On Mon, 16 Jan 2017 12:47:21 +0100
"Patrick Steuer" <patrick.ste...@de.ibm.com> wrote:

> 
> Hi,
> 
> When libica is running in fips mode (see icastats), /dev/hwrng
> or /dev/prandom must be available.

yes, that's what I got from reading the sources too. Currently I've
added a check to the spec file [1] and asked the mock guys to
install /dev/{hwrng,prandom} in the chroots [2].

[1] 
http://pkgs.fedoraproject.org/cgit/rpms/libica.git/commit/?id=2d708aec776cc071cb81079a70c3efcaffe835c8
[2] https://github.com/rpm-software-management/mock/issues/33


                Dan

> Best regards
> -- Patrick Steuer
> 
> Crypto for Linux on z Systems
> Phone: +49-7031-16-1600
> IBM Deutschland Research & Development GmbH
> 
> 
> 
> From: Harald Freudenberger <fre...@linux.vnet.ibm.com>
> To:   Dan Horák <d...@danny.cz>
> Cc:   opencryptoki-tech@lists.sourceforge.net, Patrick
>             Steuer/Germany/IBM@IBMDE
> Date: 16.01.2017 12:41
> Subject:      Re: [Opencryptoki-tech] [libica PATCH] make suite.out
>             user-friendly
> 
> 
> 
> 
> 
> On 01/13/2017 07:35 PM, Dan Horák wrote:
> > On Fri, 13 Jan 2017 16:01:34 +0100
> > Harald Freudenberger <fre...@linux.vnet.ibm.com> wrote:
> >
> >> On 01/13/2017 02:27 PM, Dan Horák wrote:
> >>> On Fri, 13 Jan 2017 13:52:19 +0100
> >>> Dan Horák <d...@danny.cz> wrote:
> >>>
> >>>> On Fri, 13 Jan 2017 11:17:47 +0100
> >>>> Dan Horák <d...@danny.cz> wrote:
> >>>>
> >>>>> Put some separators to the test cases outputs so suite.out
> >>>>> is more readable.
> >>>> you can see the result in the build.log at
> >>>> https://s390.koji.fedoraproject.org/koji/taskinfo?taskID=2446194
> >>>>
> >>>> Hm, the tests all passed when building the rpm locally.
> >>> it's missing /dev/prandom in the builder's chroot
> >> Hi Dan
> >> Why should opencryptoki have a dependency on /dev/prandom?
> >> Libica and thus on top the ica token would attempt to
> >> open /dev/prandom during shared library initialization but if this
> >> node is not available the fallback is to use /dev/urandom instead.
> > that's what strace told me, libica is built with FIPS support
> > enabled
> >
> > running LD_LIBRARY_PATH=../.libs PATH=..:$PATH
> > strace ./icastats_test in Fedora Rawhide (to-be Fedora 26) gives
> > ...
> > set_tid_address(0x3ff876767d0)          = 45248
> > set_robust_list(0x3ff876767e0, 24)      = 0
> > rt_sigaction(SIGRTMIN, {0x3ff87206000, [], SA_SIGINFO}, NULL, 8) = 0
> > rt_sigaction(SIGRT_1, {0x3ff872060c0, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
> > rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
> > prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
> > rt_sigprocmask(SIG_SETMASK, ~[ILL TRAP RTMIN RT_1], [], 8) = 0
> > rt_sigaction(SIGILL, {0x3ff873c3f98, ~[ILL TRAP RTMIN RT_1], 0}, {SIG_DFL, [], 0}, 8) = 0
> > rt_sigprocmask(SIG_BLOCK, NULL, ~[ILL TRAP KILL STOP RTMIN RT_1], 8) = 0
> > rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > access("/etc/system-fips", F_OK)        = -1 ENOENT (No such file or directory)
> > geteuid()                               = 0
> > statfs("/dev/shm/", {f_type=TMPFS_MAGIC, f_bsize=4096, f_blocks=238325, f_bfree=238324, f_bavail=238324, f_files=238325, f_ffree=238323, f_fsid={0, 0}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0
> > futex(0x3ff87222370, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > open("/dev/shm/icastats_0", O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC, 0600) = 3
> > ftruncate(3, 464)                       = 0
> > mmap(NULL, 464, PROT_READ|PROT_WRITE, MAP_SHARED, 3, 0) = 0x3ff87500000
> > rt_sigprocmask(SIG_UNBLOCK, [ILL], [], 8) = 0
> > rt_sigaction(SIGILL, {0x3ff87596690, [], 0}, {SIG_DFL, [], 0}, 8) = 0
> > futex(0x3ff875ad838, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > brk(NULL)                               = 0x8536d000
> > brk(0x8538e000)                         = 0x8538e000
> > rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > rt_sigprocmask(SIG_UNBLOCK, [ILL], [], 8) = 0
> > rt_sigaction(SIGILL, {0x3ff87596690, [HUP], 0}, {SIG_DFL, [], 0}, 8) = 0
> > rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > rt_sigprocmask(SIG_UNBLOCK, [ILL], [], 8) = 0
> > rt_sigaction(SIGILL, {0x3ff87596690, [HUP], 0}, {SIG_DFL, [], 0}, 8) = 0
> > rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > rt_sigprocmask(SIG_UNBLOCK, [ILL], [], 8) = 0
> > rt_sigaction(SIGILL, {0x3ff87596690, [HUP], 0}, {SIG_DFL, [], 0}, 8) = 0
> > rt_sigaction(SIGILL, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> > fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
> > read(4, "0\n", 1024)                    = 2
> > close(4)                                = 0
> > open("/dev/hwrng", O_RDONLY)            = -1 ENOENT (No such file or directory)
> > open("/dev/prandom", O_RDONLY)          = -1 ENOENT (No such file or directory)
> > open("/dev/hwrng", O_RDONLY)            = -1 ENOENT (No such file or directory)
> > open("/dev/prandom", O_RDONLY)          = -1 ENOENT (No such file or directory)
> > open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
> > fstat(4, {st_mode=S_IFREG|0644, st_size=2102, ...}) = 0
> > fstat(4, {st_mode=S_IFREG|0644, st_size=2102, ...}) = 0
> > read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 2102
> > lseek(4, -1337, SEEK_CUR)               = 765
> > read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 1337
> > close(4)                                = 0
> > socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
> > connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 ENOENT (No such file or directory)
> > close(4)                                = 0
> > futex(0x3ff874a6490, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > futex(0x3ff874a659c, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > open("/udev/z90crypt", O_RDWR)          = -1 ENOENT (No such file or directory)
> > open("/dev/z90crypt", O_RDWR)           = -1 ENOENT (No such file or directory)
> > open("/dev/zcrypt", O_RDWR)             = -1 ENOENT (No such file or directory)
> > open("/sys/devices/ap/", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
> > rt_sigaction(SIGINT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
> > rt_sigaction(SIGQUIT, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
> > rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
> > clone(child_stack=NULL, flags=CLONE_PARENT_SETTID|SIGCHLD, parent_tidptr=0x3ffe37fe87c) = 45249
> > wait4(45249, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 45249
> > rt_sigaction(SIGINT, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigaction(SIGQUIT, {SIG_DFL, [], 0}, NULL, 8) = 0
> > rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> > --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=45249, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
> > fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> > geteuid()                               = 0
> > munmap(0x3ff87500000, 464)              = 0
> > close(3)                                = 0
> > write(1, "Error in ica_random_number_gener"..., 37Error in ica_random_number_generate: ) = 37
> > exit_group(13)                          = ?
> > +++ exited with 13 +++
> >
> >
> >                              Dan
> >
> 
> looks like you are running a fips enabled kernel. Well then libica
> (if built with FIPS support) is also running in fips mode. Not sure
> if libica initialization will refuse if there is no /dev/hwrng
> and /dev/prandom available. @Patrick can you answer this?
> 
> regards H.Freudenberger
> 
> 

_______________________________________________
Opencryptoki-tech mailing list
Opencryptoki-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
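
Added example, not part of the thread and not the spec-file check referenced in [1]: a shell preflight for a build chroot that reports the two FIPS indicators visible in the strace (/proc/sys/crypto/fips_enabled and /etc/system-fips) and fails when neither /dev/hwrng nor /dev/prandom is a readable character device. The function names and the root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: preflight for a chroot before running the libica test suite.
# All function names are hypothetical. The optional argument is a root prefix
# (path of the chroot as seen from outside); empty means the running system.

# Print 1 if the kernel FIPS flag below prefix $1 reads "1", otherwise 0.
fips_flag() {
    f="$1/proc/sys/crypto/fips_enabled"
    v=0
    if [ -r "$f" ]; then
        read -r v < "$f" || v=0
    fi
    if [ "$v" = "1" ]; then echo 1; else echo 0; fi
}

# Print each of the two RNG nodes from the strace that is a readable
# character device below prefix $1, one per line.
rng_nodes() {
    for dev in /dev/hwrng /dev/prandom; do
        if [ -c "$1$dev" ] && [ -r "$1$dev" ]; then
            echo "$dev"
        fi
    done
}

# Summarise the state; return 1 when no RNG node is usable, which is the
# condition under which icastats_test exited with 13 in the trace above.
check_rng_preflight() {
    root="${1:-}"
    nodes="$(rng_nodes "$root")"
    echo "fips_enabled=$(fips_flag "$root")"
    if [ -e "$root/etc/system-fips" ]; then
        echo "system-fips=present"
    else
        echo "system-fips=absent"
    fi
    if [ -z "$nodes" ]; then
        echo "FAIL: neither /dev/hwrng nor /dev/prandom is usable" >&2
        return 1
    fi
    echo "OK: usable RNG nodes:" $nodes
    return 0
}

# Usage: check_rng_preflight "$CHROOT" || exit 1
```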
