[ima-evm-utils][PATCH 0/3] Enable and disable OpenSSL provider tests

[ima-evm-utils][PATCH 0/3] Enable and disable OpenSSL provider tests

[Stefan Berger]

From: Stefan Berger <stefanb@linux.ibm.com>

This series enables tests with OpenSSL providers on Ubuntu for testing with
pkcs11 and SoftHSM. At the same time it disables testing with OpenSSL
providers on AltLinux and Debian due to an issue that most likely stems
from a bug in a dependency (OpenSSL, libp11, SoftHSM, or others).

Regards,
   Stefan

Stefan Berger (3):
  Call OPENSSL_Cleanup before main exit to avoid crashes when engine was
    used
  CI/CD: Disable pkcs11 providers for Debian and AltLinux
  CI/CD: Also enable Ubuntu 24.04 (Noble) and run provider tests

 .github/workflows/ci.yml |  5 ++++
 .travis.yml              |  4 +++
 ci/alt.sh                |  2 +-
 ci/debian.sh             |  2 +-
 ci/ubuntu.sh             | 63 +++++++++++++++++++++++++++++++++++++++-
 src/evmctl.c             |  3 ++
 6 files changed, 76 insertions(+), 3 deletions(-)
 mode change 120000 => 100755 ci/ubuntu.sh

-- 
2.43.0

[ima-evm-utils][PATCH 1/3] Call OPENSSL_Cleanup before main exit to avoid crashes when engine was used

[Stefan Berger]

From: Stefan Berger <stefanb@linux.ibm.com>

When OPENSSL_Cleanup is called via destructor after main() was left then
evmctl crashes on Ubuntu 24.04 (Noble). This can be avoided by calling
OpenSSL_Cleanup explicitly before leaving main().

Link: https://bugs.launchpad.net/ubuntu/+source/softhsm2/+bug/2059340
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 src/evmctl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/evmctl.c b/src/evmctl.c
index 3ebda6f..ad75853 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -3347,5 +3347,8 @@ error:
 	ERR_free_strings();
 	EVP_cleanup();
 	BIO_free(NULL);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+	OPENSSL_cleanup();
+#endif
 	return err;
 }
-- 
2.43.0

[ima-evm-utils][PATCH 2/3] CI/CD: Disable pkcs11 providers for Debian and AltLinux

[Stefan Berger]

From: Stefan Berger <stefanb@linux.ibm.com>

Disable testing provider support on Debian:latest and AltLinux:sisyphus
since both now get stuck while running OpenSSL provider-related tests.
This is most likely due to an update in a dependency (OpenSSL, libp11,
softhsm,  or others).

On AltLinux the issues is related to a pthread_mutex_lock() down the
C_Login -> C_OpenSession callpath that blocks forever.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 ci/alt.sh    | 2 +-
 ci/debian.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ci/alt.sh b/ci/alt.sh
index f86dcec..f1eefbf 100755
--- a/ci/alt.sh
+++ b/ci/alt.sh
@@ -28,4 +28,4 @@ apt-get install -y \
 		xxd \
 	&& control openssl-gost enabled
 
-apt-get install -y pkcs11-provider || true
+# apt-get install -y pkcs11-provider || true
diff --git a/ci/debian.sh b/ci/debian.sh
index e1bae43..34125d4 100755
--- a/ci/debian.sh
+++ b/ci/debian.sh
@@ -59,4 +59,4 @@ $apt \
 $apt xxd || $apt vim-common
 $apt libengine-gost-openssl || true
 $apt softhsm2 gnutls-bin libengine-pkcs11-openssl || true
-$apt softhsm2 gnutls-bin pkcs11-provider || true
+# $apt softhsm2 gnutls-bin pkcs11-provider || true
-- 
2.43.0

Re: [ima-evm-utils][PATCH 2/3] CI/CD: Disable pkcs11 providers for Debian and AltLinux

[Jonathan McDowell]

On Thu, Jun 20, 2024 at 08:59:11PM -0400, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.ibm.com>
> 
> Disable testing provider support on Debian:latest and AltLinux:sisyphus
> since both now get stuck while running OpenSSL provider-related tests.
> This is most likely due to an update in a dependency (OpenSSL, libp11,
> softhsm,  or others).

This seems to disable it for both Debian stable + testing.  Is it
actually broken for both?

> On AltLinux the issues is related to a pthread_mutex_lock() down the
> C_Login -> C_OpenSession callpath that blocks forever.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  ci/alt.sh    | 2 +-
>  ci/debian.sh | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/ci/alt.sh b/ci/alt.sh
> index f86dcec..f1eefbf 100755
> --- a/ci/alt.sh
> +++ b/ci/alt.sh
> @@ -28,4 +28,4 @@ apt-get install -y \
>  		xxd \
>  	&& control openssl-gost enabled
>  
> -apt-get install -y pkcs11-provider || true
> +# apt-get install -y pkcs11-provider || true
> diff --git a/ci/debian.sh b/ci/debian.sh
> index e1bae43..34125d4 100755
> --- a/ci/debian.sh
> +++ b/ci/debian.sh
> @@ -59,4 +59,4 @@ $apt \
>  $apt xxd || $apt vim-common
>  $apt libengine-gost-openssl || true
>  $apt softhsm2 gnutls-bin libengine-pkcs11-openssl || true
> -$apt softhsm2 gnutls-bin pkcs11-provider || true
> +# $apt softhsm2 gnutls-bin pkcs11-provider || true
> -- 
> 2.43.0

J.

-- 
I have found the monster - the monster is us.

Re: [ima-evm-utils][PATCH 2/3] CI/CD: Disable pkcs11 providers for Debian and AltLinux

[Mimi Zohar]

On Fri, 2024-06-21 at 11:03 +0100, Jonathan McDowell wrote:
> On Thu, Jun 20, 2024 at 08:59:11PM -0400, Stefan Berger wrote:
> > From: Stefan Berger <stefanb@linux.ibm.com>
> > 
> > Disable testing provider support on Debian:latest and AltLinux:sisyphus
> > since both now get stuck while running OpenSSL provider-related tests.
> > This is most likely due to an update in a dependency (OpenSSL, libp11,
> > softhsm,  or others).
> 
> This seems to disable it for both Debian stable + testing.  Is it
> actually broken for both?

There is no pkcs11-provider package on stable, so the test is skipped.

> 
> > On AltLinux the issues is related to a pthread_mutex_lock() down the
> > C_Login -> C_OpenSession callpath that blocks forever.
> > 
> > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > ---
> >  ci/alt.sh    | 2 +-
> >  ci/debian.sh | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/ci/alt.sh b/ci/alt.sh
> > index f86dcec..f1eefbf 100755
> > --- a/ci/alt.sh
> > +++ b/ci/alt.sh
> > @@ -28,4 +28,4 @@ apt-get install -y \
> >  		xxd \
> >  	&& control openssl-gost enabled
> >  
> > -apt-get install -y pkcs11-provider || true
> > +# apt-get install -y pkcs11-provider || true
> > diff --git a/ci/debian.sh b/ci/debian.sh
> > index e1bae43..34125d4 100755
> > --- a/ci/debian.sh
> > +++ b/ci/debian.sh
> > @@ -59,4 +59,4 @@ $apt \
> >  $apt xxd || $apt vim-common
> >  $apt libengine-gost-openssl || true
> >  $apt softhsm2 gnutls-bin libengine-pkcs11-openssl || true
> > -$apt softhsm2 gnutls-bin pkcs11-provider || true
> > +# $apt softhsm2 gnutls-bin pkcs11-provider || true
> > -- 
> > 2.43.0
> 
> J.
> 

Re: [ima-evm-utils][PATCH 2/3] CI/CD: Disable pkcs11 providers for Debian and AltLinux

[Jonathan McDowell]

On Fri, Jun 21, 2024 at 06:24:38AM -0400, Mimi Zohar wrote:
> On Fri, 2024-06-21 at 11:03 +0100, Jonathan McDowell wrote:
> > On Thu, Jun 20, 2024 at 08:59:11PM -0400, Stefan Berger wrote:
> > > From: Stefan Berger <stefanb@linux.ibm.com>
> > > 
> > > Disable testing provider support on Debian:latest and AltLinux:sisyphus
> > > since both now get stuck while running OpenSSL provider-related tests.
> > > This is most likely due to an update in a dependency (OpenSSL, libp11,
> > > softhsm,  or others).
> > 
> > This seems to disable it for both Debian stable + testing.  Is it
> > actually broken for both?
> 
> There is no pkcs11-provider package on stable, so the test is skipped.

Ah, right. I can't actually figure out what tree Stefan's patch is
against to try myself. https://git.code.sf.net/p/linux-ima/ima-evm-utils
does not have the commented out softhsm2 / pkcs11-provider apt line.
Where should I be looking?

J.

-- 
Web [   Synonym: word used when you can't spell the one you want   ]
site: https:// [                                          ]      Made by
www.earth.li/~noodles/  [                      ]         HuggieTag 0.0.24

Re: [ima-evm-utils][PATCH 2/3] CI/CD: Disable pkcs11 providers for Debian and AltLinux

[Mimi Zohar]

On Fri, 2024-06-21 at 12:44 +0100, Jonathan McDowell wrote:
> On Fri, Jun 21, 2024 at 06:24:38AM -0400, Mimi Zohar wrote:
> > On Fri, 2024-06-21 at 11:03 +0100, Jonathan McDowell wrote:
> > > On Thu, Jun 20, 2024 at 08:59:11PM -0400, Stefan Berger wrote:
> > > > From: Stefan Berger <stefanb@linux.ibm.com>
> > > > 
> > > > Disable testing provider support on Debian:latest and AltLinux:sisyphus
> > > > since both now get stuck while running OpenSSL provider-related tests.
> > > > This is most likely due to an update in a dependency (OpenSSL, libp11,
> > > > softhsm,  or others).
> > > 
> > > This seems to disable it for both Debian stable + testing.  Is it
> > > actually broken for both?
> > 
> > There is no pkcs11-provider package on stable, so the test is skipped.
> 
> Ah, right. I can't actually figure out what tree Stefan's patch is
> against to try myself. https://git.code.sf.net/p/linux-ima/ima-evm-utils
> does not have the commented out softhsm2 / pkcs11-provider apt line.
> Where should I be looking?

Upstream should be based on the next-testing branch of 
https://github.com/linux-integrity/ima-evm-utils.git.

Mimi

Re: [ima-evm-utils][PATCH 2/3] CI/CD: Disable pkcs11 providers for Debian and AltLinux

[Jonathan McDowell]

On Fri, Jun 21, 2024 at 04:34:33PM -0400, Mimi Zohar wrote:
> On Fri, 2024-06-21 at 12:44 +0100, Jonathan McDowell wrote:
> > On Fri, Jun 21, 2024 at 06:24:38AM -0400, Mimi Zohar wrote:
> > > On Fri, 2024-06-21 at 11:03 +0100, Jonathan McDowell wrote:
> > > > On Thu, Jun 20, 2024 at 08:59:11PM -0400, Stefan Berger wrote:
> > > > > From: Stefan Berger <stefanb@linux.ibm.com>
> > > > > 
> > > > > Disable testing provider support on Debian:latest and AltLinux:sisyphus
> > > > > since both now get stuck while running OpenSSL provider-related tests.
> > > > > This is most likely due to an update in a dependency (OpenSSL, libp11,
> > > > > softhsm,  or others).
> > > > 
> > > > This seems to disable it for both Debian stable + testing.  Is it
> > > > actually broken for both?
> > > 
> > > There is no pkcs11-provider package on stable, so the test is skipped.
> > 
> > Ah, right. I can't actually figure out what tree Stefan's patch is
> > against to try myself. https://git.code.sf.net/p/linux-ima/ima-evm-utils
> > does not have the commented out softhsm2 / pkcs11-provider apt line.
> > Where should I be looking?
> 
> Upstream should be based on the next-testing branch of 
> https://github.com/linux-integrity/ima-evm-utils.git.

Thanks, I was able to reproduce with that. There's some sort of deadlock
happening down in the softhsm2 / p11-kit-proxy layers that wasn't
immediately obvious to me. Backtrace at

https://the.earth.li/~noodles/evm-test-failure

in case it means something to someone else.

J.

-- 
Can't you see I want tenderness, you idiot?

Re: [ima-evm-utils][PATCH 2/3] CI/CD: Disable pkcs11 providers for Debian and AltLinux

[Mimi Zohar]

[Cc: Vitaly for AltLinux]

On Thu, 2024-06-20 at 20:59 -0400, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.ibm.com>
> 
> Disable testing provider support on Debian:latest and AltLinux:sisyphus
> since both now get stuck while running OpenSSL provider-related tests.
> This is most likely due to an update in a dependency (OpenSSL, libp11,
> softhsm,  or others).
> 
> On AltLinux the issues is related to a pthread_mutex_lock() down the
> C_Login -> C_OpenSession callpath that blocks forever.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  ci/alt.sh    | 2 +-
>  ci/debian.sh | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/ci/alt.sh b/ci/alt.sh
> index f86dcec..f1eefbf 100755
> --- a/ci/alt.sh
> +++ b/ci/alt.sh
> @@ -28,4 +28,4 @@ apt-get install -y \
>  		xxd \
>  	&& control openssl-gost enabled
>  
> -apt-get install -y pkcs11-provider || true
> +# apt-get install -y pkcs11-provider || true
> diff --git a/ci/debian.sh b/ci/debian.sh
> index e1bae43..34125d4 100755
> --- a/ci/debian.sh
> +++ b/ci/debian.sh
> @@ -59,4 +59,4 @@ $apt \
>  $apt xxd || $apt vim-common
>  $apt libengine-gost-openssl || true
>  $apt softhsm2 gnutls-bin libengine-pkcs11-openssl || true
> -$apt softhsm2 gnutls-bin pkcs11-provider || true
> +# $apt softhsm2 gnutls-bin pkcs11-provider || true

[ima-evm-utils][PATCH 3/3] CI/CD: Also enable Ubuntu 24.04 (Noble) and run provider tests

[Stefan Berger]

From: Stefan Berger <stefanb@linux.ibm.com>

With provider support fixed for Ubuntu 24.04 (Noble), enable testing with
it. To test provider support on Ubuntu, make a copy of the debian.sh
install file and enable the installation of provider support there.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 .github/workflows/ci.yml |  5 ++++
 .travis.yml              |  4 +++
 ci/ubuntu.sh             | 63 +++++++++++++++++++++++++++++++++++++++-
 3 files changed, 71 insertions(+), 1 deletion(-)
 mode change 120000 => 100755 ci/ubuntu.sh

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5d67c70..772eb34 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -143,6 +143,11 @@ jobs:
               CC: gcc
               TSS: ibmtss
 
+          - container: "ubuntu:noble"
+            env:
+              CC: gcc
+              TSS: ibmtss
+
           - container: "ubuntu:xenial"
             env:
               CC: clang
diff --git a/.travis.yml b/.travis.yml
index af82040..0c78958 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -43,6 +43,10 @@ matrix:
           env: DISTRO=ubuntu:mantic TSS=ibmtss
           compiler: gcc
 
+        - os: linux
+          env: DISTRO=ubuntu:noble TSS=ibmtss
+          compiler: gcc
+
         - os: linux
           env: DISTRO=ubuntu:jammy TSS=ibmtss COMPILE_SSL=openssl-3.0.5
           compiler: gcc
diff --git a/ci/ubuntu.sh b/ci/ubuntu.sh
deleted file mode 120000
index 0edcb8b..0000000
--- a/ci/ubuntu.sh
+++ /dev/null
@@ -1 +0,0 @@
-debian.sh
\ No newline at end of file
diff --git a/ci/ubuntu.sh b/ci/ubuntu.sh
new file mode 100755
index 0000000..e1bae43
--- /dev/null
+++ b/ci/ubuntu.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+set -ex
+
+# workaround for Ubuntu impish asking to interactively configure tzdata
+export DEBIAN_FRONTEND="noninteractive"
+
+if [ -z "$CC" ]; then
+	echo "missing \$CC!" >&2
+	exit 1
+fi
+
+# debian.*.sh must be run first
+if [ "$ARCH" ]; then
+	ARCH=":$ARCH"
+	unset CC
+else
+	apt update
+fi
+
+# ibmswtpm2 requires gcc
+[ "$CC" = "gcc" ] || CC="gcc $CC"
+
+case "$TSS" in
+ibmtss) TSS="libtss-dev";;
+tpm2-tss) TSS="libtss2-dev";;
+'') echo "Missing TSS!" >&2; exit 1;;
+*) [ "$TSS" ] && echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
+esac
+
+apt="apt install -y --no-install-recommends"
+
+$apt \
+	$CC $TSS \
+	asciidoc \
+	attr \
+	autoconf \
+	automake \
+	diffutils \
+	debianutils \
+	docbook-xml \
+	docbook-xsl \
+	e2fsprogs \
+	gzip \
+	libattr1-dev$ARCH \
+	libkeyutils-dev$ARCH \
+	libssl-dev$ARCH \
+	libtool \
+	make \
+	openssl \
+	pkg-config \
+	procps \
+	sudo \
+	util-linux \
+	wget \
+	xsltproc \
+	gawk
+
+$apt xxd || $apt vim-common
+$apt libengine-gost-openssl || true
+$apt softhsm2 gnutls-bin libengine-pkcs11-openssl || true
+$apt softhsm2 gnutls-bin pkcs11-provider || true
-- 
2.43.0

Re: [ima-evm-utils][PATCH 3/3] CI/CD: Also enable Ubuntu 24.04 (Noble) and run provider tests

[Mimi Zohar]

On Thu, 2024-06-20 at 20:59 -0400, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.ibm.com>
> 
> With provider support fixed for Ubuntu 24.04 (Noble), enable testing with
> it. To test provider support on Ubuntu, make a copy of the debian.sh
> install file and enable the installation of provider support there.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  .github/workflows/ci.yml |  5 ++++
>  .travis.yml              |  4 +++
>  ci/ubuntu.sh             | 63 +++++++++++++++++++++++++++++++++++++++-
>  3 files changed, 71 insertions(+), 1 deletion(-)
>  mode change 120000 => 100755 ci/ubuntu.sh
> 
> diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
> index 5d67c70..772eb34 100644
> --- a/.github/workflows/ci.yml
> +++ b/.github/workflows/ci.yml
> @@ -143,6 +143,11 @@ jobs:
>                CC: gcc
>                TSS: ibmtss
>  
> +          - container: "ubuntu:noble"
> +            env:
> +              CC: gcc
> +              TSS: ibmtss
> +
>            - container: "ubuntu:xenial"
>              env:
>                CC: clang
> diff --git a/.travis.yml b/.travis.yml
> index af82040..0c78958 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -43,6 +43,10 @@ matrix:
>            env: DISTRO=ubuntu:mantic TSS=ibmtss
>            compiler: gcc
>  
> +        - os: linux
> +          env: DISTRO=ubuntu:noble TSS=ibmtss
> +          compiler: gcc
> +

There needs to be a balance between testing all releases and a good subset. 
There's already 3 Ubuntu releases - jammy, mantic, xenial.  Please don't add
another release, but roll them - noble, mantic, xenial (or bionic).

>          - os: linux
>            env: DISTRO=ubuntu:jammy TSS=ibmtss COMPILE_SSL=openssl-3.0.5
>            compiler: gcc
> diff --git a/ci/ubuntu.sh b/ci/ubuntu.sh
> deleted file mode 120000
> index 0edcb8b..0000000
> --- a/ci/ubuntu.sh
> +++ /dev/null
> @@ -1 +0,0 @@
> -debian.sh
> \ No newline at end of file
> diff --git a/ci/ubuntu.sh b/ci/ubuntu.sh
> new file mode 100755
> index 0000000..e1bae43
> --- /dev/null
> +++ b/ci/ubuntu.sh
> @@ -0,0 +1,62 @@
> +#!/bin/sh
> +# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
> +set -ex
> +
> +# workaround for Ubuntu impish asking to interactively configure tzdata
> +export DEBIAN_FRONTEND="noninteractive"
> +
> +if [ -z "$CC" ]; then
> +	echo "missing \$CC!" >&2
> +	exit 1
> +fi
> +
> +# debian.*.sh must be run first
> +if [ "$ARCH" ]; then
> +	ARCH=":$ARCH"
> +	unset CC
> +else
> +	apt update
> +fi
> +
> +# ibmswtpm2 requires gcc
> +[ "$CC" = "gcc" ] || CC="gcc $CC"
> +
> +case "$TSS" in
> +ibmtss) TSS="libtss-dev";;
> +tpm2-tss) TSS="libtss2-dev";;
> +'') echo "Missing TSS!" >&2; exit 1;;
> +*) [ "$TSS" ] && echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
> +esac
> +
> +apt="apt install -y --no-install-recommends"
> +
> +$apt \
> +	$CC $TSS \
> +	asciidoc \
> +	attr \
> +	autoconf \
> +	automake \
> +	diffutils \
> +	debianutils \
> +	docbook-xml \
> +	docbook-xsl \
> +	e2fsprogs \
> +	gzip \
> +	libattr1-dev$ARCH \
> +	libkeyutils-dev$ARCH \
> +	libssl-dev$ARCH \
> +	libtool \
> +	make \
> +	openssl \
> +	pkg-config \
> +	procps \
> +	sudo \
> +	util-linux \
> +	wget \
> +	xsltproc \
> +	gawk
> +
> +$apt xxd || $apt vim-common
> +$apt libengine-gost-openssl || true
> +$apt softhsm2 gnutls-bin libengine-pkcs11-openssl || true
> +$apt softhsm2 gnutls-bin pkcs11-provider || true