Public bug reported:

---Problem Description---
Summary
=======
IBM z16 system LPAR
OS: "Ubuntu 22.04.1 LTS (Jammy Jellyfish)" on 5.15.0-69-generic kernel
    providing
    opencryptoki   3.17.0+dfsg+20220202.b40982e-0ubuntu1.1 s390x
The opencryptoki package is missing the strength.conf file


Details
=======
When attempting to build up no opencryptoki token is displayed.
Further investigations revealed the problem is related to a missing 
configuration file which is not shipped/included by the opencryptoki package.

Run: dpkg -L opencryptoki and check the list of files for the /etc
directory.

Further, enable the opencryptoki debug messages to display why the
tokens are not built up by 'export OPENCRYPTOKI_TRACE_LEVEL=4', then
running pkcsconf -t. A log file is written to the /var/log/opencryptoki
directory. Mind to unset the trace var again.


Terminal output
===============
# cat /var/log/opencryptoki/trace.15928
04/27/2023 14:01:34 15928 [usr/lib/common/trace.c:210 api] INFO: **** OCK Trace level 4 activated for OCK version 3.17.0 ****
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:2875 api] INFO: C_Initialize
04/27/2023 14:01:34 15928 [usr/lib/api/policy.c:1666 api] ERROR: Failed to open /etc/opencryptoki/strength.conf: No such file or directory
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:3092 api] ERROR: Policy loading failed!  rc=0x5
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1656 api] INFO: C_Finalize
04/27/2023 14:01:34 15928 [usr/lib/api/api_interface.c:1658 api] ERROR: API not initialized

 
Contact Information = christian.r...@de.ibm.com 
 
---uname output---
Linux sytem  5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:22:11 UTC 2023 
s390x s390x s390x GNU/Linux
 
Machine Type = IBM Type: 3931  Model: 704  A01
 
---Debugger---
A debugger is not configured
 
---Steps to Reproduce---
1.) Install Ubuntu 22.04.1 onto your LPAR, VM guest or KVM guest
2.) Install opencryptoki via apt-get install -y opencryptoki
3.) run: pkcsconf -t
    and watch the problem to occur
  # pkcsconf -t
  Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)
4.) export OPENCRYPTOKI_TRACE_LEVEL=4
5.) Run step 4 again
6.) ls -l /var/log/opencryptoki
    The debug file contains the hint to the missing .conf file
 
Userspace tool common name: pkcsconf 
 
The userspace tool has the following bit modes: 64bit 

Userspace rpm: opencryptoki

Userspace tool obtained from project website:  na 
 
*Additional Instructions for christian.r...@de.ibm.com:
-Attach ltrace and strace of userspace application.


== Comment: <ifran...@de.ibm.com> - 2023-04-28 03:52:34 ==
That is somewhat strange. Opencryptoki 3.17 does NOT yet contain support for 
policies, at least not the upstream version. Policy support came only with 3.18.
So I would not have expected that 3.17 has policy support at all. 

However, I don't know if the policy support was backported for/by Ubuntu
to Ubuntu's opencryptoki 3.17?

If that's the case, then I would assume that only policy support, but
not support for statistics was backported (you can check if 'pkcsstats'
is available with Ubuntu's 3.17).

With just policy support (but not statistics), the 2 config files
required for enabling policies (strength.conf and policy.conf) are
intentionally not shipped and installed in /etc/opencryptoki, but it is
the user's responsibility to provide both of them when enabling
policies. Examples for both of these config files are provided in the
documentation directory of the package: strength-example.conf and
policy-example.conf.

With 3.18, statistics support was added, and with that, the
strength.conf file was changed to be shipped and installed in
/etc/opencryptoki, because the statistics support needs to know the
strength definitions as well, independent of policies being enabled or
not. So starting with 3.18, a user would only have to supply a
policy.conf file to enable policies, if the provided strength
configuration matches their needs.

Please keep in mind, the provided strength.conf/strength-example.conf
and policy-example.conf file are intentionally just examples! A user
must adjust them to what their requirements on key strength and policy
settings are. For example, the provided policy example config file
'policy-example.conf' contains the following:

  # Do not require any specific strength.
  # You probably do not want this!
  strength = 0

So this is something that the user must adjust in any case. Having a
policy that requires a key strength of 0 bits simply means that all keys
of all strength are allowed.

Please also see 'man policy.conf' and 'man strength.conf' for details.


Given above, I would tend to consider this BZ as 'works as designed', unless it 
turns out that the backport misses important things.

== Comment: <ifran...@de.ibm.com> - 2023-04-28 03:59:08 ==
It only fails if the user has supplied a policy.conf file, but no strength.conf 
file.

== Comment: <christian.r...@de.ibm.com> - 2023-05-08 05:10:09 ==
Apparently the policy as well as statistics support shall be integrated into 
the opencryptoki library release shipped with Ubuntu 22.04 (jammy jellyfish). 
Please integrate a default strength.conf file.
Thanks.

Refer also to the comment in LaunchPad LP1959419 :
"Please note that with the patches on top of 3.17 a new strength.conf file is 
being installed into /etc/opencryptoki when doing 'make install'. Make sure 
that you include this new file into your package so that it gets installed at 
the user systems. Without the strength.conf file opencryptoki won't work."

== Comment: <ifran...@de.ibm.com> - 2023-05-08 06:14:46 ==
Note that strength.conf must be owned by root:pkcs11 and MUST (!) have a mode 
of 0640.
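The conditions discussed in this thread (policy.conf present without strength.conf, which makes C_Initialize fail with rc=0x5, and the root:pkcs11 / 0640 requirement on strength.conf) can be verified from the file system before running pkcsconf. The following check script is an added example, not part of the bug report or of the opencryptoki project; it assumes GNU coreutils `stat -c` (Linux) and takes the config directory as an optional argument so it can be run against a staging copy.

```shell
#!/bin/sh
# Added example (not opencryptoki's own tooling): check an opencryptoki
# config directory for the problems described in LP 2018911.
# Assumes GNU coreutils 'stat -c'.
#
# Prints one word and returns non-zero on any problem:
#   ok                strength.conf present with mode 0640 and owner root:pkcs11
#   no-policy         neither file present: policies disabled, nothing to check
#   missing-strength  policy.conf present but strength.conf missing (this bug)
#   bad-mode          strength.conf mode is not 0640
#   bad-owner         strength.conf is not owned by root:pkcs11
check_ock_policy_files() {
    dir="${1:-/etc/opencryptoki}"
    if [ ! -f "$dir/strength.conf" ]; then
        if [ -f "$dir/policy.conf" ]; then
            # Exactly the state the trace above reports: policy loading fails.
            echo missing-strength
            return 1
        fi
        echo no-policy
        return 0
    fi
    mode=$(stat -c '%a' "$dir/strength.conf")
    owner=$(stat -c '%U:%G' "$dir/strength.conf")
    if [ "$mode" != "640" ]; then
        echo bad-mode
        return 2
    fi
    if [ "$owner" != "root:pkcs11" ]; then
        echo bad-owner
        return 3
    fi
    echo ok
    return 0
}

# Stand-alone use: ./ock-policy-check.sh [config-dir]
if [ -n "${1:-}" ]; then
    check_ock_policy_files "$1"
fi
```

Run it with no argument inside a script that sources it, or pass the directory explicitly; the exit code distinguishes the four failure modes for use in a package post-install or CI check.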

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: Skipper Bug Screeners (skipper-screen-team)
         Status: New


** Tags: architecture-s39064 bugnameltc-202380 severity-medium 
targetmilestone-inin---

** Tags added: architecture-s39064 bugnameltc-202380 severity-medium
targetmilestone-inin---

** Changed in: ubuntu
     Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)

** Package changed: ubuntu => linux (Ubuntu)

https://bugs.launchpad.net/bugs/2018911

Title:
  [UBUNTU 22.04] opencryptoki  3.17.0 is missing the strength.conf
  config file

Status in linux package in Ubuntu:
  New

