[Bug 1722313] Re: Enable auditing in util-linux.

2017-12-01 Thread Joy Latten
Verified successfully in an amd64 VM for zesty.

$ cat /etc/os-release 
NAME="Ubuntu"
VERSION="17.04 (Zesty Zapus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 17.04"
VERSION_ID="17.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=zesty
UBUNTU_CODENAME=zesty

$ dpkg -l | grep util-linux
ii  util-linux  2.29-1ubuntu2.2  amd64  miscellaneous system utilities

$ uname -a
Linux zestyguest 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Message logged after altering the hardware clock:

type=USYS_CONFIG msg=audit(1512158548.257:24): pid=3081 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=? addr=? terminal=pts/0 res=success'




** Tags added: verification-done-zesty

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1722313

Title:
  Enable auditing in util-linux.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1722313/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1722313] Re: Enable auditing in util-linux.

2017-12-01 Thread Joy Latten
Verified on xenial on a P8 and a z13 zlpar.

From P8:
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

$ uname -a
Linux  4.4.0-87-generic #110-Ubuntu SMP Tue Jul 18 12:53:44 UTC 2017 ppc64le ppc64le ppc64le GNU/Linux

$ dpkg -l | grep util-linux
ii  util-linux  2.27.1-6ubuntu3.4  ppc64el  miscellaneous system utilities

Resulting log message, after altering the system clock:

type=USYS_CONFIG msg=audit(1512153890.632:29): pid=26156 uid=0 auid=1000 ses=998 msg='changing system time exe="/sbin/hwclock" hostname=? addr=? terminal=pts/0 res=success'



Test on z13 zlpar:

$ cat /etc/os-release 
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

$ uname -a
Linux  4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:35:14 UTC 2017 s390x s390x s390x GNU/Linux

ubuntu@s1lp12:~$ dpkg -l | grep util-linux
ii  util-linux  2.27.1-6ubuntu3.4  s390x  miscellaneous system utilities

$ /usr/bin/sudo hwclock --set --date "1/1/2000 00:00:00"
hwclock: Cannot access the Hardware Clock via any known method.
hwclock: Use the --debug option to see the details of our search for an access method.

This is correct behaviour, since the zlpar cannot access the hardware clock, and it is
consistent with prior versions.

Message logged indicates the failure:
type=USYS_CONFIG msg=audit(1512154473.517:12321): pid=84471 uid=0 auid=1000 ses=1134 msg='changing system time exe="/sbin/hwclock" hostname=? addr=? terminal=pts/1 res=failed'


** Tags added: verification-done-xenial

** Description changed:

  [IMPACT]
  Enable auditing in util-linux. The config option, --with-audit enables 
auditing.
-  
- Only the hwclock and the login commands within util-linux package have source 
code for auditing. But that source code is disabled by default and requires the 
config option, --with-audit to enable it. The login command is not built nor 
shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, 
only hwclock command would be affected by this change.
+ 
+ Only the hwclock and the login commands within util-linux package have
+ source code for auditing. But that source code is disabled by default
+ and requires the config option, --with-audit to enable it. The login
+ command is not built nor shipped in util-linux. Ubuntu uses the login
+ command from shadow instead. Thus, only hwclock command would be
+ affected by this change.
  
  The change would enable the hwclock command to generate an audit log
  message to /var/log/audit/audit.log whenever it changes the hardware
- clock. This message will only get logged if auditd daemon is running.
- Otherwise, nothing gets logged.
+ clock. This message will only get logged to /var/log/audit/audit.log, if
+ auditd daemon is running. Otherwise, if the auditd is not running, like
+ most log messages, it will get logged to /var/log/kern.log and|or
+ /var/log/syslog if these services are enabled.
  
  That the hwclock generates an audit message when hardware clock is
  changed is a requirement for Common Criteria EAL2 certification for
  Xenial.
  
  [TEST]
  
  This has been tested on both P8 and amd64 architectures. With the patch
  all the Common Criteria testcases pass for hwclock. Before this patch,
  the functional part of the testcase passed, but the check for the
  triggered audit records would fail. Attached the Common Criteria
  testcase below.
  
  Also, the util-linux package has testcases that get run during the
  build. All of these pass. Pointer to build log below.
  
  [REGRESSION POTENTIAL]
  The regression potential for this should be small. This change does not take 
away from any current functionality. It just adds the ability to generate an 
audit entry when system hardware clock is altered.

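The records quoted in the verification comments above come in two shapes: the zesty and artful builds write `op=change-system-time`, the xenial build writes the free text `changing system time` before the first key=value token, and the zlpar run shows that a refused change still produces a record with `res=failed`. A detection that keys only on the `op=` form would miss the xenial records. The parser below handles both forms and reports every hwclock clock change, successful or not; it is an added example, not code from util-linux, auditd or this bug, and its sample input is the records copied from the comments above, joined back onto one line each as auditd writes them, with the artful `USER_CMD` record included as a negative case (that one is sudo's record for the command, not hwclock's).

```python
"""Parse auditd USYS_CONFIG records like the ones quoted in this bug and flag
hardware-clock changes made through hwclock.

Added example for this thread, not code from util-linux, auditd or the bug
itself. The sample records are the ones quoted in the comments above, joined
back onto one line each as auditd writes them; the USER_CMD record from the
artful comment is included as a negative case (sudo's record, not hwclock's).
"""
import re
from dataclasses import dataclass, field

# Constructed sample input, copied from the thread.
SAMPLE_RECORDS = [
    # zesty: op=change-system-time form
    "type=USYS_CONFIG msg=audit(1512158548.257:24): pid=3081 uid=0 auid=1000 "
    "ses=1 msg='op=change-system-time exe=\"/sbin/hwclock\" hostname=? addr=? "
    "terminal=pts/0 res=success'",
    # xenial on P8: free-text "changing system time" form
    "type=USYS_CONFIG msg=audit(1512153890.632:29): pid=26156 uid=0 auid=1000 "
    "ses=998 msg='changing system time exe=\"/sbin/hwclock\" hostname=? addr=? "
    "terminal=pts/0 res=success'",
    # xenial on the z13 zlpar: the attempt failed, but a record is still written
    "type=USYS_CONFIG msg=audit(1512154473.517:12321): pid=84471 uid=0 auid=1000 "
    "ses=1134 msg='changing system time exe=\"/sbin/hwclock\" hostname=? addr=? "
    "terminal=pts/1 res=failed'",
    # artful: sudo's USER_CMD record for the same command; not a clock change
    "type=USER_CMD msg=audit(1511896792.291:29): pid=3008 uid=1000 auid=1000 ses=2 "
    "msg='cwd=\"/home/ubuntu\" cmd=\"hwclock\" terminal=pts/0 res=success'",
]

# type=<TYPE> msg=audit(<epoch.ms>:<serial>): <rest>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# key=value tokens; values are either double-quoted or a run of non-blanks
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AuditRecord:
    type: str
    timestamp: float
    serial: int
    fields: dict = field(default_factory=dict)
    text: str = ""  # free text leading the msg='...' payload, if any


def _parse_kv(chunk: str) -> dict:
    return {k: v.strip('"') for k, v in KV_RE.findall(chunk)}


def parse_record(line: str) -> AuditRecord:
    """Parse one audit record into header fields plus the msg='...' payload."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rest = m.group("rest")
    text, inner = "", ""
    idx = rest.find("msg='")
    outer = rest if idx < 0 else rest[:idx]
    if idx >= 0:
        inner = rest[idx + len("msg='"):].rstrip().rstrip("'")
    fields = _parse_kv(outer)
    if inner:
        # The xenial build writes "changing system time" before the first
        # key=value token; newer builds write op=change-system-time instead.
        first_kv = KV_RE.search(inner)
        if first_kv and first_kv.start() > 0:
            text = inner[:first_kv.start()].strip()
        fields.update(_parse_kv(inner))
    return AuditRecord(m.group("type"), float(m.group("ts")),
                       int(m.group("serial")), fields, text)


def is_hwclock_change(rec: AuditRecord) -> bool:
    """True for a USYS_CONFIG record written by hwclock changing the clock,
    in either the op= form or the free-text form."""
    if rec.type != "USYS_CONFIG" or rec.fields.get("exe") != "/sbin/hwclock":
        return False
    return (rec.fields.get("op") == "change-system-time"
            or rec.text == "changing system time")


def clock_change_events(lines):
    """(serial, auid, res) for every hwclock clock change; both success and
    failed outcomes are reported, since a failed attempt is still of interest."""
    events = []
    for line in lines:
        rec = parse_record(line)
        if is_hwclock_change(rec):
            events.append((rec.serial, int(rec.fields["auid"]), rec.fields.get("res")))
    return events


if __name__ == "__main__":
    for serial, auid, res in clock_change_events(SAMPLE_RECORDS):
        print("audit serial %d: hwclock clock change by auid %d -> %s" % (serial, auid, res))
```

The `auid` field is the value worth reporting: it names the login user even when the command ran as root through sudo (`uid=0` in every record above), which is what a Common Criteria check of the triggered records is after. On a live system the same records come out of `ausearch -m USYS_CONFIG -x hwclock`.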

[Bug 1722313] Re: Enable auditing in util-linux.

2017-11-28 Thread Joy Latten
** Tags added: verification-done-artful


[Bug 1722313] Re: Enable auditing in util-linux.

2017-11-28 Thread Joy Latten
Version of package verified on artful:

ubuntu@artfulguest:~$ dpkg -l | grep util-linux
ii  util-linux  2.30.1-0ubuntu4.1  amd64  miscellaneous system utilities


[Bug 1722313] Re: Enable auditing in util-linux.

2017-11-28 Thread Joy Latten
Sorry, comment #13 had a cut-and-paste issue.

Log message is:
type=USYS_CONFIG msg=audit(1511898182.500:184): pid=3305 uid=0 auid=1000 ses=2 msg='op=change-system-time exe="/sbin/hwclock" hostname=artfulguest addr=? terminal=pts/0 res=success'


[Bug 1722313] Re: Enable auditing in util-linux.

2017-11-28 Thread Joy Latten
Generated an artful VM and verified that this is fixed in artful.

ubuntu@artfulguest:~$ cat /etc/os-release 
NAME="Ubuntu"
VERSION="17.10 (Artful Aardvark)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 17.10"
VERSION_ID="17.10"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=artful
UBUNTU_CODENAME=artful

Altered the hwclock via: sudo hwclock --set --date "1/1/2000 00:00:00"

Received the following audit log message in the appropriate log files when applicable:
type=USER_CMD msg=audit(1511896792.291:29): pid=3008 uid=1000 auid=1000 ses=2 msg='cwd="/home/ubuntu" cmd="hwclock" terminal=pts/0 res=success'


[Bug 1722313] Re: Enable auditing in util-linux.

2017-11-10 Thread Joy Latten
** Summary changed:

- [SRU][xenial] Enable auditing in util-linux.
+ Enable auditing in util-linux.


[Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-11-09 Thread Joy Latten
I have also submitted a patch against the recent Debian version of this
package to Debian. Just in case, I also noted the following in the Debian
bug thread:

- util-linux package is Priority: required and the libaudit1 package is
Priority: optional.

Possibly this is no longer a problem in reference to a change in Version
4.0.1 listed here,
https://www.debian.org/doc/packaging-manuals/upgrading-checklist.txt


[Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-11-09 Thread Joy Latten
** Attachment added: "debdiff.bionic"
   https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/5006681/+files/debdiff.bionic


[Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-11-09 Thread Joy Latten
** Changed in: util-linux (Ubuntu)
   Status: New => In Progress


[Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-11-09 Thread Joy Latten
Build logs and test runs can be found in PPA at,
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+packages

Please note, the versioning of the packages is incorrect in the PPA, my
apologies. I did them correctly in the debdiff for each release that I
have attached.

Comment #3 just contains the testcase I use to verify that the audit
entry is created when the config option is enabled.


[Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-11-09 Thread Joy Latten
** Attachment added: "debdiff.xenial"
   https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/5006617/+files/debdiff.xenial


[Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-11-09 Thread Joy Latten
** Attachment added: "debdiff.artful"
   https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/5006620/+files/debdiff.artful


[Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-11-09 Thread Joy Latten
** Attachment added: "debdiff.zesty"
   https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/5006619/+files/debdiff.zesty


[Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-11-09 Thread Joy Latten
** Attachment removed: "debdiff of version 3.3 and 3.4~joyppa2"
   https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/4966026/+files/debdiff.out


[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-11-02 Thread Joy Latten
I meant to add in #8 that this affects the addition of fips in the
ubuntu-advantage on xenial in
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1700611

Title:
  sources.list file created for ESM is world-readable, leaks subscriber
  token to all local users

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-advantage-script/+bug/1700611/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1700611] Re: sources.list file created for ESM is world-readable, leaks subscriber token to all local users

2017-11-02 Thread Joy Latten
This affects the fips addition too, since we add an entry to the
/etc/apt/sources.list.d/ directory as well.

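The two comments above describe the same failure mode for two source files: a file dropped into /etc/apt/sources.list.d/ that is world-readable and carries the subscriber token, so every local user can read it. The check below finds such files by combining the two conditions (credentials present and `S_IROTH` set), so a restricted file holding a token and a world-readable file holding no secret are both reported as fine. It is an added example, not code from ubuntu-advantage-tools or this bug; it assumes the token shows up as `user:password@` credentials embedded in the deb line's URL (a labelled assumption, the bug title says only that the file leaks the token), and it scans a constructed temporary directory standing in for /etc/apt/sources.list.d so it runs offline, with placeholder hosts and a placeholder token rather than real values.

```python
"""Find apt source files that are world-readable and carry credentials.

Added example for the ESM sources.list discussion above; not code from
ubuntu-advantage-tools or the bug. It assumes the subscriber token shows up
as user:password@ credentials embedded in the deb line's URL (a labelled
assumption; the bug title says only that the file is world-readable and
leaks the token) and scans a constructed temporary directory standing in for
/etc/apt/sources.list.d so it runs offline.
"""
import re
import stat
import tempfile
from pathlib import Path

# user:password@host inside an http(s) URL; a bare host:port does not match
# because the character after the port is "/" rather than "@".
CRED_URL_RE = re.compile(r"https?://[^/\s:@]+:[^/\s@]+@")


def file_findings(path: Path) -> dict:
    """Report mode and credential presence for one sources file."""
    mode = path.stat().st_mode
    has_credentials = False
    with path.open("r", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if CRED_URL_RE.search(line):
                has_credentials = True
                break
    world_readable = bool(mode & stat.S_IROTH)
    return {
        "path": path.name,
        "mode": stat.S_IMODE(mode),
        "world_readable": world_readable,
        "has_credentials": has_credentials,
        # The bug: any local user can read a file holding the token.
        "leaks": world_readable and has_credentials,
    }


def scan_sources_dir(directory) -> list:
    """Findings for every *.list file in directory, sorted by file name."""
    return [file_findings(p) for p in sorted(Path(directory).glob("*.list"))]


def leaking_files(directory) -> list:
    """Names of the files that are both world-readable and hold credentials."""
    return [f["path"] for f in scan_sources_dir(directory) if f["leaks"]]


def build_demo_dir() -> str:
    """Constructed stand-in for /etc/apt/sources.list.d with three cases."""
    d = Path(tempfile.mkdtemp(prefix="apt-sources-demo-"))
    # Case 1: credentials in the URL, mode 0644 -> this is the reported bug.
    # Host and token are placeholders, not real values.
    (d / "ubuntu-esm.list").write_text(
        "deb https://user:PLACEHOLDER-TOKEN@esm.example.invalid/ubuntu xenial main\n")
    (d / "ubuntu-esm.list").chmod(0o644)
    # Case 2: same content restricted to the owner -> mitigated.
    (d / "ubuntu-fips.list").write_text(
        "deb https://user:PLACEHOLDER-TOKEN@fips.example.invalid/ubuntu xenial main\n")
    (d / "ubuntu-fips.list").chmod(0o600)
    # Case 3: public archive, nothing secret, world-readable is fine.
    (d / "public.list").write_text(
        "deb http://archive.example.invalid/ubuntu xenial main\n")
    (d / "public.list").chmod(0o644)
    return str(d)


if __name__ == "__main__":
    demo = build_demo_dir()
    for f in scan_sources_dir(demo):
        flag = "LEAKS TOKEN" if f["leaks"] else "ok"
        print("%-18s mode %04o credentials=%s -> %s"
              % (f["path"], f["mode"], f["has_credentials"], flag))
```

Pointing `scan_sources_dir` at the real /etc/apt/sources.list.d is the same call with a different argument; the file-mode test is the part that matters, since restricting the file to its owner is what stops other local users reading the token.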

[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
** Description changed:

  [IMPACT]
  Most recent version of ubuntu-advantage-tool on github includes fips 
enablement. The fips enablement will allow customers to easily install and 
configure Canonical's FIPS certified modules on xenial
  
  Note: FIPS certified modules are only available for xenial. On other
  releases the tool will not install and configure fips.
  
  when "ubuntu-advantage enable-fips " is issued from commandline,
  
   - configure the private PPA where the FIPS modules are located
   - install the FIPS modules from this PPA to the local machine from where the 
script is run
   - configure the bootloader to enable fips
  
  Upon successful completion of these steps, the customer then gets a message 
stating to reboot
  the machine to complete the fips enablement process.
  
  Without the script, customers must perform the steps manually.
  
  [FIX]
  
  Add enable-fips to advantage script. See debdiff below.
  
  [TEST]
  A test package is available: and it was tested by me on S390, PPC64EL and 
AMD64 architectures.
  
  [REGRESSION POTENTIAL]
  The patch adds a new features to ubuntu-advantage-tool in Xenial to enable 
fips. Current functionality was not altered.
+ 
+ [FIPS TESTCASES]
+ These testcases assume you have installed ubuntu-advantage-tools with the 
proposed changes. 
+ 
+ XENIAL
+ 
+ 1. Collect status before enabling fips
+ 
+ type on commandline, 
+ ubuntu-advantage status
+ 
+ expect,
+ livepatch: disabled
+ 
+ esm: disabled (not available)
+ 
+ fips: disabled
+ 
+ 2. Enable fips
+ Note: This will require a token or credentials to fips Private PPA, in
+ the form xxx:xxx
+ 
+ type on commandline, 
+ sudo ubuntu-advantage enable-fips xxx:xxx
+ 
+ expect,
+ [sudo] password for ubuntu:
+ Running apt-get update... OK
+ Ubuntu FIPS PPA repository enabled.
+ Installing FIPS packages (this may take a while)... OK
+ Configuring FIPS...
+ Updating grub to enable fips... OK
+ Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.
+ 
+ type on commandline,
+ sudo reboot
+ 
+ 3. Log back into system after reboot
+ 
+ type on commandline,
+ ubuntu-advantage status
+ 
+ expect,
+ livepatch: disabled
+ 
+ esm: disabled (not available)
+ 
+ fips: enabled
+ 
+ 
+ 4. verify fips kernel "4.4.0-1002-fips" has been installed
+ 
+ type on commandline,
+ uname -a
+ 
+ expect,
+ Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC  
2017 x86_64 x86_64 x86_64 GNU/Linux
+ 
+ 
+ ZESTY
+ (Note that FIPS is not supported on zesty.)
+ 
+ 1. Collect status before enabling fips
+ 
+ type on commandline,
+ ubuntu-advantage status
+ 
+ expect,
+ livepatch: disabled (not available)
+ 
+ esm: disabled (not available)
+ 
+ fips: disabled (not available)
+ 
+ 2. Ensure that fips cannot be enabled on Zesty.
+ Note: This will require a token or credentials to fips Private PPA, in
+ the form xxx:xxx
+ 
+ type on commandline,
+ sudo ubuntu-advantage enable-fips xxx:xxx
+ 
+ expect,
+ Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
+ 
+ 3. Check that kernel is not fips kernel (4.4.0-1002-fips)
+ 
+ type on commandline,
+ uname -a
+ 
+ expect:
+ Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1719671

Title:
  [SRU][xenial] include recent version containing fips

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
@nacc: I have "re-done" things and have included data for both xenial
and zesty.


[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
Note that binary files (the key rings) are not represented in the
debdiffs above.


[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
** Attachment added: "ubuntu-advantage-tools_10~ubuntu0.17.04.1.tar.xz"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973837/+files/ubuntu-advantage-tools_10~ubuntu0.17.04.1.tar.xz


[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
Travis CI test results for v10
https://travis-ci.org/CanonicalLtd/ubuntu-advantage-script/builds/277507150


[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
** Attachment added: "tox.results.zesty"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973836/+files/tox.results.zesty


[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
** Attachment added: "git-log-v2upload3..v10.zesty"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973835/+files/git-log-v2upload3..v10.zesty


[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
** Patch added: "v2v10-zesty.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973833/+files/v2v10-zesty.debdiff


[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
** Attachment added: "git-log-v2upload3..v10.xenial"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973810/+files/git-log-v2upload3..v10.xenial


[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
** Attachment added: "install.log.zesty shows before installing v10, install steps, and afterwards"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973832/+files/install.log.zesty


[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
** Attachment added: "build.log.zesty"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973828/+files/build.log.zesty


[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
** Attachment added: "ubuntu-advantage-tools_10~ubuntu0.16.04.1.tar.xz"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973827/+files/ubuntu-advantage-tools_10~ubuntu0.16.04.1.tar.xz


[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
** Attachment added: "Install log shows before installing v10 on xenial, install steps, and afterwards"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973797/+files/install.log.xenial


[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
** Patch added: "v2v10.xenial.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973809/+files/v2v10-xenial.debdiff


[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
** Attachment added: "tox.results.xenial"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973811/+files/tox.results.xenial


[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
** Attachment added: "build log for xenial"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4973778/+files/build.log.xenial

** Attachment removed: "tox test results on zesty"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4969139/+files/tox.results.amd64.zesty

** Attachment removed: "Install log for zesty. Note FIPS is not supported on zesty."
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4969144/+files/install.log.amd64.zesty

** Attachment removed: "install log: shows output of running ubuntu-advantage script before and after installing v11."
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966733/+files/install.log.amd64

** Attachment removed: "build log for zesty"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4969155/+files/build.log.amd64.zesty


[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-17 Thread Joy Latten
Hopefully it is ok that I deleted prior attachments so that there is no
confusion. This bug will be to add support for v10 (which includes fips
support) of ubuntu-advantage-tool to xenial and zesty.

** Patch removed: "debdiff between v2 (curently in xenial) and v11"
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966092/+files/v2v11.debdiff

** Attachment removed: "git log diff between version v2-upload3 and v11"
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966079/+files/git-log-v2-upload3..v11

** Attachment removed: "Build log for amd64."
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966093/+files/build.log.amd64

** Attachment removed: "tox results on xenial amd64"
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966094/+files/tox.results.amd64

** Attachment removed: "ubuntu-advantage-tools_11.tar.xz"
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966095/+files/ubuntu-advantage-tools_11.tar.xz


[Bug 1719671] Re: [SRU][xenial] include recent version containing fips

2017-10-12 Thread Joy Latten
After chatting on IRC, realized new version of tool is being worked on
for #1721272 (artful). Will wait for this to complete and use this bug
to SRU the changes which include enabling fips. Will also redo the data
for this SRU.

** Description changed:

  [IMPACT]
+ Most recent version of ubuntu-advantage-tool on github includes fips 
enablement. The fips enablement will allow customers to easily install and 
configure Canonical's FIPS certified modules on xenial
+ 
+ Note: FIPS certified modules are only available for xenial. On other
+ releases the tool will not install and configure fips.
+ 
  when "ubuntu-advantage enable-fips " is issued from commandline,
  
   - configure the private PPA where the FIPS modules are located
   - install the FIPS modules from this PPA to the local machine from where the 
script is run
   - configure the bootloader to enable fips
  
  Upon successful completion of these steps, the customer then gets a message 
stating to reboot
  the machine to complete the fips enablement process.
  
  Without the script, customers must perform the steps manually.
  
  [FIX]
  
  Add enable-fips to advantage script. See debdiff below.
  
  [TEST]
- A test package is available: and it was tested by me on S390, PPC64EL and 
AMD64 architectures. 
+ A test package is available: and it was tested by me on S390, PPC64EL and 
AMD64 architectures.
  
  [REGRESSION POTENTIAL]
  The patch adds a new features to ubuntu-advantage-tool in Xenial to enable 
fips. Current functionality was not altered.


[Bug 1719671] Re: [SRU][xenial] include new version

2017-10-12 Thread Joy Latten
** Summary changed:

- [SRU][xenial] include fips enablement into ubuntu-advantage
+ [SRU][xenial] include new version

** Summary changed:

- [SRU][xenial] include new version
+ [SRU][xenial] include recent version containing fips


[Bug 1719671] Re: [SRU][xenial] include fips enablement into ubuntu-advantage

2017-10-12 Thread Joy Latten
** Attachment added: "Install log for zesty. Note FIPS is not supported on 
zesty."
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4969144/+files/install.log.amd64.zesty


[Bug 1719671] Re: [SRU][xenial] include fips enablement into ubuntu-advantage

2017-10-12 Thread Joy Latten
** Attachment added: "tox test results on zesty"
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4969139/+files/tox.results.amd64.zesty


[Bug 1719671] Re: [SRU][xenial] include fips enablement into ubuntu-advantage

2017-10-12 Thread Joy Latten
** Attachment added: "build log for zesty"
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4969155/+files/build.log.amd64.zesty


[Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-10-10 Thread Joy Latten
** Description changed:

  [IMPACT]
- There is a requirement for Common Criteria EAL2 certification that changes to 
the system's hardware clock be audited/monitored. In Ubuntu the hwclock command 
can be used to alter the system's hardware clock. Thus this event needs to be 
audited for EAL2. The hwclock command within util-linux has the ability to 
create an audit event when the system's hardware clock is altered, but this 
ability is enabled via the --with-audit config option. This option is currently 
not enabled.
+ Enable auditing in util-linux. The config option, --with-audit enables 
auditing.
+  
+ Only the hwclock and the login commands within util-linux package have source 
code for auditing. But that source code is disabled by default and requires the 
config option, --with-audit to enable it. The login command is not built nor 
shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, 
only hwclock command would be affected by this change.
  
- Only the hwclock and the login commands within util-linux package use
- this --with-audit config option to enable auditing. However, it appears
- the login command is not built nor shipped in util-linux. Ubuntu uses
- the login command from shadow instead. Thus, only hwclock command would
- be affected by this change. The change would enable (1) call to
- audit_open to create a netlink socket descritor. (2) generate an audit
- entry when system hardware clock altered. The entry will be logged into
- the /var/log/audit/audit.log IF auditd is installed and running.
+ The change would enable the hwclock command to generate an audit log
+ message to /var/log/audit/audit.log whenever it changes the hardware
+ clock. This message will only get logged if auditd daemon is running.
+ Otherwise, nothing gets logged.
+ 
+ That the hwclock generates an audit message when hardware clock is
+ changed is a requirement for Common Criteria EAL2 certification for
+ Xenial.
  
  [TEST]
  
  This has been tested on both P8 and amd64 architectures. With the patch
  all the Common Criteria testcases pass for hwclock. Before this patch,
  the functional part of the testcase passed, but the check for the
  triggered audit records would fail. Attached the Common Criteria
  testcase below.
  
  Also, the util-linux package has testcases that get run during the
  build. All of these pass. Pointer to build log below.
  
  [REGRESSION POTENTIAL]
  The regression potential for this should be small. This change does not take 
away from any current functionality. It just adds the ability to generate an 
audit entry when system hardware clock is altered.


[Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-10-10 Thread Joy Latten
** Summary changed:

- [SRU][xenial] Add "--with-audit" config option so that the hwclock command 
creates an audit record when the hardware clock is altered.
+ [SRU][xenial] Enable auditing in util-linux.


[Bug 1722313] Re: [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.

2017-10-10 Thread Joy Latten
** Bug watch added: Debian Bug tracker #745771
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745771

** Also affects: util-linux (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745771
   Importance: Unknown
   Status: Unknown


[Bug 1719671] Re: [SRU][xenial] include fips enablement into ubuntu-advantage

2017-10-10 Thread Joy Latten
My apologies, still kinda new at this. But yes, the debdiff is a patch.
So I put the patch flag back.


[Bug 1719671] Re: [SRU][xenial] include fips enablement into ubuntu-advantage

2017-10-10 Thread Joy Latten
** Attachment added: "install log: shows output of running ubuntu-advantage 
script before and after installing v11."
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966733/+files/install.log.amd64


[Bug 1719671] Re: [SRU][xenial] include fips enablement into ubuntu-advantage

2017-10-09 Thread Joy Latten
Sorry, the attachment is a debdiff. I removed the patch flag.


[Bug 1719671] Re: [SRU][xenial] include fips enablement into ubuntu-advantage

2017-10-09 Thread Joy Latten
Will attach install.log shortly...


[Bug 1719671] Re: [SRU][xenial] include fips enablement into ubuntu-advantage

2017-10-09 Thread Joy Latten
If build log is required for P8 and s390x, please let me know and I will
attach them.

** Attachment added: "Build log for amd64."
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966093/+files/build.log.amd64


[Bug 1719671] Re: [SRU][xenial] include fips enablement into ubuntu-advantage

2017-10-09 Thread Joy Latten
** Attachment added: "ubuntu-advantage-tools_11.tar.xz"
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966095/+files/ubuntu-advantage-tools_11.tar.xz


[Bug 1719671] Re: [SRU][xenial] include fips enablement into ubuntu-advantage

2017-10-09 Thread Joy Latten
PPA with daily builds for ubuntu-advantage-tools
https://code.launchpad.net/~ahasenack/+recipe/ubuntu-advantage-script-daily


[Bug 1719671] Re: [SRU][xenial] include fips enablement into ubuntu-advantage

2017-10-09 Thread Joy Latten
Please note in the debdiff that the ubuntu-advantage script has been
renamed to advantage. Links are created for backward compatibility.

** Patch added: "debdiff between v2 (curently in xenial) and v11"
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966092/+files/v2v11.debdiff


[Bug 1719671] Re: [SRU][xenial] include fips enablement into ubuntu-advantage

2017-10-09 Thread Joy Latten
Travis CI test results
https://travis-ci.org/CanonicalLtd/ubuntu-advantage-script/builds/283705244


[Bug 1719671] Re: [SRU][xenial] include fips enablement into ubuntu-advantage

2017-10-09 Thread Joy Latten
** Attachment added: "tox results on xenial amd64"
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966094/+files/tox.results.amd64


[Bug 1719671] Re: [SRU][xenial] include fips enablement into ubuntu-advantage

2017-10-09 Thread Joy Latten
** Description changed:

  [IMPACT]
  when "ubuntu-advantage enable-fips " is issued from commandline,
  
-  - configure the private PPA where the FIPS modules are located
-  - install the FIPS modules from this PPA to the local machine from where the 
script is run
-  - configure the bootloader to enable fips
+  - configure the private PPA where the FIPS modules are located
+  - install the FIPS modules from this PPA to the local machine from where the 
script is run
+  - configure the bootloader to enable fips
  
  Upon successful completion of these steps, the customer then gets a message 
stating to reboot
  the machine to complete the fips enablement process.
  
  Without the script, customers must perform the steps manually.
  
  [FIX]
  
+ Add enable-fips to advantage script. See debdiff below.
  
  [TEST]
- A test package is available in the following PPA: and it was tested by me on 
S390, PPC64EL and AMD64 architectures. 
- 
- -- Test results before the patch --
- -- Test results after the patch --
+ A test package is available: and it was tested by me on S390, PPC64EL and 
AMD64 architectures. 
  
  [REGRESSION POTENTIAL]
- The patch adds a new features to ubuntu-advantage-tool in Xenial to enable 
fips. No regression risks.
+ The patch adds a new features to ubuntu-advantage-tool in Xenial to enable 
fips. Current functionality was not altered.

** Attachment added: "git log diff between version v2-upload3 and v11"
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+attachment/4966079/+files/git-log-v2-upload3..v11


[Bug 1722313] Re: [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.

2017-10-09 Thread Joy Latten
Comment #3 Should have read "Common Criteria EAL2 hwclock testcase".

** Description changed:

  [IMPACT]
  There is a requirement for Common Criteria EAL2 certification that changes to 
the system's hardware clock be audited/monitored. In Ubuntu the hwclock command 
can be used to alter the system's hardware clock. Thus this event needs to be 
audited for EAL2. The hwclock command within util-linux has the ability to 
create an audit event when the system's hardware clock is altered, but this 
ability is enabled via the --with-audit config option. This option is currently 
not enabled.
  
- Only the hwclock and the login commands within util-linux package use this 
--with-audit config option to enable auditing. However, it appears the login 
command is not built nor shipped in util-linux. Ubuntu uses the login command 
from shadow instead. Thus, only hwclock command would be affected by this 
change. The change would enable (1) call to audit_open to create a netlink 
socket descritor. (2) generate an audit entry when system hardware clock 
altered. The entry will be logged into the /var/log/audit/audit.log IF auditd 
is installed and running.
-  
+ Only the hwclock and the login commands within util-linux package use
+ this --with-audit config option to enable auditing. However, it appears
+ the login command is not built nor shipped in util-linux. Ubuntu uses
+ the login command from shadow instead. Thus, only hwclock command would
+ be affected by this change. The change would enable (1) call to
+ audit_open to create a netlink socket descritor. (2) generate an audit
+ entry when system hardware clock altered. The entry will be logged into
+ the /var/log/audit/audit.log IF auditd is installed and running.
+ 
  [TEST]
  
  This has been tested on both P8 and amd64 architectures. With the patch
  all the Common Criteria testcases pass for hwclock. Before this patch,
  the functional part of the testcase passed, but the check for the
- triggered audit records would fail.
+ triggered audit records would fail. Attached the Common Criteria
+ testcase below.
+ 
+ Also, the util-linux package has testcases that get run during the
+ build. All of these pass. Pointer to build log below.
  
  [REGRESSION POTENTIAL]
  The regression potential for this should be small. This change does not take 
away from any current functionality. It just adds the ability to generate an 
audit entry when system hardware clock is altered.


[Bug 1722313] Re: [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.

2017-10-09 Thread Joy Latten
** Attachment added: "EAL hwclock testcase"
   
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1722313/+attachment/4966040/+files/test_hwclock.bash


[Bug 1722313] Re: [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.

2017-10-09 Thread Joy Latten
build log and tests run
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/13375821


[Bug 1722313] Re: [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.

2017-10-09 Thread Joy Latten
** Description changed:

  [IMPACT]
  There is a requirement for Common Criteria EAL2 certification that changes to 
the system's hardware clock be audited/monitored. In Ubuntu the hwclock command 
can be used to alter the system's hardware clock. Thus this event needs to be 
audited for EAL2. The hwclock command within util-linux has the ability to 
create an audit event when the system's hardware clock is altered, but this 
ability is enabled via the --with-audit config option. This option is currently 
not enabled.
  
- Only the hwclock and the login commands within util-linux package use
- this --with-audit config option to enable auditing. However, it appears
- the login command is not built nor shipped in util-linux. Ubuntu uses
- the login command from shadow instead. Thus, only hwclock command would
- be affected by this change. The change would enable (1) call to
- audit_open to create a netlink socket descritor. (2) generate an audit
- entry when system hardware clock altered. The entry will be logged into
- the /var/log/audit/audit.log IF auditd is installed and running.
- 
- [FIX]
- 
+ Only the hwclock and the login commands within util-linux package use this 
--with-audit config option to enable auditing. However, it appears the login 
command is not built nor shipped in util-linux. Ubuntu uses the login command 
from shadow instead. Thus, only hwclock command would be affected by this 
change. The change would enable (1) call to audit_open to create a netlink 
socket descritor. (2) generate an audit entry when system hardware clock 
altered. The entry will be logged into the /var/log/audit/audit.log IF auditd 
is installed and running.
+  
  [TEST]
  
  This has been tested on both P8 and amd64 architectures. With the patch
  all the Common Criteria testcases pass for hwclock. Before this patch,
  the functional part of the testcase passed, but the check for the
  triggered audit records would fail.
  
  [REGRESSION POTENTIAL]
  The regression potential for this should be small. This change does not take 
away from any current functionality. It just adds the ability to generate an 
audit entry when system hardware clock is altered.

** Attachment added: "debdiff of version 3.3 and 3.4~joyppa2"
   
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1722313/+attachment/4966026/+files/debdiff.out


[Bug 1722313] [NEW] [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.

2017-10-09 Thread Joy Latten
Public bug reported:

[IMPACT]
There is a requirement for Common Criteria EAL2 certification that changes to 
the system's hardware clock be audited/monitored. In Ubuntu the hwclock command 
can be used to alter the system's hardware clock. Thus this event needs to be 
audited for EAL2. The hwclock command within util-linux has the ability to 
create an audit event when the system's hardware clock is altered, but this 
ability is enabled via the --with-audit config option. This option is currently 
not enabled.

Only the hwclock and the login commands within the util-linux package use
this --with-audit config option to enable auditing. However, it appears
the login command is neither built nor shipped in util-linux. Ubuntu uses
the login command from shadow instead. Thus, only the hwclock command would
be affected by this change. The change would enable (1) a call to
audit_open to create a netlink socket descriptor, and (2) generation of an
audit entry when the system hardware clock is altered. The entry will be
logged into /var/log/audit/audit.log IF auditd is installed and running.

[FIX]

[TEST]

This has been tested on both P8 and amd64 architectures. With the patch
all the Common Criteria testcases pass for hwclock. Before this patch,
the functional part of the testcase passed, but the check for the
triggered audit records would fail.

[REGRESSION POTENTIAL]
The regression potential for this should be small. This change does not take 
away from any current functionality. It just adds the ability to generate an 
audit entry when system hardware clock is altered.

** Affects: util-linux (Ubuntu)
 Importance: Undecided
 Status: New

** Summary changed:

- Add "--with-audit" config option so that the hwclock command creates audit 
records when it is used to alter the hardware clock.
+ [SRU][xenial] Add "--with-audit" config option so that the hwclock command 
creates an audit record when the hardware clock is altered.

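One way to consume the records this option produces, as an added example that is not part of the bug report or of util-linux: a small parser for auditd's raw audit.log format that picks out USYS_CONFIG records carrying op=change-system-time and reports who changed the hardware clock and whether it succeeded. The sample log lines, the function names and the field handling are mine; the field names are the standard audit ones.

```python
"""Detect hardware clock changes from Linux audit records.

Added example, not code from the bug report or from util-linux.  With
util-linux built --with-audit, hwclock emits a USYS_CONFIG record carrying
op=change-system-time; this module finds those records in audit.log text.
"""
import re
from datetime import datetime, timezone

# Record head: "type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): <fields>"
HEAD_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# key=value pairs; values are "double-quoted", 'single-quoted' (the nested
# msg='...' block written by user-space auditing) or bare tokens.
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")

# Constructed sample lines in the auditd raw format (not a real capture).
SAMPLE_LOG = """\
type=USER_CMD msg=audit(1512158540.101:23): pid=3080 uid=1000 auid=1000 ses=1 msg='cwd="/home/joy" cmd=6877636C6F636B terminal=pts/0 res=success'
type=USYS_CONFIG msg=audit(1512158548.257:24): pid=3081 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=? addr=? terminal=pts/0 res=success'
type=SYSCALL msg=audit(1512158548.258:25): arch=c000003e syscall=16 success=yes exit=0 a0=3 items=0 ppid=3000 pid=3081 auid=1000 uid=0 comm="hwclock" exe="/sbin/hwclock" key=(null)
type=USYS_CONFIG msg=audit(1512160000.004:31): pid=3202 uid=1000 auid=1000 ses=2 msg='op=change-system-time exe="/sbin/hwclock" hostname=? addr=? terminal=pts/1 res=failed'
this line is not an audit record and is skipped
"""


def parse_fields(text):
    """Flatten key=value pairs, descending into a quoted msg='...' block."""
    fields = {}
    for key, value in KV_RE.findall(text):
        if len(value) >= 2 and value.startswith("'") and value.endswith("'"):
            fields.update(parse_fields(value[1:-1]))  # nested user-space message
        else:
            fields[key] = value.strip('"')
    return fields


def parse_record(line):
    """Return a dict for one audit record, or None if the line is not one."""
    match = HEAD_RE.match(line.strip())
    if match is None:
        return None
    record = {
        "type": match.group("type"),
        "serial": int(match.group("serial")),
        "time": datetime.fromtimestamp(float(match.group("ts")), tz=timezone.utc),
    }
    record.update(parse_fields(match.group("rest")))
    return record


def hwclock_changes(log_lines):
    """Return the hardware-clock change events found in an iterable of log lines."""
    events = []
    for line in log_lines:
        record = parse_record(line)
        if record is None or record["type"] != "USYS_CONFIG":
            continue
        if record.get("op") != "change-system-time":
            continue  # some other USYS_CONFIG record
        events.append({
            "time": record["time"].isoformat(),
            "serial": record["serial"],
            "auid": record.get("auid"),      # login uid: survives su/sudo
            "uid": record.get("uid"),        # uid at the time of the call
            "exe": record.get("exe"),
            "terminal": record.get("terminal"),
            "success": record.get("res") == "success",
        })
    return events


if __name__ == "__main__":
    for ev in hwclock_changes(SAMPLE_LOG.splitlines()):
        outcome = "changed" if ev["success"] else "FAILED to change"
        print(f"{ev['time']} auid={ev['auid']} uid={ev['uid']} {outcome} "
              f"the hardware clock via {ev['exe']} on {ev['terminal']}")
```

On a live system, feed the lines of /var/log/audit/audit.log (readable by root) to hwclock_changes; auid is the login uid and is preserved across su and sudo, so it names the person behind a root-run hwclock.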

[Bug 1719671] [NEW] [SRU][xenial] include fips enablement into ubuntu-advantage

2017-09-26 Thread Joy Latten
Public bug reported:

[IMPACT]
When "ubuntu-advantage enable-fips " is issued from the command line:

 - configure the private PPA where the FIPS modules are located
 - install the FIPS modules from this PPA to the local machine from where the
   script is run
 - configure the bootloader to enable fips

Upon successful completion of these steps, the customer then gets a message
stating to reboot the machine to complete the fips enablement process.

Without the script, customers must perform the steps manually.

[FIX]


[TEST]
A test package is available in the following PPA: and it was tested by me on 
S390, PPC64EL and AMD64 architectures. 

-- Test results before the patch --
-- Test results after the patch --

[REGRESSION POTENTIAL]
The patch adds a new feature to ubuntu-advantage-tool in Xenial to enable
fips. No regression risks.

** Affects: ubuntu-advantage-tools (Ubuntu)
 Importance: High
 Status: New


** Tags: fips

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1719671

Title:
  [SRU][xenial] include fips enablement into ubuntu-advantage

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1718291] Re: [FFe]: Include FIPS into the ubuntu-advantage tool

2017-09-20 Thread Joy Latten
Just a note that the build.log mentioned in comment #6 above has both
the output of "debuild -S -uc -us" and the output of "dpkg-buildpackage
-uc -us". My apologies for not providing better demarcation between the
two outputs.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1718291

Title:
  [FFe]: Include FIPS into the ubuntu-advantage tool

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1718291/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1718291] Re: [FFe]: Include FIPS into the ubuntu-advantage tool

2017-09-19 Thread Joy Latten
install v9 and upgrade to v10 on an artful P8 VM and run the script to enable
fips

** Attachment added: "install.log"
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1718291/+attachment/4953244/+files/install.log


[Bug 1718291] Re: [FFe]: Include FIPS into the ubuntu-advantage tool

2017-09-19 Thread Joy Latten
tox results on artful P8 VM

** Attachment added: "tox.results"
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1718291/+attachment/4953245/+files/tox.results


[Bug 1718291] Re: [FFe]: Include FIPS into the ubuntu-advantage tool

2017-09-19 Thread Joy Latten
Travis CI test results
https://travis-ci.org/CanonicalLtd/ubuntu-advantage-script/builds/277507150

** Description changed:

  This is a request for a feature freeze exception to include FIPS into
  the ubuntu-advantage-tool package.
  
  This will allow UA customers to use the ubuntu-advantage script to do the 
following
  when "ubuntu-advantage enable-fips " is issued from commandline,
  
   - configure the private PPA where the FIPS modules are located
   - install the FIPS modules from this PPA to the local machine from where the 
script is run
   - configure the bootloader to enable fips
  
  Upon successful completion of these steps, the customer then gets a message 
stating to reboot
  the machine to complete the fips enablement process.
  
  Without the script, customers must perform the steps manually.
  
  The following fips packages are installed:
  linux-fips, fips-initramfs  (fips kernel)
  openssl, libssl1.0.0, libssl1.0.0-hmac
  openssh-server, openssh-server-hmac
  openssh-client, openssh-client-hmac
  strongswan, strongswan-hmac
  
- The enable-fips component of the script will only work/run on xenial.
- FIPS modules are currently certified for xenial only.
- 
  The patchset to include fips into ubuntu-advantage-tools includes
    - additional code to script to support "enable-fips" option/flag
    - additional code to script to support "is-fips-enabled" which reports if 
fips is
  enabled or not
    - additional code to support "status" for fips
    - addition to man page
    - additional testcases for fips
    - the fips private ppa keyring
+ 
+ **NOTE: The enable-fips component of the script will only work/run on
+ xenial. FIPS modules are currently certified for xenial only. The
+ intention is to upload to artful (althought doesn't enable fips on
+ artful) in preparation for a xenial SRU.


[Bug 1718291] Re: [FFe]: Include FIPS into the ubuntu-advantage tool

2017-09-19 Thread Joy Latten
Build log from artful P8 VM

** Attachment added: "build.log"
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1718291/+attachment/4953243/+files/build.log


[Bug 1718291] Re: [FFe]: Include FIPS into the ubuntu-advantage tool

2017-09-19 Thread Joy Latten
** Attachment added: "git log v9..v10"
   
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1718291/+attachment/4953233/+files/git-log-v9..v10


[Bug 1718291] Re: [FFe]: Include FIPS into the ubuntu-advantage tool

2017-09-19 Thread Joy Latten
** Description changed:

  This is a request for a feature freeze exception to include FIPS into
  the ubuntu-advantage-tool package.
  
  This will allow UA customers to use the ubuntu-advantage script to do the 
following
- when "ubuntu-advantage enable-fips " is issued from commandline, 
+ when "ubuntu-advantage enable-fips " is issued from commandline,
  
-  - configure the private PPA where the FIPS modules are located
-  - install the FIPS modules from this PPA to the local machine from where the 
script is run
-  - configure the bootloader to enable fips
+  - configure the private PPA where the FIPS modules are located
+  - install the FIPS modules from this PPA to the local machine from where the 
script is run
+  - configure the bootloader to enable fips
  
  Upon successful completion of these steps, the customer then gets a message 
stating to reboot
- the machine to complete the fips enablement process. 
+ the machine to complete the fips enablement process.
  
  Without the script, customers must perform the steps manually.
  
  The following fips packages are installed:
  linux-fips, fips-initramfs  (fips kernel)
  openssl, libssl1.0.0, libssl1.0.0-hmac
  openssh-server, openssh-server-hmac
  openssh-client, openssh-client-hmac
  strongswan, strongswan-hmac
  
  The enable-fips component of the script will only work/run on xenial.
  FIPS modules are currently certified for xenial only.
  
  The patchset to include fips into ubuntu-advantage-tools includes
-   - additional code to script to support "enable-fips" option/flag
-   - additional code to script to support "is-fips-enabled" which reports if 
fips is
- enabled or not
-   - additional code to support "status" for fips
-   - addition to man page
-   - additional testcases for fips
-   - the fips private ppa keyring
+   - additional code to script to support "enable-fips" option/flag
+   - additional code to script to support "is-fips-enabled" which reports if 
fips is
+ enabled or not
+   - additional code to support "status" for fips
+   - addition to man page
+   - additional testcases for fips
+   - the fips private ppa keyring


[Bug 1718291] Re: [FFe]: Include FIPS into the ubuntu-advantage tool

2017-09-19 Thread Joy Latten
changelog diff:
https://github.com/CanonicalLtd/ubuntu-advantage-script/pull/65/commits/3a4ca12cef796d930aebc7f6570783cb1f6e6fb1

PPA with daily builds:
A PPA set up with daily builds from a github mirror using a launchpad recipe:
https://code.launchpad.net/~ahasenack/+recipe/ubuntu-advantage-script-daily


[Bug 1718291] [NEW] [FFe]: Include FIPS into the ubuntu-advantage tool

2017-09-19 Thread Joy Latten
Public bug reported:

This is a request for a feature freeze exception to include FIPS into
the ubuntu-advantage-tool package.

This will allow UA customers to use the ubuntu-advantage script to do the
following when "ubuntu-advantage enable-fips " is issued from the command line:

 - configure the private PPA where the FIPS modules are located
 - install the FIPS modules from this PPA to the local machine from where the
   script is run
 - configure the bootloader to enable fips

Upon successful completion of these steps, the customer then gets a message
stating to reboot the machine to complete the fips enablement process.

Without the script, customers must perform the steps manually.

The following fips packages are installed:
linux-fips, fips-initramfs  (fips kernel)
openssl, libssl1.0.0, libssl1.0.0-hmac
openssh-server, openssh-server-hmac
openssh-client, openssh-client-hmac
strongswan, strongswan-hmac

The enable-fips component of the script will only work/run on xenial.
FIPS modules are currently certified for xenial only.

The patchset to include fips into ubuntu-advantage-tools includes
  - additional code to script to support "enable-fips" option/flag
  - additional code to script to support "is-fips-enabled" which reports if
    fips is enabled or not
  - additional code to support "status" for fips
  - addition to man page
  - additional testcases for fips
  - the fips private ppa keyring

** Affects: ubuntu-advantage-tools (Ubuntu)
 Importance: Undecided
 Status: New


[Bug 1715010] Re: Fix XTS encryption with FIPS enabled kernels

2017-09-06 Thread Joy Latten
Hi, I installed the proposed cryptsetup and ran the common criteria
testcases for cryptsetup, that before had failed. My environment
includes the fips-supported kernel and modules. With the new cryptsetup,
all the common criteria cryptsetup testcases passed.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1715010

Title:
  Fix XTS encryption with FIPS enabled kernels

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1715010/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

2016-09-13 Thread Joy Latten
I tested version 1.0.2g-1ubuntu4.3 with the death.c program from the
upstream openssl bug ticket 4559 and confirmed this problem is now
resolved.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1588524] Re: FIPS_mode_set reports incorrect error message

2016-09-13 Thread Joy Latten
I tested this on 1.0.2g-1ubuntu4.3 using the openssl_fips_test.c that
was attached. All worked as expected and I received the expected
error message, thus verifying that this issue has been resolved in
1.0.2g-1ubuntu4.3.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1588524

Title:
  FIPS_mode_set reports incorrect error message

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1588524/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1613658] Re: OPENSSL_init_library () crash in conjunction with faketime

2016-08-18 Thread Joy Latten
I forgot to add, we will file a bug with Debian to pick up this commit.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1613658

Title:
  OPENSSL_init_library () crash in conjunction with faketime

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1613658/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1613658] Re: OPENSSL_init_library () crash in conjunction with faketime

2016-08-18 Thread Joy Latten
Marcelo and I took a look at this...

o_init.c in openssl has the following constructor, introduced for fips:
void __attribute__ ((constructor)) OPENSSL_init_library(void)

When OPENSSL_FIPS is defined, OPENSSL_init_library() calls
RAND_init_fips(), which eventually calls RAND_poll(), which calls
time(NULL). This can get called before libfaketime has initialized. Thus
the core dump.

We noticed the following commit in libfaketime that takes care of the
constructor situation:
https://github.com/wolfcw/libfaketime/commit/0bde083556e243e87bddaaf94e68f2ef85dad769
This commit will allow libfaketime to call its init routine if it has not yet
been called. This commit is not in the current version of libfaketime in
xenial.

I compiled libfaketime from github and tried my testcase and it worked.
I used the testcase that was referenced above at
https://github.com/wolfcw/libfaketime/issues/93

So we need the above commit for libfaketime.


** Bug watch added: github.com/wolfcw/libfaketime/issues #93
   https://github.com/wolfcw/libfaketime/issues/93



[Bug 1614210] [NEW] Remove incomplete fips in openssl in xenial.

2016-08-17 Thread Joy Latten
Public bug reported:

Package: openssl-1.0.2g-1ubuntu4.1
Distro: xenial

The openssl package contains incomplete fips patches. In light of the fact
that the fips work is incomplete, will not be completed in the main archive,
and is impacting customers, the patches should be withdrawn. See lp bugs
1593953, 1591797, 1594748, 1588524, 1613658. Removal of these fips patches
will remove these fips-related issues.

[Test case]
1. Problem in 1594748
Note: this problem was reported in upstream openssl and a testcase was posted
there also.
https://rt.openssl.org/Ticket/Display.html?id=4559

CRYPTO_set_mem_functions() always returns 0 because library
initialization within fips code already calls CRYPTO_malloc() and
disables it.

This testcase should cause openssl to abort, but instead it returns a
context.

#include <openssl/ssl.h>   /* header names were lost in extraction; reconstructed */
#include <stdio.h>
#include <stdlib.h>
/* Custom allocators that abort: if they are ever installed, the first
   allocation kills the process, which is the expected outcome here. */
void * my_alloc(size_t n) { abort(); }
void my_free(void *p) { abort(); }
void * my_realloc(void *p, size_t n) { abort(); }
int main(int argc, const char **argv)
{
  const SSL_METHOD *method;
  SSL_CTX *ctx;
  /* Returns 0 (ignored here) when the library has already allocated memory. */
  CRYPTO_set_mem_functions(my_alloc, my_realloc, my_free);
  SSL_library_init();
  method = SSLv23_client_method();
  ctx = SSL_CTX_new(method);
  printf("Got ctx %p\n", ctx);
  return 0;
}

2. Problem in 1593953
EC key generation allows a user to generate keys using EC curves that the EC
sign and verify do not support when OPENSSL_FIPS is defined.
Testcase taken from lp #1593953

openssl ecparam -genkey -name Oakley-EC2N-4

will fail when OPENSSL_FIPS is defined since it causes a fips key-pair
consistency check to be done. Otherwise, without OPENSSL_FIPS defined, the
check is not done.

3. Problem reported in 1588524
Error code being skipped...

Testcase taken from lp #1588524

#include <openssl/ssl.h>   /* header names were lost in extraction; reconstructed */
#include <openssl/err.h>
#include <stdio.h>

int main() {
    int rc;
    unsigned long fips_err;
    SSL_library_init();
    SSL_load_error_strings();
    ERR_load_crypto_strings();
    OpenSSL_add_all_algorithms();
    rc = FIPS_mode_set(1);
    /* With the xenial fips patches the error queue had been cleared, so
       this came back as 0 and nothing was printed below. */
    fips_err = ERR_peek_last_error();

    // FIPS_mode_set will return 0 on failure, which is expected if
    // the FIPS module is not compiled. In this case, we should then
    // be able to get the error code
    // CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0xf06d065)
    // https://wiki.openssl.org/index.php/FIPS_mode_set%28%29
    printf("%d %lu\n", rc, fips_err);
    ERR_print_errors_fp(stdout);

    ERR_free_strings();
    return 0;
}

Should report an error message.

[ Regression potential ]
Removing the fips patches should decrease the regression potential of openssl
in the main archive.

** Affects: openssl (Ubuntu)
 Importance: Undecided
 Status: New

** Description changed:

+ openssl-1.0.2g-1ubuntu4.1 in xenial.
+ 
  The openssl contains incomplete fips patches. In light that the fips is
  incomplete and will not be completed in the main archive and they are
  impacting customers, they should be withdrawn. See lp bugs 1593953,
  1591797, 1594748, 1588524, 1613658. Removal of these fips patches will
  remove these fips-related issues.
  
  [Test case]
- 1. Problem in 1594748 
+ 1. Problem in 1594748
  Note: this problem was reported in upstream openssl and testcase posted there 
also.
  https://rt.openssl.org/Ticket/Display.html?id=4559
  
  CRYPTO_set_mem_functions() always returns 0 because library
  initialization within fips code already calls CRYPTO_malloc() and
  disables it.
  
  This testcase should cause openssl to abort, but instead it returns a
  context.
  
  #include 
  #include 
  #include 
  void * my_alloc(size_t n) { abort(); }
  void my_free(void *p) { abort(); }
  void * my_realloc(void *p, size_t n) { abort(); }
  int main(int argc, const char **argv)
  {
-   const SSL_METHOD *method;
-   SSL_CTX *ctx;
-   CRYPTO_set_mem_functions(my_alloc, my_realloc, my_free);
-   SSL_library_init();
-   method = SSLv23_client_method();
-   ctx = SSL_CTX_new(method);
-   printf("Got ctx %p\n", ctx);
-   return 0;
+   const SSL_METHOD *method;
+   SSL_CTX *ctx;
+   CRYPTO_set_mem_functions(my_alloc, my_realloc, my_free);
+   SSL_library_init();
+   method = SSLv23_client_method();
+   ctx = SSL_CTX_new(method);
+   printf("Got ctx %p\n", ctx);
+   return 0;
  }
  
  2. Problem in 1593953
  EC key generation allows user to generate keys using EC curves that the EC 
sign and verify
  do not support when OPENSSL_FIPS is defined.
  Testcase taken from lp #1593953
  
  openssl ecparam -genkey -name Oakley-EC2N-4
  
  will fail when OPENSSL_FIPS is defined since it causes a fips key-pair 
consistency check to be done.
  Otherwise, without OPENSSL_FIPS defined, the check is not done.
  
  3. Problem reported in 1588524
  Error code being skipped...
  
  Testcase taken from lp #1588524
  
  #include 
  #include 
  
  int main() {
- int rc;
- unsigned long fips_err;
- SSL_library_init();
- SSL_load_error_strings();
- ERR_load_crypto_strings();
- OpenSSL_add_all_algorithms();
- rc = FIPS_mode_set(1);
- fips_err = ERR_peek_last_error();
+ int rc;
+ unsigned long fips_err;

[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

2016-08-16 Thread Joy Latten
Investigating.



[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

2016-06-21 Thread Joy Latten
Just as a note, fips mode is not enabled in 1.0.2g-1ubuntu4.1. But
OPENSSL_FIPS is defined and its code is compiled in. Thus in
OPENSSL_init_library(), the RAND_init_fips() call is included.



[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

2016-06-21 Thread Joy Latten
Waiting to see upstream commit/fix for this since this is an issue in
the upstream openssl code when OPENSSL_FIPS is defined.



[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

2016-06-21 Thread Joy Latten
** Also affects: openssl via
   http://rt.openssl.org/Ticket/Display.html?id=4559
   Importance: Unknown
   Status: Unknown



[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

2016-06-21 Thread Joy Latten
Ok, this is also "broken", or an issue, in upstream openssl 1.0.2 when
OPENSSL_FIPS is defined.
See https://rt.openssl.org/Ticket/Display.html?id=4559#txn-68189 or
http://rt.openssl.org/Ticket/Display.html?id=4559

** Bug watch added: OpenSSL RT #4559
   http://rt.openssl.org/Ticket/Display.html?id=4559



[Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

2016-06-21 Thread Joy Latten
Looking into this...



[Bug 1593953] Re: EC_KEY_generate_key() causes FIPS self-test failure

2016-06-20 Thread Joy Latten
Looking into this...

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1593953

Title:
  EC_KEY_generate_key() causes FIPS self-test failure

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1593953/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1591797] Re: Only run FIPS self tests when FIPS is enabled

2016-06-13 Thread Joy Latten
This is a FIPS 140-2 requirement.
The FIPS_mode_set(1) in init_fips_mode(), called from OPENSSL_init_library, is
there to satisfy the FIPS 140-2 Section 4.9 requirement that the power-up
selftest be run when the module is powered up. This must be done regardless of
whether the module is to be run in FIPS mode or not. Reading the /proc entry
only indicates whether to run the module in FIPS mode.

Note: The FIPS code in openssl in Xenial is a work-in-progress and is not
complete.
All effort is made to optimize the power-up selftest as much as possible.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1591797

Title:
  Only run FIPS self tests when FIPS is enabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1591797/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1588524] Re: FIPS_mode_set reports incorrect error message

2016-06-02 Thread Joy Latten
Will definitely remove clearing the error as we continue completing the
code.



[Bug 1588524] Re: FIPS_mode_set reports incorrect error message

2016-06-02 Thread Joy Latten
I purposely cleared this error message from the queue so that no one would be
distracted or thwarted by the addition of the fips code while it is a work in
progress and not complete. FIPS_module_mode_set() at this point will always
fail and return an error code.
But yes, I see in your test program that you also want to print the error
message if you get an error code.



[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-26 Thread Joy Latten
I have subscribed to openssl bug reports.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1553309

Title:
  [FFe]: Include FIPS 140-2 into openssl  package

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-19 Thread Joy Latten
Hi Martin,
I have a newbie question: what else should I do for this feature freeze?
Thanks! :-)

regards,
Joy

On Fri, Apr 15, 2016 at 12:14 AM, Martin Pitt 
wrote:

> Thanks! There's still an awful amount of patch noise, but indeed some of
> it is unavoidable as you say. But this is incrementally better than
> before, thanks for the cleanup!
>
> I uploaded this now: https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1553309
>
> Title:
>   [FFe]: Include FIPS 140-2 into openssl  package
>
> Status in openssl package in Ubuntu:
>   Fix Released
>
> Bug description:
>   This is a request for a Feature Freeze Exception to include FIPS 140-2
> selftest into the openssl package in preparation for the FIPS 140-2
> compliance for 16.0.4.
>   This patchset will :
>- add ability to config, compile, run with fips option enabled
>- add the selftest files to crypto/fips directory.
>- minor changes to several algorithms in crypto directory to ensure the
> selftest compile successfully when fips is enabled.
>
>   The selftest will be initiated externally at this point and not
> internally.
>   Hope to have a test package ready early next week.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+subscriptions
>



[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-14 Thread Joy Latten
Also, I ran the same testing on the latest ppa version (ppa7) and they all passed.



[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-14 Thread Joy Latten
Hi Martin,
I also ran an interdiff when I re-factored to ensure alignment with the original 
fedora patches. 2 or 3 of them did not apply cleanly, for various reasons, so 
I had to make very small changes. I also named each patch in debian/patches to 
be the same as in fedora.

For the interdiff of:
openssl-1.0.2g-fips.patch: for some reason "Configure" shows up in the diff, yet I 
did not make any changes to the patch. I visually compared to make sure the code is 
the same and there is no regression.
openssl-1.0.2a-fips-ec.patch: we do not ship a "version.map" file, so when 
applying the patch it prompts for the location of the file... so I removed it. So 
it will show up in the diff.
openssl-1.0.2a-fips-ctor.patch: failed to apply altogether, because it is 
looking for a line of code that contains "secure_getenv" and not "getenv". 
Upstream has "getenv" for that line of code, but fedora must have other patches 
applied before this one that change it to "secure_getenv". So I corrected it, and 
this will show up in the interdiff.

Corrected Origin in all the patches from fedora.

Hope this is all ok.



[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-14 Thread Joy Latten
Hi Martin, my ppa has a debdiff that is against my prior version. You
may find this more useful than the ppa I just attached above. Here is a
pointer:
https://launchpadlibrarian.net/253756858/openssl_1.0.2g-1ubuntu3~ppa6_1.0.2g-1ubuntu3~ppa7.diff.gz



[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-14 Thread Joy Latten
New debdiff with fixed Origin and cleaner fedora patches.

** Attachment added: "New debdiff against openssl-1.0.2g-1ubuntu2"
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+attachment/4636880/+files/debdiff-openssl_1.0.2g-1ubuntu3~ppa7



Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-13 Thread Joy Latten
Ok, I will get to work on these changes now.
I will keep the first 5 patches original to fedora. And then in my cleanup
patch do the stuff to get rid of undefined symbols, etc...
And that way I can point my Origin to the git.fedora.

Thanks!!

regards,
Joy


On Wed, Apr 13, 2016 at 3:32 PM, Martin Pitt  wrote:

> Joy Latten [2016-04-13 18:08 -]:
> > Started looking into those patch diffs...
> > for the openssl-1.0.2a-fips-ec.patch one, I had a bunch of undefined
> > symbols and so cleaned these up, causing my diff to be slightly off... my
> > bad.
>
> Ah, that makes sense.
>
> > Oh, and also, that patch installed "fips/cavs/fips_ecdhvs.c and
> > fips/cavs/fips_ecdsavs.c which are testcases I did not want to include. I
> > ignored them, but should have just removed them in my cleanup patch.
>
> Is that really necessary? Adding two .c files seems rather harmless if
> nothing refers to it, i. e. removing them from the Makefile only (in
> the ubuntu patch) should suffice?
>
> > Do you agree that I should move these things into my cleanup patch?
>
> That would be good indeed, as it avoids confusion for the next person
> who looks at this why the patches are different.
>
> Please also update the Origin:, preferably to the git.fedora ones as
> then they are one click away from comparing/for updating.
>
> Thank you!
>
> Martin
> --
> Martin Pitt| http://www.piware.de
> Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1553309
>
> Title:
>   [FFe]: Include FIPS 140-2 into openssl  package
>
> Status in openssl package in Ubuntu:
>   In Progress
>
> Bug description:
>   This is a request for a Feature Freeze Exception to include FIPS 140-2
> selftest into the openssl package in preparation for the FIPS 140-2
> compliance for 16.0.4.
>   This patchset will :
>- add ability to config, compile, run with fips option enabled
>- add the selftest files to crypto/fips directory.
>- minor changes to several algorithms in crypto directory to ensure the
> selftest compile successfully when fips is enabled.
>
>   The selftest will be initiated externally at this point and not
> internally.
>   Hope to have a test package ready early next week.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+subscriptions
>



Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-13 Thread Joy Latten
Hi Martin,

Cool!
Started looking into those patch diffs...
for the openssl-1.0.2a-fips-ec.patch one, I had a bunch of undefined
symbols and so cleaned these up, causing my diff to be slightly off... my
bad.
Should have saved that for the last patch that was for my cleanup... sorry,
I hated not being able to get a clean compile in between patches. :-)
So let me move those changes into my cleanup patch.
Oh, and also, that patch installed "fips/cavs/fips_ecdhvs.c" and
"fips/cavs/fips_ecdsavs.c", which are testcases I did not want to include. I
ignored them, but should have just removed them in my cleanup patch.

Do you agree that I should move these things into my cleanup patch? Let me
know and I will get it done today. This probably follows for the others too.
I am in my team sprint, but this is a priority.

regards,
Joy

On Wed, Apr 13, 2016 at 11:40 AM, Martin Pitt 
wrote:

> For the record:
> http://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#openssl
> looks good (linux/armhf still
> running, but that should not be relevant), but I blocked this to
> -proposed for now. I'll let this into xenial later tonight for testing,
> but we still need a followup upload with cleaning up the patch diffs and
> patch origins. Thanks!
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1553309
>
> Title:
>   [FFe]: Include FIPS 140-2 into openssl  package
>
> Status in openssl package in Ubuntu:
>   In Progress
>
> Bug description:
>   This is a request for a Feature Freeze Exception to include FIPS 140-2
> selftest into the openssl package in preparation for the FIPS 140-2
> compliance for 16.0.4.
>   This patchset will :
>- add ability to config, compile, run with fips option enabled
>- add the selftest files to crypto/fips directory.
>- minor changes to several algorithms in crypto directory to ensure the
> selftest compile successfully when fips is enabled.
>
>   The selftest will be initiated externally at this point and not
> internally.
>   Hope to have a test package ready early next week.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+subscriptions
>



Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-13 Thread Joy Latten
Hi Martin,

I will fix the Origin today. I was not sure of the naming convention for
the patches, so I kept the same name as in fedora but used the version of
openssl that we were patching. If you prefer, I can instead use the exact same
name as fedora. I actually pulled my patches from Fedora Rawhide's source
tree,
https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/source/tree/Packages/o/
directory. I downloaded the openssl source rpm and the fips patches were in the
SOURCES directory. The SRPM is openssl-1.0.2g-3.fc25.src.rpm. I used this
because it seemed to be the most recent at the time.

I just did a diff with my ctor patch and the one in fedora's SRPM I used
and it is pretty much the same.
Please advise if I should indicate the above URL in Origin for the DEP3 header and
use the exact same patch names.

Also, thanks so much Martin for helping me with all this!! :-)



On Wed, Apr 13, 2016 at 1:48 AM, Martin Pitt  wrote:

> > Dividing up the patch proved to be a challenge but was the right thing
> to do.
>
> Many thanks for doing this!
>
> Can you please fix the "Origin:
> http://dl.fedoraproject.org/pub/fedora/linux/development"; fields still?
> They should point to a particular patch in a place like
> http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/tree/, but that does
> not have "openssl-1.0.2g-fips-ctor.patch", only "openssl-1.0.2a-fips-
> ctor.patch". Although the patch there is almost identical, except for
> some patch header noise. So I suppose pointing to those is fine (bonus
> points if you just add the DEP-3 patch header but otherwise leave the
> patch intact, but that's not a biggie).
>
> But e. g. your openssl-1.0.2g-fips-ec.patch has quite a lot of changes
> compared to
> http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/plain/openssl-1.0.2a-fips-ec.patch
> (Note, Ubuntu modifications should go into
> openssl-1.0.2g-ubuntu-fips-cleanup.patch). Same for
> http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/plain/openssl-1.0.2f-new-fips-reqs.patch.
>
> Current Fedora rawhide's package is openssl 1.0.2g as well, just like
> ours, so these patches ought to be identical?
>
> Maybe you took them from a different branch, but the Fedora 24 version
> http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/plain/openssl-1.0.2f-new-fips-reqs.patch?h=f24
> is also different than yours.
>
> > Weird, but the fedora patches were not independent of each other.
>
> That's quite normal, and it would actually be a surprise if patches that
> are this big were independent.
>
> I'll upload this now so that we can see the autopkgtests against this
> version, and we have at least a few days of testing this in the wild
> before the final release. But please still clean up the patches as above
> (Origin: and patches differing from Fedora) with a follow-up upload.
>
> Thanks for bearing with me!
>
> ** Changed in: openssl (Ubuntu)
>Status: Incomplete => In Progress
>
> ** Changed in: openssl (Ubuntu)
>  Assignee: (unassigned) => Joy Latten (j-latten)
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1553309
>
> Title:
>   [FFe]: Include FIPS 140-2 into openssl  package
>
> Status in openssl package in Ubuntu:
>   In Progress
>
> Bug description:
>   This is a request for a Feature Freeze Exception to include FIPS 140-2
> selftest into the openssl package in preparation for the FIPS 140-2
> compliance for 16.0.4.
>   This patchset will :
>- add ability to config, compile, run with fips option enabled
>- add the selftest files to crypto/fips directory.
>- minor changes to several algorithms in crypto directory to ensure the
> selftest compile successfully when fips is enabled.
>
>   The selftest will be initiated externally at this point and not
> internally.
>   Hope to have a test package ready early next week.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+subscriptions
>


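The DEP-3 header Martin asks for in the exchange above, written out as an added example (it is not a patch header from the thread or from the openssl package). The thread's own "Origin: http://dl.fedoraproject.org/pub/fedora/linux/development" names only a directory, so a reviewer cannot tell which patch was imported or diff it against the source; the form below points at the exact Fedora patch URL Martin names, and keeps the Ubuntu-specific deviations in a separate patch as he requests. The Description text and the Last-Update value are placeholders.

```text
Description: FIPS EC support, taken as-is from Fedora's openssl package
 (placeholder: say what the patch changes and note that Ubuntu-specific
 changes are carried separately in openssl-1.0.2g-ubuntu-fips-cleanup.patch)
Origin: vendor, http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/plain/openssl-1.0.2a-fips-ec.patch
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1553309
Forwarded: not-needed
Last-Update: YYYY-MM-DD
```

With an Origin: of this shape, updating the patch for a newer upstream release is a matter of fetching the named URL and re-running interdiff against it, which is the "one click away from comparing" property Martin describes.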

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-12 Thread Joy Latten
New test package and debdiff. All the same testing completed successfully.
New test package, https://launchpad.net/~j-latten/+archive/ubuntu/myppa

** Attachment added: "debdiff: latest patch series (6 patches) to add fips 
support to openssl"
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+attachment/4634783/+files/debdiff.openssl_1.0.2g-1ubuntu3~ppa6



Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-12 Thread Joy Latten
Hi Martin,

Dividing up the patch proved to be a challenge but was the right thing to
do.
I divided it up into a patch series of 6, with the first 5 patches being
those from fedora. The 6th patch was all my corrections and updates.
I ran all the prior testcases successfully.

Weird, but the fedora patches were not independent of each other. Each
patch relied on the others to fulfill missing symbols and compile
successfully.
I usually like patches to be independent in that they compile
successfully,  even in a patch series.

Thanks and let me know what else is needed.

regards,
Joy

On Fri, Apr 8, 2016 at 9:04 AM, Joy Latten 
wrote:

> Hi Martin,
>
> I will get to work on all the resolutions we mentioned. Thanks!
> I will send you email when completed and list them.
>
> regards,
> Joy
>
> On Fri, Apr 8, 2016 at 2:07 AM, Martin Pitt 
> wrote:
>
>> Joy Latten [2016-04-08  5:07 -]:
>> > > -# define SHA1_Init   private_SHA1_Init
>> > Those defines are within an OPENSSL_FIPS so were never used in regular
>> > openssl.
>>
>> Ah, I see that this doesn't actually get shipped in libssl-dev, so
>> sorry for the noise.
>>
>> > > The changes in crypto/evp/p_sign.c and crypto/evp/p_verify.c don't
>> look
>> > > FIPS related, change the default behaviour, and should probably be
>> split
>> > > out into a separate patch with justification/origin and at least
>> > > proposed upstream.
>> > >
>> > >
>> > I did not think these change the default behaviour. They are adding PSS
>> or
>> > X931 padding to rsa
>> > if requested via a flag.
>>
>> Right, and both flags are already exported in
>> usr/include/openssl/evp.h in the current (unpatched) libssl. So, while
>> this code looks correct, it looks like a backported patch from
>> upstream which is unrelated to the FIPS changes.
>>
>> Again, I just noticed that during review. If that's part of the
>> original RedHat/SUSE patch etc., then by all means keep it (taking
>> unmodified patches from known, reliable, and declared origins trumps
>> pretty much everything else). But if that was one of the changes from
>> Ubuntu/you, it should be split out and sent upstream (or say which
>> upstream commit it was).
>>
>> > > It also concerns me that crypto/fips/ seems to reimplement RNG,
>> > > HMAC, and RSA algorithms which should already be in openssl
>> > > itself. [...] The reimplemented RNG (crypto/fips/fips_rand.c) has
>> > > no author information at all.
>> >
>> > Openssl community implements a lot of the fips approved algorithms into
>> the
>> > openssl-fips module, rather than into regular openssl.
>> > This means for us to acquire some of these fips approved algorithms, we
>> > must take them from the openssl-fips module source.
>>
>> Ah, so that's where they are coming from? It seems a bit dubious that
>> fips_rand.c is one of the very few files which does *not* have an
>> author information. So I guess this is another case of "as a reviewer
>> of this big patch I have not the slightest idea where this came from"
>> (cf. "split and declare patches by origin" again)
>>
>> > fips_utl.h is from the upstream openssl-fips module. It is a local
>> header
>> > file that is not exported into /usr/include/openssl.
>> > But if you prefer I can move the routines into fips_test_suite.c where
>> they
>> > are being used. Let me know if you feel strongly about this and I will
>> move
>> > them.
>>
>> No, I don't feel strongly about it, it just jumped my eye as a
>> potential trap. Again, if that's in the Ubuntu modified portion it'd
>> be nice to clean up, but do prefer unmodified patches over cleanup
>> like this.
>>
>> > > crypto/o_init.c disables checking for $OPENSSL_FORCE_FIPS_MODE. What's
>> > > the rationale for this?
>> > >
>> > >
>> > Oh wow! Yeah, that is very odd... carried over from the fedora patch. I
>> > will remove that.
>>
>> Just FTR, this would be a good example of keeping the fedora patch
>> as-is, and putting back the env check would then go into the Ubuntu
>> followup patch.
>>
>> Thanks!
>>
>> --
>> You received this bug notification because you are subscribed to the bug
>> report.
>> https://bugs.launchpad.net/bugs/1553309
>>
>> Title:
>>   [FFe]: Include FIPS 140-2 into openssl  package
>>
>> Status in openssl package 

[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-12 Thread Joy Latten
Code Review Resolutions:
1. Original one patch divided up into a patch-series of 6 patches. The first 5 
patches are the original patches from fedora. The 6th patch authored by me to 
fix compiler warnings and use updated fips compliant algorithms and tests from 
upstream openssl and openssl fips module.
2. Restored error codes to those from openssl upstream, and any new ones 
associated with fips were given a value of 200+ to avoid collisions with 
openssl upstream updates.
3. Restored defines that had been changed in evp/evp.h
4. Removed fips-prng references in fips-rand.c since no longer allowed in fips 
mode and was specifically added for fips.

New test package in
https://launchpad.net/~j-latten/+archive/ubuntu/myppa

All testcases were run and succeeded.



[Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-12 Thread Joy Latten
** Attachment added: "debdiff: latest patch series (6 patches) to add fips 
support to openssl"
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+attachment/4634739/+files/debdiff.openssl_1.0.2g-1ubuntu3~ppa5



Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-08 Thread Joy Latten
Hi Martin,

I will get to work on all the resolutions we mentioned. Thanks!
I will send you email when completed and list them.

regards,
Joy

On Fri, Apr 8, 2016 at 2:07 AM, Martin Pitt 
wrote:

> Joy Latten [2016-04-08  5:07 -]:
> > > -# define SHA1_Init   private_SHA1_Init
> > Those defines are within an OPENSSL_FIPS so were never used in regular
> > openssl.
>
> Ah, I see that this doesn't actually get shipped in libssl-dev, so
> sorry for the noise.
>
> > > The changes in crypto/evp/p_sign.c and crypto/evp/p_verify.c don't look
> > > FIPS related, change the default behaviour, and should probably be
> split
> > > out into a separate patch with justification/origin and at least
> > > proposed upstream.
> > >
> > >
> > I did not think these change the default behaviour. They are adding PSS
> or
> > X931 padding to rsa
> > if requested via a flag.
>
> Right, and both flags are already exported in
> usr/include/openssl/evp.h in the current (unpatched) libssl. So, while
> this code looks correct, it looks like a backported patch from
> upstream which is unrelated to the FIPS changes.
>
> Again, I just noticed that during review. If that's part of the
> original RedHat/SUSE patch etc., then by all means keep it (taking
> unmodified patches from known, reliable, and declared origins trumps
> pretty much everything else). But if that was one of the changes from
> Ubuntu/you, it should be split out and sent upstream (or say which
> upstream commit it was).
>
> > > It also concerns me that crypto/fips/ seems to reimplement RNG,
> > > HMAC, and RSA algorithms which should already be in openssl
> > > itself. [...] The reimplemented RNG (crypto/fips/fips_rand.c) has
> > > no author information at all.
> >
> > Openssl community implements a lot of the fips approved algorithms into
> the
> > openssl-fips module, rather than into regular openssl.
> > This means for us to acquire some of these fips approved algorithms, we
> > must take them from the openssl-fips module source.
>
> Ah, so that's where they are coming from? It seems a bit dubious that
> fips_rand.c is one of the very few files which does *not* have an
> author information. So I guess this is another case of "as a reviewer
> of this big patch I have not the slightest idea where this came from"
> (cf. "split and declare patches by origin" again)
>
> > fips_utl.h is from the upstream openssl-fips module. It is a local header
> > file that is not exported into /usr/include/openssl.
> > But if you prefer I can move the routines into fips_test_suite.c where
> they
> > are being used. Let me know if you feel strongly about this and I will
> move
> > them.
>
> No, I don't feel strongly about it, it just jumped my eye as a
> potential trap. Again, if that's in the Ubuntu modified portion it'd
> be nice to clean up, but do prefer unmodified patches over cleanup
> like this.
>
> > > crypto/o_init.c disables checking for $OPENSSL_FORCE_FIPS_MODE. What's
> > > the rationale for this?
> > >
> > >
> > Oh wow! Yeah, that is very odd... carried over from the fedora patch. I
> > will remove that.
>
> Just FTR, this would be a good example of keeping the fedora patch
> as-is, and putting back the env check would then go into the Ubuntu
> followup patch.
>
> Thanks!
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1553309
>
> Title:
>   [FFe]: Include FIPS 140-2 into openssl  package
>
> Status in openssl package in Ubuntu:
>   Incomplete
>
> Bug description:
>   This is a request for a Feature Freeze Exception to include FIPS 140-2
> selftest into the openssl package in preparation for the FIPS 140-2
> compliance for 16.0.4.
>   This patchset will :
>- add ability to config, compile, run with fips option enabled
>- add the selftest files to crypto/fips directory.
>- minor changes to several algorithms in crypto directory to ensure the
> selftest compile successfully when fips is enabled.
>
>   The selftest will be initiated externally at this point and not
> internally.
>   Hope to have a test package ready early next week.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+subscriptions
>



Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-07 Thread Joy Latten
Hi Martin,

Responses below. Thanks!

regards,
Joy

On Thu, Apr 7, 2016 at 5:27 AM, Martin Pitt 
wrote:

> Hello Joy,
>
> thanks for your answers. I'll cut out the ones that are resolved now
> from my POV.
>
> Joy Latten [2016-04-06 19:48 -]:
> > crypto in regular openssl when in fips mode. The openssl-fips module is
> not
> > only bigger than this patch, but is separate and a bit more complex.
> > Since it is separate, it would almost be akin to maintaining 2 versions
> of
> > openssl. One advantage though is that it is maintained upstream. :-)
> > Again before I got here, Canonical consulted with external security
> > consultants who recommended we pursue the method that redhat and suse
> did.
>
> Yeah, that's a shame, though I realize this decision is not up to you
> or me. If we have funding for maintaining this patch both in Xenial
> (which should be fairly easy as we'll only backport security fixes)
> and, more importantly, in newer releases which will get newer upstream
> openssl releases and thus require heavy porting and testing, then so
> be it.
>
> > > crypto/dsa/dsa.h:
> > >  # define DSA_F_DSAPARAMS_PRINT_FP 101
> > > +# define DSA_F_DSA_BUILTIN_KEYGEN 127
> > > +# define DSA_F_DSA_BUILTIN_PARAMGEN   128
> > >  # define DSA_F_DSA_BUILTIN_PARAMGEN2  126
> > >
> > > Patches like this are utterly dangerous. As soon as a new upstream
> > > version defines their own new constant further down, the FIPS patch
> will
> > > most likely still apply, but silently introduce a conflict as two
> > > different constants now have the same value.
> > >
> >
> > Yes!  What you have stated is true in general. Fortunately in the case
> you
> > pointed to above, this should not be a problem. Those are error codes.
> When
> > adding new error codes in openssl, is standard practice that you run
> "make
> > errors" which in turn creates all those defines for errors. That is how
> the
> > above happened.
>
> This doesn't help at all, though. If upstream does a new release and
> calls "make errors", then releases a tarball with that, our patch just
> gets statically applied on top of that and thus will *not* adjust the
> error codes for potential conflicts again. So with that you'd get two
> constants with the same value.
>
> OTOH, if our package build would call "make errors" again, this would
> mean that (1) we'd have an ABI break (as existing reverse dependencies
> that use these error codes all need to be rebuilt for the new value,
> as it's a macro in a public header file), and (2) the patch should not
> contain this autogenerated part in the first place.
>
>
Ok, let me investigate a bit further and get back to you.


> > > There is some pointless whitespace change in e. g. crypto/evp/c_alld.c
> > > which further blow up the patch.
> > >
> > > Sorry about that, I thought I had caught all the whitespaces. I can
> > correct that.
>
> Just for avoidance of doubt: Please only clean this up if it's in the
> Canonical-modified portion of the patch. If that comes from
> RedHat/SUSE patches, it's magnitudes better and easier for long-term
> maintenance to import them unmodified (as much as possible) and accept
> some pointless noise, rather than heavily editing those. That's why
> I deem it very important to (1) clearly document where these patches
> originate, and (2) split them up into "taken as-is from
> https://opensuse.org/whereever"; and a separate "canonical
> modifications to the FIPS patch".
>
> > Please see above. I can break into smaller patches for easier
> > reviewing and bundle with some logic.  But in terms of maintenance,
> > I honestly don't know if it will matter. It is just messy to me,
> > regardless.  Sorry, I have spent some time thinking about it. I can
> > separate out such that everything under crypto/fips is in one patch,
> > and all else in another. But they won't be independent of each other
> > in regards to successfully applying and building.
>
> No no, please don't break them apart in arbitrary ways like this. The
> point is to break them apart by origin, e. g. "taken from the upstream
> FIPS branch", "taken from RedHat", "Canonical origin". This will make
> it tremendously easier to review (as the patches which have existed
> for 10 years in other distros only need a shallow review), maintain
> (as it's much simpler to update those pa

Re: [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-07 Thread Joy Latten
Hi Martin,

My responses below. Thanks!

regards,
Joy

On Thu, Apr 7, 2016 at 6:29 AM, Martin Pitt wrote:

> I reviewed the remainder of the patch:
>
> crypto/evp/evp_locl.h
> -# define SHA1_Init   private_SHA1_Init
> -# define SHA224_Init private_SHA224_Init
> -# define SHA256_Init private_SHA256_Init
> -# define SHA384_Init private_SHA384_Init
> -# define SHA512_Init private_SHA512_Init
> -# define DES_set_key_unchecked   private_DES_set_key_unchecked
>
> This looks like an API break. E. g. SHA1_Init is being used by tons of
> stuff in https://codesearch.debian.net/results/SHA1_Init .
>

Those defines are within an OPENSSL_FIPS so were never used in regular
openssl. The SHA ones were removed because the private_* routines above do
not exist. And the private_DES_set_key_unchecked was removed so doesn't
exist either. So, this should be ok.


>
> The changes in crypto/evp/p_sign.c and crypto/evp/p_verify.c don't look
> FIPS related, change the default behaviour, and should probably be split
> out into a separate patch with justification/origin and at least
> proposed upstream.
>
>
I did not think these change the default behaviour. They are adding PSS or
X931 padding to rsa if requested via a flag. Let me investigate further as
to why it was not upstreamed. My original guess was because the upstream
openssl-fips module offers new FIPS_rsa_* routines that do this padding.

> crypto/fips/fips.c, verify_checksums() : This dynamically swaps out a
> dlopen()ed libssl.so to libcrypto.so. This smells like a portion of the
> upstream OpenSSL approach with using a plugin? As this patch patches the
> original library source code, is that still actually needed?
>
>
Yes, this is needed. This is part of the integrity check that is required
by fips.
We dlopen libcrypto.so and dlsym FIPS_mode_set. I interpreted this as a
check to ensure we are running a fips capable libcrypto.so.
We get the path to the file and then dlclose. We then compute the hmac of
path/libcrypto.so and compare the results against the hmac we ship
to verify this is our binary. Same thing is done for libssl.so. We do not
yet include the hmac file to check against, so the integrity check fails
and prevents running in fips mode.

The openssl-fips module does this hmac integrity check of itself and
libcrypto.so differently.


> Note: I mostly skipped over the fips/*_selftest.c bits, they are both
> structurally rather simple and also not verifiable at all for non-
> experts in the algorithms. The same goes for crypto/fips/fips_drbg_ctr.c
> and similar algorithms. There is some rather fiddly pointer arithmetic
> and assumptions about buffer sizes there -- has there been some vetting
> of this with running the tests both in FIPS and in normal mode through
> valgrind?
>

No, at least not yet, but is a good idea.


> It also concerns me that crypto/fips/ seems to reimplement RNG, HMAC,
> and RSA algorithms which should already be in openssl itself. Yes, there
> might be politics involved, but have there been any attempts to at least
> consolidate these parts and work with upstream to unify the algorithms?
> It's certainly fine if some of them get disabled in FIPS mode, or
> augmented with extra runtime tests, but a complete reimplementation
> seems dubious -- it wouldn't be the first time that an US government
> promoted/approved RNG turned out to be a complete fraud, so some
> references about the origin of this to lower the scepticism would be
> appreciated. If that was really written by Steven Henson there should be
> little doubts about his credentials -- but again, it's not at all clear
> where these patches originate from. But particularly the reimplemented
> RNG (crypto/fips/fips_rand.c) has no author information at all.
>

Openssl community implements a lot of the fips approved algorithms into the
openssl-fips module, rather than into regular openssl.
This means for us to acquire some of these fips approved algorithms, we
must take them from the openssl-fips module source.

The fips_rand* and fips_drbg_* are from the upstream openssl-fips module.
They are fips compliant RNGs not offered in regular openssl. When running in
non-fips mode you can still use regular openssl RNGs. However, when running in
fips mode, you must use the fips approved RNGs only.

hmmm... the latest fips specification update (Jan 2016) only allows DRBG for
random number generators now. The PRNGs are no longer allowed in fips mode.
So perhaps I should remove fips_rand.c now and not later. So I will remove.

crypto/fips does not change hmac, but rather offers an hmac based DRBG.

As for RSA, if you are referring to fips_rsa_x931g.c, it is from the
upstream openssl-fips module. It provides rsa x931 key generation which is
not offered in regular openssl.


> crypto/fips/fips_utl.h contains the full definition of functions. This
> is rather unclean, and could lead to linker errors or at least
> duplicated symbols. It's only being included by two tests, but this is a
> poten
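The HMAC integrity check Joy describes above (find the on-disk libcrypto.so, compute an HMAC over the file, compare it with the HMAC shipped beside it, and refuse FIPS mode when the shipped value is missing or does not match) can be modelled in a few lines. The block below is an added illustration, not code from the bug thread or from OpenSSL's crypto/fips/fips.c. It assumes a constructed key, a sidecar named `.<library>.hmac` in the library's directory, and a library path passed in directly; the dlopen()/dlsym() step that fips.c uses to discover that path is left out.

```python
"""Model of a FIPS-style shared-library integrity check (added example)."""
import hashlib
import hmac
import os
import tempfile

# Constructed key for this example. A real module ships a fixed key so the
# sidecar can be regenerated at build time and checked at load time.
HMAC_KEY = b"example-build-key"


def compute_file_hmac(path: str, key: bytes = HMAC_KEY) -> str:
    """HMAC-SHA256 over the whole file, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def hmac_sidecar_path(lib_path: str) -> str:
    """Assumed convention: /path/.libcrypto.so.hmac next to /path/libcrypto.so."""
    directory, base = os.path.split(lib_path)
    return os.path.join(directory, "." + base + ".hmac")


def write_hmac_sidecar(lib_path: str) -> str:
    """Build-time step: record the library's HMAC in its sidecar file."""
    sidecar = hmac_sidecar_path(lib_path)
    with open(sidecar, "w") as f:
        f.write(compute_file_hmac(lib_path) + "\n")
    return sidecar


def verify_library(lib_path: str) -> bool:
    """Load-time step: True only if the shipped HMAC exists and matches.

    A missing sidecar is treated as failure, which is the situation the
    thread describes (no .hmac file shipped yet, so FIPS mode is refused).
    """
    sidecar = hmac_sidecar_path(lib_path)
    if not os.path.exists(sidecar):
        return False
    with open(sidecar) as f:
        expected = f.read().strip()
    actual = compute_file_hmac(lib_path)
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(expected, actual)


def demo() -> dict:
    """Exercise the three cases on a constructed stand-in for libcrypto.so."""
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "libcrypto.so")
        with open(lib, "wb") as f:
            f.write(b"\x7fELF constructed stand-in for a shared object\n")
        results = {"missing_sidecar": verify_library(lib)}
        write_hmac_sidecar(lib)
        results["intact"] = verify_library(lib)
        with open(lib, "ab") as f:           # simulate modification after build
            f.write(b"one more byte\n")
        results["tampered"] = verify_library(lib)
        return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints `{'missing_sidecar': False, 'intact': True, 'tampered': False}`: no sidecar and a modified file both fail, only the untouched build passes.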
