517:300): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=13157 comm="unshare" capability=21 capname="sys_admin" ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Affects: lxd (Ubuntu) Importance: Undecided Status: New ** Also affects: apparmor (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2057927 Title: lxd vga console throws "Operation not permitted" error Status in apparmor package in Ubuntu: New Status in lxd package in Ubuntu: New Bug description: Since I upgraded to Noble the lxd vga console doesn't work anymore. I am using the lxd latest/stable snap (5.20-f3dd836). When trying to attach a vga console to an lxd vm I get: unshare: write failed /proc/self/uid_map: Operation not permitted It seems to be related to apparmor, I can see a matching DENIAL message in dmesg: [ 4735.233989] audit: type=1400 audit(1710419600.517:300): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=13157 comm="unshare" capability=21 capname="sys_admin" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2057927/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2056593] Re: [FFE] FIPS compatibility patches
Adding a few more details as requested by Adrien. I used lxd to run the autopkgtest, in particular: # Build lxd image /usr/bin/autopkgtest-build-lxd ubuntu-daily:noble # Run autopkgtest -s --apt-pocket=proposed ./openssl_3.0.13-1ubuntu2.dsc -- lxd autopkgtest/ubuntu/noble/amd64 It is quite easy to verify OpenSSL doesn't accidentally enable FIPS mode on non fips_enabled machines. 1. openssl speed will skip non-compliant alorithms in FIPS mode, if it starts with md5 OpenSSL is not in FIPS mode. 2. Using OPENSSL_FORCE_FIPS_MODE=1 FIPS mode can be enforced resulting in an error if the FIPS provider is not installed. Similarly OPENSSL_FORCE_FIPS_MODE=0 can be used to force disable FIPS mode on a fips_enabled kernel -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/2056593 Title: [FFE] FIPS compatibility patches Status in openssl package in Ubuntu: New Bug description: We have an open MR with a handful of FIPS compatibilty changes we wore hoping to get into 24.04. The main purpose of the changes is to detect whether the kernel is running in FIPS mode and adjust the behavior of the library accordingly by loading the correct provider backend and using defaults that are FIPS compliant (no md5, DES etc) instead trying to use non-compliant code paths and crashing. The proposed patches were taken from the OpenSSL version shipped in the FIPS archive at esm.ubuntu.com for 22.04. Having them in the regular archive will reduce the maintenance work significantly. None of the changes should have any impact on running OpenSSL in regular (non-fips) mode. Below is a detailed list of the changes: - d/p/fips/crypto-Add-kernel-FIPS-mode-detection.patch: This adds a new internal API to determine whether the kernel has been booted in FIPS mode. This can be overridden with the OPENSSL_FORCE_FIPS_MODE environment variable. OPENSSL_FIPS_MODE_SWITCH_PATH can be used to specify an alternative path for the fips_enabled file and is used in tests. The FIPS_MODULE switch can be used to enable build of the the FIPS provider module specific parts which are not needed in the OpenSSL library itself. - d/p/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch: This automatically configures all library contexts to use the FIPS provider when the kernel is booted in FIPS mode by: - Setting "fips=yes" as the default property for algorithm fetches - Loading and activating the FIPS provider as the fallback provider. If applications load providers via a configuration either because the default configuration is modified or they override the default configuration, this disables loading of the fallback providers. In this case, the configuration must load the FIPS provider when FIPS mode is enabled, else algorithm fetches will fail Applications can choose to use non-FIPS approved algorithms by specifying the "-fips" or "fips=no" property for algorithm fetches and loading the default provider. - d/p/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch: Omit unavailable algorithms in FIPS mode - d/p/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch The -propquery argument might be used to define a preference for which provider an algorithm is fetched from. Set the query properties for the library context DRBG fetches as well so that they are fetched with the same properties. - d/p/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch: This test uses 2 library contexts - one context for creating initial test keys, and then another context (or the default context) for running tests. There is an issue that during the encoding tests, the OSSL_ENCODER_CTX is created from the created EVP_PKEYs, which are associated with the library context used to create the keys. This means that encoding tests run with the wrong library context, which always uses the default provider. The link for the MR is at https://code.launchpad.net/~tobhe/ubuntu/+source/openssl/+git/openssl/+merge/460953 Since OpenSSL just received another big update to 3.0.13 we had to rebase our changes and will have to rerun our install/upgrade tests. A test build is also available at https://launchpad.net/~tobhe/+archive/ubuntu/openssl-test/ To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2056593/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2056593] Re: [FFE] FIPS compatibility patches
As promised, here are some more details on how I tested: - been running autopkgtest locally and made sure they pass (log attached) - installed it on my local development machine to see if anything breaks - tested the upgrade in a lxd container, made sure openssl speed works and does the right thing - built and installer a FIPS provider for 24.04 and made sure everything still works when forcing FIPS mode ** Attachment added: "autopkgtest log" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2056593/+attachment/5755541/+files/log -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/2056593 Title: [FFE] FIPS compatibility patches Status in openssl package in Ubuntu: New Bug description: We have an open MR with a handful of FIPS compatibilty changes we wore hoping to get into 24.04. The main purpose of the changes is to detect whether the kernel is running in FIPS mode and adjust the behavior of the library accordingly by loading the correct provider backend and using defaults that are FIPS compliant (no md5, DES etc) instead trying to use non-compliant code paths and crashing. The proposed patches were taken from the OpenSSL version shipped in the FIPS archive at esm.ubuntu.com for 22.04. Having them in the regular archive will reduce the maintenance work significantly. None of the changes should have any impact on running OpenSSL in regular (non-fips) mode. Below is a detailed list of the changes: - d/p/fips/crypto-Add-kernel-FIPS-mode-detection.patch: This adds a new internal API to determine whether the kernel has been booted in FIPS mode. This can be overridden with the OPENSSL_FORCE_FIPS_MODE environment variable. OPENSSL_FIPS_MODE_SWITCH_PATH can be used to specify an alternative path for the fips_enabled file and is used in tests. The FIPS_MODULE switch can be used to enable build of the the FIPS provider module specific parts which are not needed in the OpenSSL library itself. - d/p/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch: This automatically configures all library contexts to use the FIPS provider when the kernel is booted in FIPS mode by: - Setting "fips=yes" as the default property for algorithm fetches - Loading and activating the FIPS provider as the fallback provider. If applications load providers via a configuration either because the default configuration is modified or they override the default configuration, this disables loading of the fallback providers. In this case, the configuration must load the FIPS provider when FIPS mode is enabled, else algorithm fetches will fail Applications can choose to use non-FIPS approved algorithms by specifying the "-fips" or "fips=no" property for algorithm fetches and loading the default provider. - d/p/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch: Omit unavailable algorithms in FIPS mode - d/p/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch The -propquery argument might be used to define a preference for which provider an algorithm is fetched from. Set the query properties for the library context DRBG fetches as well so that they are fetched with the same properties. - d/p/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch: This test uses 2 library contexts - one context for creating initial test keys, and then another context (or the default context) for running tests. There is an issue that during the encoding tests, the OSSL_ENCODER_CTX is created from the created EVP_PKEYs, which are associated with the library context used to create the keys. This means that encoding tests run with the wrong library context, which always uses the default provider. The link for the MR is at https://code.launchpad.net/~tobhe/ubuntu/+source/openssl/+git/openssl/+merge/460953 Since OpenSSL just received another big update to 3.0.13 we had to rebase our changes and will have to rerun our install/upgrade tests. A test build is also available at https://launchpad.net/~tobhe/+archive/ubuntu/openssl-test/ To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2056593/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2056593] Re: [FFE] FIPS compatibility patches
** Attachment added: "apt install log from fresh noble lxd container" https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2056593/+attachment/5754146/+files/openssl_3.0.13-1ubuntu2_install.log -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/2056593 Title: [FFE] FIPS compatibility patches Status in openssl package in Ubuntu: New Bug description: We have an open MR with a handful of FIPS compatibilty changes we wore hoping to get into 24.04. The main purpose of the changes is to detect whether the kernel is running in FIPS mode and adjust the behavior of the library accordingly by loading the correct provider backend and using defaults that are FIPS compliant (no md5, DES etc) instead trying to use non-compliant code paths and crashing. The proposed patches were taken from the OpenSSL version shipped in the FIPS archive at esm.ubuntu.com for 22.04. Having them in the regular archive will reduce the maintenance work significantly. None of the changes should have any impact on running OpenSSL in regular (non-fips) mode. Below is a detailed list of the changes: - d/p/fips/crypto-Add-kernel-FIPS-mode-detection.patch: This adds a new internal API to determine whether the kernel has been booted in FIPS mode. This can be overridden with the OPENSSL_FORCE_FIPS_MODE environment variable. OPENSSL_FIPS_MODE_SWITCH_PATH can be used to specify an alternative path for the fips_enabled file and is used in tests. The FIPS_MODULE switch can be used to enable build of the the FIPS provider module specific parts which are not needed in the OpenSSL library itself. - d/p/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch: This automatically configures all library contexts to use the FIPS provider when the kernel is booted in FIPS mode by: - Setting "fips=yes" as the default property for algorithm fetches - Loading and activating the FIPS provider as the fallback provider. If applications load providers via a configuration either because the default configuration is modified or they override the default configuration, this disables loading of the fallback providers. In this case, the configuration must load the FIPS provider when FIPS mode is enabled, else algorithm fetches will fail Applications can choose to use non-FIPS approved algorithms by specifying the "-fips" or "fips=no" property for algorithm fetches and loading the default provider. - d/p/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch: Omit unavailable algorithms in FIPS mode - d/p/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch The -propquery argument might be used to define a preference for which provider an algorithm is fetched from. Set the query properties for the library context DRBG fetches as well so that they are fetched with the same properties. - d/p/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch: This test uses 2 library contexts - one context for creating initial test keys, and then another context (or the default context) for running tests. There is an issue that during the encoding tests, the OSSL_ENCODER_CTX is created from the created EVP_PKEYs, which are associated with the library context used to create the keys. This means that encoding tests run with the wrong library context, which always uses the default provider. The link for the MR is at https://code.launchpad.net/~tobhe/ubuntu/+source/openssl/+git/openssl/+merge/460953 Since OpenSSL just received another big update to 3.0.13 we had to rebase our changes and will have to rerun our install/upgrade tests. A test build is also available at https://launchpad.net/~tobhe/+archive/ubuntu/openssl-test/ To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2056593/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2056593] [NEW] [FFE] FIPS compatibility patches
Public bug reported: We have an open MR with a handful of FIPS compatibilty changes we wore hoping to get into 24.04. The main purpose of the changes is to detect whether the kernel is running in FIPS mode and adjust the behavior of the library accordingly by loading the correct provider backend and using defaults that are FIPS compliant (no md5, DES etc) instead trying to use non-compliant code paths and crashing. The proposed patches were taken from the OpenSSL version shipped in the FIPS archive at esm.ubuntu.com for 22.04. Having them in the regular archive will reduce the maintenance work significantly. None of the changes should have any impact on running OpenSSL in regular (non-fips) mode. Below is a detailed list of the changes: - d/p/fips/crypto-Add-kernel-FIPS-mode-detection.patch: This adds a new internal API to determine whether the kernel has been booted in FIPS mode. This can be overridden with the OPENSSL_FORCE_FIPS_MODE environment variable. OPENSSL_FIPS_MODE_SWITCH_PATH can be used to specify an alternative path for the fips_enabled file and is used in tests. The FIPS_MODULE switch can be used to enable build of the the FIPS provider module specific parts which are not needed in the OpenSSL library itself. - d/p/fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch: This automatically configures all library contexts to use the FIPS provider when the kernel is booted in FIPS mode by: - Setting "fips=yes" as the default property for algorithm fetches - Loading and activating the FIPS provider as the fallback provider. If applications load providers via a configuration either because the default configuration is modified or they override the default configuration, this disables loading of the fallback providers. In this case, the configuration must load the FIPS provider when FIPS mode is enabled, else algorithm fetches will fail Applications can choose to use non-FIPS approved algorithms by specifying the "-fips" or "fips=no" property for algorithm fetches and loading the default provider. - d/p/fips/apps-speed-Omit-unavailable-algorithms-in-FIPS-mode.patch: Omit unavailable algorithms in FIPS mode - d/p/fips/apps-pass-propquery-arg-to-the-libctx-DRBG-fetches.patch The -propquery argument might be used to define a preference for which provider an algorithm is fetched from. Set the query properties for the library context DRBG fetches as well so that they are fetched with the same properties. - d/p/fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch: This test uses 2 library contexts - one context for creating initial test keys, and then another context (or the default context) for running tests. There is an issue that during the encoding tests, the OSSL_ENCODER_CTX is created from the created EVP_PKEYs, which are associated with the library context used to create the keys. This means that encoding tests run with the wrong library context, which always uses the default provider. The link for the MR is at https://code.launchpad.net/~tobhe/ubuntu/+source/openssl/+git/openssl/+merge/460953 Since OpenSSL just received another big update to 3.0.13 we had to rebase our changes and will have to rerun our install/upgrade tests. A test build is also available at https://launchpad.net/~tobhe/+archive/ubuntu/openssl-test/ ** Affects: openssl (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/2056593 Title: [FFE] FIPS compatibility patches Status in openssl package in Ubuntu: New Bug description: We have an open MR with a handful of FIPS compatibilty changes we wore hoping to get into 24.04. The main purpose of the changes is to detect whether the kernel is running in FIPS mode and adjust the behavior of the library accordingly by loading the correct provider backend and using defaults that are FIPS compliant (no md5, DES etc) instead trying to use non-compliant code paths and crashing. The proposed patches were taken from the OpenSSL version shipped in the FIPS archive at esm.ubuntu.com for 22.04. Having them in the regular archive will reduce the maintenance work significantly. None of the changes should have any impact on running OpenSSL in regular (non-fips) mode. Below is a detailed list of the changes: - d/p/fips/crypto-Add-kernel-FIPS-mode-detection.patch: This adds a new internal API to determine whether the kernel has been booted in FIPS mode. This can be overridden with the OPENSSL_FORCE_FIPS_MODE environment variable. OPENSSL_FIPS_MODE_SWITCH_PATH can be used to specify an alternative path for the fips_enabled file and is used in tests. The FIPS_MODULE switch can be used to enable build of the the FIPS provider module specific parts which are not needed i
[Touch-packages] [Bug 2004039] Re: libunwind 1.6.2-0 assumes 4k page sizes and crashes on systems with bigger page sizes
The detected regression looks like a false-positive caused by another dependency. The reported error is `/bin/sh: 1: python: not found` which does not seem to be caused by the changes in libunwind. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libunwind in Ubuntu. https://bugs.launchpad.net/bugs/2004039 Title: libunwind 1.6.2-0 assumes 4k page sizes and crashes on systems with bigger page sizes Status in libunwind package in Ubuntu: Fix Released Status in libunwind source package in Kinetic: Fix Committed Bug description: [ Impact ] * On kernels with page size > 4K Xorg (and presumably other applications relying on libunwind) crashes on startup. This affects anyone running the official arm64 generic-64k kernel or custom non 4k kernels (as used by e.g. apple silicon). The exact error I am seeing in the logs is: Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) 0: /usr/lib/xorg/Xorg (OsLookupColor+0x188) [0xaaab456ca998] Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) unw_get_proc_info failed: no unwind info found [-10] Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Segmentation fault at address 0x0 Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: Fatal server error: Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Caught signal 11 (Segmentation fault). Server aborting Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: Please consult the The X.Org Foundation support Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: at http://wiki.x.org Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: for help. Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) I have not found a workaround other than using wayland (which has other limitations). To reproduce use a kernel configured with a page size of 16K (CONFIG_ARM64_16K_PAGES=y or CONFIG_ARM64_64K_PAGES=y or) and try to start "Ubuntu on Xorg" in gdm. [ Test Plan ] * Make sure Xorg doesn't crash on 4K, 16K and 64K kernels. [ Where problems could occur ] * We will have to make sure the fixed version still works with 4k kernels. The patch is already widely in use so the risk seems low if we test properly. [ Other Info ] * The lunar version ships the bug fix synced from debian * Debian bug: https://bugs.debian.org/cgi- bin/bugreport.cgi?bug=1026217 * Upstream fix: https://github.com/libunwind/libunwind/commit/e85b65cec757ef589f28957d0c6c21c498a03bdf To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libunwind/+bug/2004039/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2004039] Re: libunwind 1.6.2-0 assumes 4k page sizes and crashes on systems with bigger page sizes
I have installed libunwind=1.6.2-0ubuntu1.1 on my 16K page arm machine and verified that the xorg crash is indeed fixed with this version. To make sure it also does not negatively affect other hardware configurations I also tested on my amd64 desktop and found that everything still works without regressions after the update. To test the functionality of the library I installed libunwind-dev=1.6.2-0ubuntu1.1 and ran the libunwind examples from https://github.com/daniel-thompson/libunwind-examples The results look good: $USER:~/libunwind-examples$ ./unwind-local 0x55d35d0d644c: (cmp+0xe) 0x7f927ac3d33c: (bsearch+0x5c) 0x55d35d0d61fc: (main+0x5c) 0x7f927ac23510: (__libc_init_first+0x90) 0x7f927ac235c9: (__libc_start_main+0x89) 0x55d35d0d6245: (_start+0x25) ** Tags removed: verification-needed-kinetic ** Tags added: verification-done-kinetic -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libunwind in Ubuntu. https://bugs.launchpad.net/bugs/2004039 Title: libunwind 1.6.2-0 assumes 4k page sizes and crashes on systems with bigger page sizes Status in libunwind package in Ubuntu: Fix Released Status in libunwind source package in Kinetic: Fix Committed Bug description: [ Impact ] * On kernels with page size > 4K Xorg (and presumably other applications relying on libunwind) crashes on startup. This affects anyone running the official arm64 generic-64k kernel or custom non 4k kernels (as used by e.g. apple silicon). The exact error I am seeing in the logs is: Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) 0: /usr/lib/xorg/Xorg (OsLookupColor+0x188) [0xaaab456ca998] Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) unw_get_proc_info failed: no unwind info found [-10] Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Segmentation fault at address 0x0 Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: Fatal server error: Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Caught signal 11 (Segmentation fault). Server aborting Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: Please consult the The X.Org Foundation support Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: at http://wiki.x.org Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: for help. Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) I have not found a workaround other than using wayland (which has other limitations). To reproduce use a kernel configured with a page size of 16K (CONFIG_ARM64_16K_PAGES=y or CONFIG_ARM64_64K_PAGES=y or) and try to start "Ubuntu on Xorg" in gdm. [ Test Plan ] * Make sure Xorg doesn't crash on 4K, 16K and 64K kernels. [ Where problems could occur ] * We will have to make sure the fixed version still works with 4k kernels. The patch is already widely in use so the risk seems low if we test properly. [ Other Info ] * The lunar version ships the bug fix synced from debian * Debian bug: https://bugs.debian.org/cgi- bin/bugreport.cgi?bug=1026217 * Upstream fix: https://github.com/libunwind/libunwind/commit/e85b65cec757ef589f28957d0c6c21c498a03bdf To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libunwind/+bug/2004039/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2004039] Re: libunwind 1.6.2-0 assumes 4k page sizes and crashes on systems with bigger page sizes
New diff as requested by @tsimonq2. I changed the version to 1.6.2-0ubuntu1.1 and added a DEP-3 header instead of taking the unmodified patch from lunar as I did previously. ** Patch removed: "kinetic-fix" https://bugs.launchpad.net/ubuntu/kinetic/+source/libunwind/+bug/2004039/+attachment/5643674/+files/libunwind_1.6.2-0ubuntu2.debdiff ** Patch added: "libunwind_1.6.2-0ubuntu1.1.debdiff" https://bugs.launchpad.net/ubuntu/kinetic/+source/libunwind/+bug/2004039/+attachment/5643965/+files/libunwind_1.6.2-0ubuntu1.1.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libunwind in Ubuntu. https://bugs.launchpad.net/bugs/2004039 Title: libunwind 1.6.2-0 assumes 4k page sizes and crashes on systems with bigger page sizes Status in libunwind package in Ubuntu: New Status in libunwind source package in Kinetic: New Bug description: [ Impact ] * On kernels with page size > 4K Xorg (and presumably other applications relying on libunwind) crashes on startup. This affects anyone running the official arm64 generic-64k kernel or custom non 4k kernels (as used by e.g. apple silicon). The exact error I am seeing in the logs is: Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) 0: /usr/lib/xorg/Xorg (OsLookupColor+0x188) [0xaaab456ca998] Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) unw_get_proc_info failed: no unwind info found [-10] Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Segmentation fault at address 0x0 Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: Fatal server error: Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Caught signal 11 (Segmentation fault). Server aborting Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: Please consult the The X.Org Foundation support Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: at http://wiki.x.org Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: for help. Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) I have not found a workaround other than using wayland (which has other limitations). To reproduce use a kernel configured with a page size of 16K (CONFIG_ARM64_16K_PAGES=y or CONFIG_ARM64_64K_PAGES=y or) and try to start "Ubuntu on Xorg" in gdm. [ Test Plan ] * Make sure Xorg doesn't crash on 4K, 16K and 64K kernels. [ Where problems could occur ] * We will have to make sure the fixed version still works with 4k kernels. The patch is already widely in use so the risk seems low if we test properly. [ Other Info ] * The lunar version ships the bug fix synced from debian * Debian bug: https://bugs.debian.org/cgi- bin/bugreport.cgi?bug=1026217 * Upstream fix: https://github.com/libunwind/libunwind/commit/e85b65cec757ef589f28957d0c6c21c498a03bdf To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libunwind/+bug/2004039/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2004039] Re: libunwind 1.6.2-0 assumes 4k page sizes and crashes on systems with bigger page sizes
** Description changed: [ Impact ] - * On kernels with page size > 4K xorg (and presumably other applications -relying on libunwind) crashes on startup. This affects anyone -running the official arm64 generic-64k kernel or custom non 4k kernels -(as used by e.g. apple silicon). + * On kernels with page size > 4K Xorg (and presumably other applications + relying on libunwind) crashes on startup. This affects anyone + running the official arm64 generic-64k kernel or custom non 4k kernels + (as used by e.g. apple silicon). + +The exact error I am seeing in the logs is: + + Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) 0: /usr/lib/xorg/Xorg (OsLookupColor+0x188) [0xaaab456ca998] + Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) unw_get_proc_info failed: no unwind info found [-10] + Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) + Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Segmentation fault at address 0x0 + Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) + Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: Fatal server error: + Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Caught signal 11 (Segmentation fault). Server aborting + Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) + Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) + Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: Please consult the The X.Org Foundation support + Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: at http://wiki.x.org + Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: for help. + Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) + + I have not found a workaround other than using wayland (which has other + limitations). To reproduce use a kernel configured with a page size of + 16K (CONFIG_ARM64_16K_PAGES=y or CONFIG_ARM64_64K_PAGES=y or) and try + to start "Ubuntu on Xorg" in gdm. [ Test Plan ] - * Make sure Xorg works on a variety of different archs and kernels with -different page sizes. + * Make sure Xorg doesn't crash on 4K, 16K and 64K kernels. [ Where problems could occur ] - * We will have to make sure the fixed version still works with 4k -kernels. The patch is already widely in use so the risk seems low if -we test properly. + * We will have to make sure the fixed version still works with 4k + kernels. The patch is already widely in use so the risk seems low if + we test properly. [ Other Info ] - - * The lunar version ships the bug fix synced from debian - - * Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026217 - * Upstream fix: + * The lunar version ships the bug fix synced from debian + + * Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026217 + + * Upstream fix: https://github.com/libunwind/libunwind/commit/e85b65cec757ef589f28957d0c6c21c498a03bdf -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libunwind in Ubuntu. https://bugs.launchpad.net/bugs/2004039 Title: libunwind 1.6.2-0 assumes 4k page sizes and crashes on systems with bigger page sizes Status in libunwind package in Ubuntu: New Status in libunwind source package in Kinetic: New Bug description: [ Impact ] * On kernels with page size > 4K Xorg (and presumably other applications relying on libunwind) crashes on startup. This affects anyone running the official arm64 generic-64k kernel or custom non 4k kernels (as used by e.g. apple silicon). The exact error I am seeing in the logs is: Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) 0: /usr/lib/xorg/Xorg (OsLookupColor+0x188) [0xaaab456ca998] Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) unw_get_proc_info failed: no unwind info found [-10] Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Segmentation fault at address 0x0 Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: Fatal server error: Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Caught signal 11 (Segmentation fault). Server aborting Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: Please consult the The X.Org Foundation support Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: at http://wiki.x.org Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: for help. Jan 30 11:16:20 ubuntu /usr/libexec/gdm-x-session[3199]: (EE) I have not found a workaround other than using wayland (which has other limitations). To reproduce use a kernel configured with a page siz
[Touch-packages] [Bug 2004039] Re: libunwind 1.6.2-0 assumes 4k page sizes and crashes on systems with bigger page sizes
** Description changed: - The libunwind version we ship in kinetic crahes on arm64 platforms with page sizes > 4k. - This was fixed in libunwind upstream. The fix made it into the debian version synced to lunar. + [ Impact ] - Debian bug report at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026217 - Upstream commit: https://github.com/libunwind/libunwind/commit/2d004eafc77f3c6a4bd9a44b1c35735273fd4e97 + * On kernels with page size > 4K xorg (and presumably other applications +relying on libunwind) crashes on startup. This affects anyone +running the official arm64 generic-64k kernel or custom non 4k kernels +(as used by e.g. apple silicon). + + [ Test Plan ] + + * Make sure Xorg works on a variety of different archs and kernels with +different page sizes. + + [ Where problems could occur ] + + * We will have to make sure the fixed version still works with 4k +kernels. The patch is already widely in use so the risk seems low if +we test properly. + + [ Other Info ] + + * The lunar version ships the bug fix synced from debian + + * Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026217 + + * Upstream fix: + https://github.com/libunwind/libunwind/commit/e85b65cec757ef589f28957d0c6c21c498a03bdf -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libunwind in Ubuntu. https://bugs.launchpad.net/bugs/2004039 Title: libunwind 1.6.2-0 assumes 4k page sizes and crashes on systems with bigger page sizes Status in libunwind package in Ubuntu: New Status in libunwind source package in Kinetic: New Bug description: [ Impact ] * On kernels with page size > 4K xorg (and presumably other applications relying on libunwind) crashes on startup. This affects anyone running the official arm64 generic-64k kernel or custom non 4k kernels (as used by e.g. apple silicon). [ Test Plan ] * Make sure Xorg works on a variety of different archs and kernels with different page sizes. [ Where problems could occur ] * We will have to make sure the fixed version still works with 4k kernels. The patch is already widely in use so the risk seems low if we test properly. [ Other Info ] * The lunar version ships the bug fix synced from debian * Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026217 * Upstream fix: https://github.com/libunwind/libunwind/commit/e85b65cec757ef589f28957d0c6c21c498a03bdf To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libunwind/+bug/2004039/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2004039] Re: libunwind 1.6.2-0 assumes 4k page sizes and crashes on systems with bigger page sizes
Attached is a debdiff with the backported fix from lunar ** Patch added: "kinetic-fix" https://bugs.launchpad.net/ubuntu/+source/libunwind/+bug/2004039/+attachment/5643674/+files/libunwind_1.6.2-0ubuntu2.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libunwind in Ubuntu. https://bugs.launchpad.net/bugs/2004039 Title: libunwind 1.6.2-0 assumes 4k page sizes and crashes on systems with bigger page sizes Status in libunwind package in Ubuntu: New Status in libunwind source package in Kinetic: New Bug description: The libunwind version we ship in kinetic crahes on arm64 platforms with page sizes > 4k. This was fixed in libunwind upstream. The fix made it into the debian version synced to lunar. Debian bug report at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026217 Upstream commit: https://github.com/libunwind/libunwind/commit/2d004eafc77f3c6a4bd9a44b1c35735273fd4e97 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libunwind/+bug/2004039/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2004039] Re: libunwind 1.6.2-0 assumes 4k page sizes and crashes on systems with bigger page sizes
** Also affects: libunwind (Ubuntu Jammy) Importance: Undecided Status: New ** No longer affects: libunwind (Ubuntu Jammy) ** Also affects: libunwind (Ubuntu Kinetic) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libunwind in Ubuntu. https://bugs.launchpad.net/bugs/2004039 Title: libunwind 1.6.2-0 assumes 4k page sizes and crashes on systems with bigger page sizes Status in libunwind package in Ubuntu: New Status in libunwind source package in Kinetic: New Bug description: The libunwind version we ship in kinetic crahes on arm64 platforms with page sizes > 4k. This was fixed in libunwind upstream. The fix made it into the debian version synced to lunar. Debian bug report at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026217 Upstream commit: https://github.com/libunwind/libunwind/commit/2d004eafc77f3c6a4bd9a44b1c35735273fd4e97 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libunwind/+bug/2004039/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2004039] [NEW] libunwind 1.6.2-0 assumes 4k page sizes and crashes on systems with bigger page sizes
Public bug reported: The libunwind version we ship in kinetic crahes on arm64 platforms with page sizes > 4k. This was fixed in libunwind upstream. The fix made it into the debian version synced to lunar. Debian bug report at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026217 Upstream commit: https://github.com/libunwind/libunwind/commit/2d004eafc77f3c6a4bd9a44b1c35735273fd4e97 ** Affects: libunwind (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libunwind in Ubuntu. https://bugs.launchpad.net/bugs/2004039 Title: libunwind 1.6.2-0 assumes 4k page sizes and crashes on systems with bigger page sizes Status in libunwind package in Ubuntu: New Bug description: The libunwind version we ship in kinetic crahes on arm64 platforms with page sizes > 4k. This was fixed in libunwind upstream. The fix made it into the debian version synced to lunar. Debian bug report at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026217 Upstream commit: https://github.com/libunwind/libunwind/commit/2d004eafc77f3c6a4bd9a44b1c35735273fd4e97 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libunwind/+bug/2004039/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1973642] Re: [REGRESSION] Unable to connect to EAP-TLS networks
** Changed in: network-manager (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1973642 Title: [REGRESSION] Unable to connect to EAP-TLS networks Status in network-manager package in Ubuntu: Confirmed Bug description: Fresh install of Xubuntu 22.04, currently with network-manager 1.36.4-2ubuntu1 Attempting to connect to an EAP-TLS network fails with: NetworkManager[703]: [1652732829.9142] device (wlp0s12f0): Activation: (wifi) connection 'AP' has security, and secrets exist. No new secrets needed. NetworkManager[703]: [1652732829.9143] Config: added 'ssid' value 'AP' NetworkManager[703]: [1652732829.9143] Config: added 'scan_ssid' value '1' NetworkManager[703]: [1652732829.9144] Config: added 'bgscan' value 'simple:30:-65:300' NetworkManager[703]: [1652732829.9144] Config: added 'key_mgmt' value 'WPA-EAP FT-EAP FT-EAP-SHA384 WPA-EAP-SHA256' NetworkManager[703]: [1652732829.9144] Config: added 'eap' value 'TLS' NetworkManager[703]: [1652732829.9144] Config: added 'fragment_size' value '1266' NetworkManager[703]: [1652732829.9144] Config: added 'ca_cert' value '' NetworkManager[703]: [1652732829.9144] Config: added 'domain_suffix_match' value '' NetworkManager[703]: [1652732829.9145] Config: added 'private_key' value '.key' NetworkManager[703]: [1652732829.9145] Config: added 'private_key_passwd' value '' NetworkManager[703]: [1652732829.9145] Config: added 'client_cert' value '.crt' NetworkManager[703]: [1652732829.9145] Config: added 'identity' value '' NetworkManager[703]: [1652732829.9146] Config: added 'proactive_key_caching' value '1' NetworkManager[703]: [1652732829.9178] sup-iface[c392e32eb812390f,0,wlp0s12f0]: assoc[473f0d33ad3574e9]: failure to add network: invalid message format NetworkManager[703]: [1652732829.9179] device (wlp0s12f0): state change: config -> failed (reason 'supplicant-failed', sys-iface-state: 'managed') Caused by NM providing an empty domain_suffix_match option Upstream commit fixing this (also attached): https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/8df79f60d616e183257ae1a2c2b48beaf29e5eec Upstream bug report: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/973 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1973642/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1966886] Re: ssh-copy-id and Dropbear Server
I don't know much about dropbear but from your explanation it does indeed sound like this is an upstream OpenSSH bug that should be reported at https://bugzilla.mindrot.org/. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1966886 Title: ssh-copy-id and Dropbear Server Status in openssh package in Ubuntu: New Bug description: on Dropbear SSH Servers ssh-copy-id installs the key in /etc/dropbear/authorized_keys only the openwrt dropbear server uses that path https://github.com/openwrt/openwrt/blob/2211ee0037764e1c6b1576fe7a0975722cd4acdc/package/network/services/dropbear/patches/100-pubkey_path.patch the upstream dropbear server uses the normal path ~/.ssh/authorized_keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1966886/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971992] Re: openssl rmd160 digest broken
** Changed in: openssl (Ubuntu) Status: Confirmed => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1971992 Title: openssl rmd160 digest broken Status in openssl package in Ubuntu: Won't Fix Bug description: Using 3.0.2-0ubuntu1.1 on Ubuntu 22.04 (AMD64) I get ``` openssl rmd160 < some-file Error setting digest 405755EFCF7F:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RIPEMD160 : 99), Properties () 405755EFCF7F:error:0386:digital envelope routines:evp_md_init_internal:initialization error:../crypto/evp/digest.c:252: ``` Other digest types work fine. Using what is (according to `openssl version`) the same version of openssl from Macports on a Mac M1 works fine. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1971992/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971992] Re: openssl rmd160 digest broken
Hey Jan, thanks for the report. This has been discussed upstream at https://github.com/openssl/openssl/issues/16994. OpenSSL 3 has deprecated RIPEMD160 and thus moved them to the legacy provider according to the official openssl migration guide at https://www.openssl.org/docs/manmaster/man7/migration_guide.html. It looks like it can be worked around for now by adding -provider legacy as in: openssl rmd160 -provider legacy < some-file or by modifying your openssl.cnf to always load the legacy provider. ** Bug watch added: github.com/openssl/openssl/issues #16994 https://github.com/openssl/openssl/issues/16994 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1971992 Title: openssl rmd160 digest broken Status in openssl package in Ubuntu: Confirmed Bug description: Using 3.0.2-0ubuntu1.1 on Ubuntu 22.04 (AMD64) I get ``` openssl rmd160 < some-file Error setting digest 405755EFCF7F:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RIPEMD160 : 99), Properties () 405755EFCF7F:error:0386:digital envelope routines:evp_md_init_internal:initialization error:../crypto/evp/digest.c:252: ``` Other digest types work fine. Using what is (according to `openssl version`) the same version of openssl from Macports on a Mac M1 works fine. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1971992/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971992] Re: openssl rmd160 digest broken
** Changed in: openssl (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1971992 Title: openssl rmd160 digest broken Status in openssl package in Ubuntu: Confirmed Bug description: Using 3.0.2-0ubuntu1.1 on Ubuntu 22.04 (AMD64) I get ``` openssl rmd160 < some-file Error setting digest 405755EFCF7F:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RIPEMD160 : 99), Properties () 405755EFCF7F:error:0386:digital envelope routines:evp_md_init_internal:initialization error:../crypto/evp/digest.c:252: ``` Other digest types work fine. Using what is (according to `openssl version`) the same version of openssl from Macports on a Mac M1 works fine. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1971992/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
