** Description changed: + [Impact] + + * An opencryptoki symmetric key object, wrapped by an IBM CCA DES + master key, cannot be migrated from a previous master key stored + in the OLD register to a new master key stored in the CURRENT + register, if a token is used that has a higher index than the + number of tokens available. + + * The problem remains if the CCA token is indexed as token 0, + as well as if the ICA token is defined in addition + and the ICA token is token 0 and CCA is token 1. + + * Users who run configurations which do not have a token present + in all slots starting from 0 to slot <n> wont be able to do the + described migration. + + * The upstream accepted patch removes a faulty check which enforces + users to run configurations + with continuous slot ids for slots that have a token present, + hence it enables users running such configurations to do the + migration as described above flawlessly. + + [Test Plan] + + * An IBM Z or LinuxONE system is needed with a CryptoExpress 5S or newer + crypto adapter card in place and with at least one crypto domain online. + + * Install Ubuntu Server for s390x version <20.10|20.04|18.04|16.04> and + on top: + + * Verify that a crypto domain is available with 'lszcrypt -V'. + + * Install the proprietary IBM CCA Host Libraries and Tools package (csulcca_7.1.x-x_s390x.deb) + from https://www.ibm.com/security/cryptocards/pciecc4/lonzsoftware (as of today: csulcca_7.1.35-01_s390x.deb). + + * Prepare for setting an initial master key, for example with: + /opt/IBM/CCA/bin/panel.exe -mk-load=$(xxd -p -c 256 -l 32 /dev/random) --mktype=AES --mkpart=<PART> + whereas <PART> is FIRST, MIDDLE and LAST + + * And set the master key: + /opt/IBM/CCA/bin/panel.exe -mk-set --mktype=AES + + * Install opencryptoki: + sudo apt-get install opencryptoki + + * Add the acting user to the pkcs11 group: + sudo usermod -aG pkcs11 <userid> + Log out and in again with <userid> to make the pkcs11 group changes to take effect. + + * Configure opencryptoki to only show the CCA token (see /etc/opencryptoki/opencryptoki.conf) and restart pkcsslotd: + sudo cp -p /etc/opencryptoki/opencryptoki.conf{,_$(date +%Y-%m-%d_%H:%M:%S).backup} + sudo sed -i 's/^stdll = .*/stdll = libpkcs11_cca.so/' /etc/opencryptoki/opencryptoki.conf + sudo sed -i '/^confname = ep11tok.conf/d' /etc/opencryptoki/opencryptoki.conf + sudo systemctl restart pkcsslotd + + * Initialize the opencryptoki CCA token: + pkcsconf -I -c <n> # whereas <n> is the CCA slot + pkcsconf -P -c <n> + pkcsconf -u -c <n> + + * The token is expected to be in the initialized state, showing the flags value as below: + Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED) + pkcsconf -t -c <n> | grep Flags + + * Export PKCS11_USER_PIN=<your user PIN> from the token initialization. + + * Generate DES token objects wrapped by the secure master key stored in the current CCA DES register (sym category): + p11sak generate-key des --slot <n> --pin <your user PIN> --label des_test + (For older opencryptoki library versions than 3.14 use the GitHub opencryptoki misc_tests + tok_des test with C_DestroyObject() commented to keep the objects created during the test. https://github.com/opencryptoki/opencryptoki/tree/master/testcases/misc_tests) + + * Prepare for setting a new DES master key, for example with: + /opt/IBM/CCA/bin/panel.exe -mk-load=$(xxd -p -c 256 -l 32 /dev/random) --mktype=AES --mkpart=<PART> + whereas <PART> is FIRST, MIDDLE and LAST + + * Run: pkcscca -m keys -s 2 -k sym -d /var/lib/opencryptoki/ccatok -v + Without fix the message "usr/sb2 is not a valid slot ID" is printed. + With working solution, the messages printed are + "Enter the SO PIN: + Enter the USER PIN: + Successfully migrated: DES: 1." + + [Where problems could occur] + + * With the removal of the erroneous code, done by commit/patch: + caa4bbba "A slot ID has nothing to do with the number of slots" + the behavior of migrate_wrapped may change unexpectedly. + + * Especially since exit codes 3 and 4 got dropped. + + * Any checks for those exit codes would potentially have to be adapted, + but such error codes would have been caused by error situations anyway, even in case the bug is not fixed. + Invalid slot ids will cause an exit code of 5 now. + + * Issues could occur in case slot_count might still be used outside the scope of the patch, + but this is simple to check and a test build will indicate this anyway. + + [Other Info] + + * A successful test build of a patched package was made available + for further testing with this PPA: + https://launchpad.net/~fheimes/+archive/ubuntu/lp1915517 + + * Hirsute/21.04 is covered by the version bump to a new upstream release + 3.15.1 (+ add. patches) of LP: #1906369. + __________ + Details ======= An opencryptoki symmetric key object wrapped by the IBM CCA DES master key cannot be migrated from a previous master key stored in the OLD register to a newer master key stored in the CURRENT register, when a token with a higher index is used, than number of tokens are available. The problem remains when the CCA token is indexed as token 0, as well as when the ICA token is defined in addition and the ICA token is token 0 and CCA is token 1. Fix === The following commit has been verified to fix this issue: https://github.com/opencryptoki/opencryptoki/commit/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch "[PATCH] A slot ID has nothing to do with the number of slots" This git commit need to be applied to all version with opencrycpptoki >= 3.4 - xenial (16.04LTS) (utils): 3.4.1+dfsg-1ubuntu3 + xenial (16.04LTS) (utils): 3.4.1+dfsg-1ubuntu3 bionic (18.04LTS) (utils): 3.9.0+dfsg-0ubuntu1 focal (20.04LTS) (utils): 3.13.0+dfsg-0ubuntu5: groovy (20.10) (utils): 3.14.0+dfsg-0ubuntu3 hirsute (utils): 3.14.0+dfsg-0ubuntu3
** Description changed: [Impact] - * An opencryptoki symmetric key object, wrapped by an IBM CCA DES - master key, cannot be migrated from a previous master key stored - in the OLD register to a new master key stored in the CURRENT - register, if a token is used that has a higher index than the - number of tokens available. + * An opencryptoki symmetric key object, wrapped by an IBM CCA DES + master key, cannot be migrated from a previous master key stored + in the OLD register to a new master key stored in the CURRENT + register, if a token is used that has a higher index than the + number of tokens available. - * The problem remains if the CCA token is indexed as token 0, - as well as if the ICA token is defined in addition - and the ICA token is token 0 and CCA is token 1. + * The problem remains if the CCA token is indexed as token 0, + as well as if the ICA token is defined in addition + and the ICA token is token 0 and CCA is token 1. - * Users who run configurations which do not have a token present - in all slots starting from 0 to slot <n> wont be able to do the - described migration. + * Users who run configurations which do not have a token present + in all slots starting from 0 to slot <n> wont be able to do the + described migration. - * The upstream accepted patch removes a faulty check which enforces - users to run configurations - with continuous slot ids for slots that have a token present, - hence it enables users running such configurations to do the - migration as described above flawlessly. + * The upstream accepted patch removes a faulty check which enforces + users to run configurations + with continuous slot ids for slots that have a token present, + hence it enables users running such configurations to do the + migration as described above flawlessly. [Test Plan] - * An IBM Z or LinuxONE system is needed with a CryptoExpress 5S or newer - crypto adapter card in place and with at least one crypto domain online. + * An IBM Z or LinuxONE system is needed with a CryptoExpress 5S or newer + crypto adapter card in place and with at least one crypto domain online. - * Install Ubuntu Server for s390x version <20.10|20.04|18.04|16.04> and + * Install Ubuntu Server for s390x version <20.10|20.04|18.04|16.04> and on top: - * Verify that a crypto domain is available with 'lszcrypt -V'. + * Verify that a crypto domain is available with 'lszcrypt -V'. - * Install the proprietary IBM CCA Host Libraries and Tools package (csulcca_7.1.x-x_s390x.deb) - from https://www.ibm.com/security/cryptocards/pciecc4/lonzsoftware (as of today: csulcca_7.1.35-01_s390x.deb). + * Install the proprietary IBM CCA Host Libraries and Tools package (csulcca_7.1.x-x_s390x.deb) + from https://www.ibm.com/security/cryptocards/pciecc4/lonzsoftware (as of today: csulcca_7.1.35-01_s390x.deb). - * Prepare for setting an initial master key, for example with: - /opt/IBM/CCA/bin/panel.exe -mk-load=$(xxd -p -c 256 -l 32 /dev/random) --mktype=AES --mkpart=<PART> - whereas <PART> is FIRST, MIDDLE and LAST + * Prepare for setting an initial master key, for example with: + /opt/IBM/CCA/bin/panel.exe -mk-load=$(xxd -p -c 256 -l 32 /dev/random) --mktype=AES --mkpart=<PART> + whereas <PART> is FIRST, MIDDLE and LAST - * And set the master key: - /opt/IBM/CCA/bin/panel.exe -mk-set --mktype=AES + * And set the master key: + /opt/IBM/CCA/bin/panel.exe -mk-set --mktype=AES - * Install opencryptoki: - sudo apt-get install opencryptoki + * Install opencryptoki: + sudo apt-get install opencryptoki - * Add the acting user to the pkcs11 group: - sudo usermod -aG pkcs11 <userid> - Log out and in again with <userid> to make the pkcs11 group changes to take effect. + * Add the acting user to the pkcs11 group: + sudo usermod -aG pkcs11 <userid> + Log out and in again with <userid> to make the pkcs11 group changes to take effect. - * Configure opencryptoki to only show the CCA token (see /etc/opencryptoki/opencryptoki.conf) and restart pkcsslotd: - sudo cp -p /etc/opencryptoki/opencryptoki.conf{,_$(date +%Y-%m-%d_%H:%M:%S).backup} - sudo sed -i 's/^stdll = .*/stdll = libpkcs11_cca.so/' /etc/opencryptoki/opencryptoki.conf - sudo sed -i '/^confname = ep11tok.conf/d' /etc/opencryptoki/opencryptoki.conf - sudo systemctl restart pkcsslotd + * Configure opencryptoki to only show the CCA token (see /etc/opencryptoki/opencryptoki.conf) and restart pkcsslotd: + sudo cp -p /etc/opencryptoki/opencryptoki.conf{,_$(date +%Y-%m-%d_%H:%M:%S).backup} + sudo sed -i 's/^stdll = .*/stdll = libpkcs11_cca.so/' /etc/opencryptoki/opencryptoki.conf + sudo sed -i '/^confname = ep11tok.conf/d' /etc/opencryptoki/opencryptoki.conf + sudo systemctl restart pkcsslotd - * Initialize the opencryptoki CCA token: - pkcsconf -I -c <n> # whereas <n> is the CCA slot - pkcsconf -P -c <n> - pkcsconf -u -c <n> + * Initialize the opencryptoki CCA token: + pkcsconf -I -c <n> # whereas <n> is the CCA slot + pkcsconf -P -c <n> + pkcsconf -u -c <n> - * The token is expected to be in the initialized state, showing the flags value as below: - Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED) - pkcsconf -t -c <n> | grep Flags + * The token is expected to be in the initialized state, showing the flags value as below: + Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED) + pkcsconf -t -c <n> | grep Flags - * Export PKCS11_USER_PIN=<your user PIN> from the token initialization. + * Export PKCS11_USER_PIN=<your user PIN> from the token initialization. - * Generate DES token objects wrapped by the secure master key stored in the current CCA DES register (sym category): - p11sak generate-key des --slot <n> --pin <your user PIN> --label des_test - (For older opencryptoki library versions than 3.14 use the GitHub opencryptoki misc_tests - tok_des test with C_DestroyObject() commented to keep the objects created during the test. https://github.com/opencryptoki/opencryptoki/tree/master/testcases/misc_tests) + * Generate DES token objects wrapped by the secure master key stored in the current CCA DES register (sym category): + p11sak generate-key des --slot <n> --pin <your user PIN> --label des_test + (For older opencryptoki library versions than 3.14 use the GitHub opencryptoki misc_tests + tok_des test with C_DestroyObject() commented to keep the objects created during the test. https://github.com/opencryptoki/opencryptoki/tree/master/testcases/misc_tests) - * Prepare for setting a new DES master key, for example with: - /opt/IBM/CCA/bin/panel.exe -mk-load=$(xxd -p -c 256 -l 32 /dev/random) --mktype=AES --mkpart=<PART> - whereas <PART> is FIRST, MIDDLE and LAST + * Prepare for setting a new DES master key, for example with: + /opt/IBM/CCA/bin/panel.exe -mk-load=$(xxd -p -c 256 -l 32 /dev/random) --mktype=AES --mkpart=<PART> + whereas <PART> is FIRST, MIDDLE and LAST - * Run: pkcscca -m keys -s 2 -k sym -d /var/lib/opencryptoki/ccatok -v - Without fix the message "usr/sb2 is not a valid slot ID" is printed. - With working solution, the messages printed are - "Enter the SO PIN: - Enter the USER PIN: - Successfully migrated: DES: 1." + * Run: pkcscca -m keys -s 2 -k sym -d /var/lib/opencryptoki/ccatok -v debug + Without fix the message "usr/sb2 is not a valid slot ID" is printed. + With working solution, the messages printed are + "Enter the SO PIN: + Enter the USER PIN: + Successfully migrated: DES: 1." [Where problems could occur] - * With the removal of the erroneous code, done by commit/patch: - caa4bbba "A slot ID has nothing to do with the number of slots" - the behavior of migrate_wrapped may change unexpectedly. + * With the removal of the erroneous code, done by commit/patch: + caa4bbba "A slot ID has nothing to do with the number of slots" + the behavior of migrate_wrapped may change unexpectedly. - * Especially since exit codes 3 and 4 got dropped. + * Especially since exit codes 3 and 4 got dropped. - * Any checks for those exit codes would potentially have to be adapted, - but such error codes would have been caused by error situations anyway, even in case the bug is not fixed. - Invalid slot ids will cause an exit code of 5 now. + * Any checks for those exit codes would potentially have to be adapted, + but such error codes would have been caused by error situations anyway, even in case the bug is not fixed. + Invalid slot ids will cause an exit code of 5 now. - * Issues could occur in case slot_count might still be used outside the scope of the patch, - but this is simple to check and a test build will indicate this anyway. - + * Issues could occur in case slot_count might still be used outside the scope of the patch, + but this is simple to check and a test build will indicate this anyway. + [Other Info] - * A successful test build of a patched package was made available - for further testing with this PPA: - https://launchpad.net/~fheimes/+archive/ubuntu/lp1915517 + * A successful test build of a patched package was made available + for further testing with this PPA: + https://launchpad.net/~fheimes/+archive/ubuntu/lp1915517 - * Hirsute/21.04 is covered by the version bump to a new upstream release - 3.15.1 (+ add. patches) of LP: #1906369. + * Hirsute/21.04 is covered by the version bump to a new upstream release + 3.15.1 (+ add. patches) of LP: #1906369. __________ Details ======= An opencryptoki symmetric key object wrapped by the IBM CCA DES master key cannot be migrated from a previous master key stored in the OLD register to a newer master key stored in the CURRENT register, when a token with a higher index is used, than number of tokens are available. The problem remains when the CCA token is indexed as token 0, as well as when the ICA token is defined in addition and the ICA token is token 0 and CCA is token 1. Fix === The following commit has been verified to fix this issue: https://github.com/opencryptoki/opencryptoki/commit/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch "[PATCH] A slot ID has nothing to do with the number of slots" This git commit need to be applied to all version with opencrycpptoki >= 3.4 xenial (16.04LTS) (utils): 3.4.1+dfsg-1ubuntu3 bionic (18.04LTS) (utils): 3.9.0+dfsg-0ubuntu1 focal (20.04LTS) (utils): 3.13.0+dfsg-0ubuntu5: groovy (20.10) (utils): 3.14.0+dfsg-0ubuntu3 hirsute (utils): 3.14.0+dfsg-0ubuntu3 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1915517 Title: [UBUNTU 21.04] openCryptoki: pkcscca migration fails with usr/sb2 is not a valid slot ID To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1915517/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
