Ubuntu
opencryptoki package

[UBUNTU 21.04] openCryptoki: pkcscca migration fails with usr/sb2 is not a valid slot ID

Bug #1915517 reported by bugproxy on 2021-02-12

This bug affects 1 person

	Status	Importance	Assigned to
Ubuntu on IBM z Systems	Fix Released	High	Skipper Bug Screeners
opencryptoki (Ubuntu)	Fix Released	High	Brian Murray
Xenial	Fix Released	High	Frank Heimes
Bionic	Fix Released	High	Frank Heimes
Focal	Fix Released	High	Frank Heimes
Groovy	Fix Released	High	Frank Heimes
Hirsute	Fix Released	High	Brian Murray

Bug Description

[Impact]

* An opencryptoki symmetric key object, wrapped by an IBM CCA DES
   master key, cannot be migrated from a previous master key stored
   in the OLD register to a new master key stored in the CURRENT
   register, if a token is used that has a higher index than the
   number of tokens available.

* The problem remains if the CCA token is indexed as token 0,
as well as if the ICA token is defined in addition
and the ICA token is token 0 and CCA is token 1.

* Users who run configurations which do not have a token present
in all slots starting from 0 to slot <n> wont be able to do the
described migration.

* The upstream accepted patch removes a faulty check which enforces
   users to run configurations
   with continuous slot ids for slots that have a token present,
   hence it enables users running such configurations to do the
   migration as described above flawlessly.

[Test Plan]

* An IBM Z or LinuxONE system is needed with a CryptoExpress 5S or newer
crypto adapter card in place and with at least one crypto domain online.

* Install Ubuntu Server for s390x version <20.10|20.04|18.04|16.04> and on top:

* Verify that a crypto domain is available with 'lszcrypt -V'.

* Install the proprietary IBM CCA Host Libraries and Tools package (csulcca_7.1.x-x_s390x.deb)
from https://www.ibm.com/security/cryptocards/pciecc4/lonzsoftware (as of today: csulcca_7.1.35-01_s390x.deb).

* Prepare for setting an initial master key, for example with:
   panel.exe --mk-load=<48 byte DES key incl. odd parity> --mktype=SYM --mkpart=<PART>
   whereas <PART> is FIRST, MIDDLE and LAST
   (to generate a proper TEST and SAMPLE key incl. parity bits see:
    https://limbenjamin.com/articles/des-key-parity-bit-calculator.html)
   Alternatively use: 'panel.exe --mk-load-interactive'

* And set the master key:
panel.exe -mk-set --mktype=SYM

* Install opencryptoki:
sudo apt-get install opencryptoki

* Add the acting user to the pkcs11 group:
   sudo usermod -aG pkcs11 <userid>
   and add the cca_* groups:
   for g in $(grep cca_ /etc/group | awk -F':' '{ print $1 }'); do sudo usermod -a -G $g $USER; done
   Log out and in again with <userid> to make the group changes take effect.

* Configure opencryptoki to only show the CCA token (see /etc/opencryptoki/opencryptoki.conf) and restart pkcsslotd:
   sudo cp -p /etc/opencryptoki/opencryptoki.conf{,_$(date +%Y-%m-%d_%H:%M:%S).backup}
   sudo sed -i 's/^stdll = .*/stdll = libpkcs11_cca.so/' /etc/opencryptoki/opencryptoki.conf
   sudo sed -i '/^confname = ep11tok.conf/d' /etc/opencryptoki/opencryptoki.conf
   sudo systemctl restart pkcsslotd

* Initialize the opencryptoki CCA token:
   pkcsconf -I -c <n> # whereas <n> is the CCA slot, e.g. 1
   pkcsconf -P -c <n>
   pkcsconf -u -c <n>

* export PKCS11_USER_PIN=<your user PIN> from the token initialization.

* Generate DES token objects wrapped by the secure master key stored in the current CCA DES register (sym category):
   p11sak generate-key des --slot <n> --pin <your user PIN> --label des_test
   Since p11sak need to be separately compiled, the LD_LIBRARY_PATH might need to be adjusted, like:
   LD_LIBRARY_PATH=/usr/lib/s390x-linux-gnu/pkcs11:/usr/lib
   (For older opencryptoki library versions than 3.14 use the GitHub opencryptoki misc_tests
    tok_des test with C_DestroyObject() commented to keep the objects created during the test. https://github.com/opencryptoki/opencryptoki/tree/master/testcases/misc_tests)

* Prepare for setting a new DES master key, for example with:
   panel.exe --mk-load=<48 byte DES key incl. odd parity> --mktype=SYM --mkpart=<PART>
   whereas <PART> is FIRST, MIDDLE and LAST
   (to generate a proper TEST and SAMPLE key incl. parity bits see:
    https://limbenjamin.com/articles/des-key-parity-bit-calculator.html)
   Alternatively use: 'panel.exe --mk-load-interactive'

* Run: pkcscca -m keys -s 2 -k sym -d /var/lib/opencryptoki/ccatok -v debug
   Without fix the message "usr/sb2 is not a valid slot ID" is printed.
   With working solution, the messages printed are
   "Enter the SO PIN:
    Enter the USER PIN:
    Successfully migrated: DES: 1."

[Where problems could occur]

* With the removal of the erroneous code, done by commit/patch:
caa4bbba "A slot ID has nothing to do with the number of slots"
the behavior of migrate_wrapped may change unexpectedly.

* Especially since exit codes 3 and 4 got dropped.

* Any checks for those exit codes would potentially have to be adapted,
but such error codes would have been caused by error situations anyway, even in case the bug is not fixed.
Invalid slot ids will cause an exit code of 5 now.

* Issues could occur in case slot_count might still be used outside the scope of the patch,
but this is simple to check and a test build will indicate this anyway.

[Other Info]

* A successful test build of a patched package was made available
for further testing with this PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1915517

* Hirsute/21.04 is covered by the version bump to a new upstream release
3.15.1 (+ add. patches) of LP: #1906369.
__________

Details
=======
An opencryptoki symmetric key object wrapped by the IBM CCA DES master key cannot be migrated from a previous master key stored in the OLD register to a newer master key stored in the CURRENT register, when a token with a higher index is used, than number of tokens are available. The problem remains when the CCA token is indexed as token 0, as well as when the ICA token is defined in addition and the ICA token is token 0 and CCA is token 1.

Fix
===
The following commit has been verified to fix this issue:

https://github.com/opencryptoki/opencryptoki/commit/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
"[PATCH] A slot ID has nothing to do with the number of slots"

This git commit need to be applied to all version with opencrycpptoki >= 3.4
xenial (16.04LTS) (utils): 3.4.1+dfsg-1ubuntu3
bionic (18.04LTS) (utils): 3.9.0+dfsg-0ubuntu1
focal (20.04LTS) (utils): 3.13.0+dfsg-0ubuntu5:
groovy (20.10) (utils): 3.14.0+dfsg-0ubuntu3
hirsute (utils): 3.14.0+dfsg-0ubuntu3

See original description

Tags:

Related branches

~fheimes/ubuntu/+source/opencryptoki:opencryptoki-sru-lp1915517-xenial

Ready for review for merging into ubuntu/+source/opencryptoki:ubuntu/xenial-devel

Canonical Foundations Team: Pending requested 2021-03-03

~fheimes/ubuntu/+source/opencryptoki:opencryptoki-sru-lp1915517-bionic

Ready for review for merging into ubuntu/+source/opencryptoki:ubuntu/bionic-devel

Canonical Foundations Team: Pending requested 2021-03-02

~fheimes/ubuntu/+source/opencryptoki:opencryptoki-sru-lp1915517-focal

Ready for review for merging into ubuntu/+source/opencryptoki:ubuntu/focal-devel

Canonical Foundations Team: Pending requested 2021-03-02

~fheimes/ubuntu/+source/opencryptoki:opencryptoki-sru-lp1915517-groovy

Ready for review for merging into ubuntu/+source/opencryptoki:ubuntu/groovy-devel

Canonical Foundations Team: Pending requested 2021-03-01

bugproxy (bugproxy) on 2021-02-12

tags:	added: architecture-s39064 bugnameltc-191527 severity-high targetmilestone-inin2104
Changed in ubuntu:
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
affects:	ubuntu → opencryptoki (Ubuntu)

Frank Heimes (fheimes) on 2021-02-15

Changed in ubuntu-z-systems:
importance:	Undecided → High
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)

Frank Heimes (fheimes) on 2021-02-15

Changed in ubuntu-z-systems:
status:	New → Triaged

Steve Langasek (vorlon) on 2021-02-15

tags:

added: fr-1140

Revision history for this message

Frank Heimes (fheimes) wrote on 2021-02-18:

The hirsute part could and should be done as part of LP 1906369.

Brian Murray (brian-murray) on 2021-02-23

Changed in opencryptoki (Ubuntu Hirsute):
status:	New → In Progress
assignee:	Skipper Bug Screeners (skipper-screen-team) → Brian Murray (brian-murray)
importance:	Undecided → High

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-02-23:

This bug was fixed in the package opencryptoki - 3.15.1+dfsg-0ubuntu1

---------------
opencryptoki (3.15.1+dfsg-0ubuntu1) hirsute; urgency=medium

  * New upstream release LP: #1906369.
  * Add patch f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43 fixing migration of a
    master key from OLD register to CURRENT register (LP: #1915517).
  * Add patch 2d16f003911ceee50967546f4b3c7cac2db9ba86 fixing compiling with
    c++.
  * Add patch 821bc7ab4635e189d31bc3c808c626b9fcda5d02 with error message
    handling for p11sak remove-key command.
  * Add patch 1e98001ff63cd7e75d95b4ea0d3d2a69965d8890 fixing a problem with
    C_Get/SetOperationState and digest contexts.

-- Brian Murray <email address hidden> Mon, 22 Feb 2021 16:48:12 -0800

Changed in opencryptoki (Ubuntu Hirsute):
status:	In Progress → Fix Released

Frank Heimes (fheimes) on 2021-02-23

Changed in ubuntu-z-systems:
status:	Triaged → In Progress

Frank Heimes (fheimes) on 2021-02-26

Changed in opencryptoki (Ubuntu Groovy):
status:	New → In Progress
assignee:	nobody → Frank Heimes (fheimes)
importance:	Undecided → High

Revision history for this message

Frank Heimes (fheimes) wrote on 2021-03-01:

slightly updated debdiff Edit (3.2 KiB, text/plain)

Revision history for this message

bugproxy (bugproxy) wrote on 2021-03-01: debdiff_groovy.diff

debdiff_groovy.diff Edit (3.1 KiB, application/octet-stream)

Default Comment by Bridge

Revision history for this message

Frank Heimes (fheimes) wrote on 2021-03-02:

debdiff_focal.diff Edit (3.1 KiB, text/plain)

Changed in opencryptoki (Ubuntu Focal):
status:	New → In Progress
importance:	Undecided → High
assignee:	nobody → Frank Heimes (fheimes)

Revision history for this message

Frank Heimes (fheimes) wrote on 2021-03-02:

debdiff_bionic.diff Edit (2.7 KiB, text/plain)

Changed in opencryptoki (Ubuntu Bionic):
status:	New → In Progress
importance:	Undecided → High
assignee:	nobody → Frank Heimes (fheimes)

Revision history for this message

Frank Heimes (fheimes) wrote on 2021-03-03:

debdiff_xenial.diff Edit (2.8 KiB, text/plain)

Changed in opencryptoki (Ubuntu Xenial):
status:	New → In Progress
importance:	Undecided → High
assignee:	nobody → Frank Heimes (fheimes)

Frank Heimes (fheimes) on 2021-03-03

description:	updated
description:	updated

Frank Heimes (fheimes) on 2021-03-04

description:

updated

Revision history for this message

Brian Murray (brian-murray) wrote on 2021-03-04:

I've sponsored the groovy debdiff and will do the others today.

Revision history for this message

Timo Aaltonen (tjaalton) wrote on 2021-03-05: Please test proposed package

#10

Hello bugproxy, or anyone else affected,

Accepted opencryptoki into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/opencryptoki/3.14.0+dfsg-0ubuntu3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in opencryptoki (Ubuntu Groovy):
status:	In Progress → Fix Committed
tags:	added: verification-needed verification-needed-groovy
Changed in opencryptoki (Ubuntu Focal):
status:	In Progress → Fix Committed
tags:	added: verification-needed-focal

Revision history for this message

Timo Aaltonen (tjaalton) wrote on 2021-03-05:

#11

Hello bugproxy, or anyone else affected,

Accepted opencryptoki into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/opencryptoki/3.13.0+dfsg-0ubuntu5.1 in a few hours, and then in the -proposed repository.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in opencryptoki (Ubuntu Bionic):
status:	In Progress → Fix Committed
tags:	added: verification-needed-bionic

Revision history for this message

Timo Aaltonen (tjaalton) wrote on 2021-03-05:

#12

Hello bugproxy, or anyone else affected,

Accepted opencryptoki into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/opencryptoki/3.9.0+dfsg-0ubuntu1.4 in a few hours, and then in the -proposed repository.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in opencryptoki (Ubuntu Xenial):
status:	In Progress → Fix Committed
tags:	added: verification-needed-xenial

Revision history for this message

Timo Aaltonen (tjaalton) wrote on 2021-03-05:

#13

Hello bugproxy, or anyone else affected,

Accepted opencryptoki into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/opencryptoki/3.4.1+dfsg-1ubuntu4.1 in a few hours, and then in the -proposed repository.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Frank Heimes (fheimes) on 2021-03-05

Changed in ubuntu-z-systems:
status:	In Progress → Fix Committed

Frank Heimes (fheimes) on 2021-03-09

description:

updated

Revision history for this message

Frank Heimes (fheimes) wrote on 2021-03-09:

#14

Verified on focal with additionally compiled tok_des based on upstream release for testing:
$ /home/ubuntu/opencryptoki-upstream_compiled_on_s390x/testcases/misc_tests/tok_des
Using slot #0...
So I didn't got the "usr/sb2 is not a valid slot ID" message anymore using:
$ apt-cache policy opencryptoki
opencryptoki:
  Installed: 3.13.0+dfsg-0ubuntu5.1
  Candidate: 3.13.0+dfsg-0ubuntu5.1
  Version table:
*** 3.13.0+dfsg-0ubuntu5.1 500
        500 http://us.ports.ubuntu.com/ubuntu-ports focal-proposed/universe s390x Packages
        100 /var/lib/dpkg/status
     3.13.0+dfsg-0ubuntu5 500
        500 http://ports.ubuntu.com/ubuntu-ports focal/universe s390x Packages
Same for groovy after upgrading the system and using:
3.14.0+dfsg-0ubuntu3.1
Hence updating tags got focal and groovy.

tags:

added: verification-done-focal verification-done-groovy
removed: verification-needed-focal verification-needed-groovy

Revision history for this message

Frank Heimes (fheimes) wrote on 2021-03-11:

#15

I now installed a xenial system (LPAR) from scratch and tested/verified with 3.4.1+dfsg-1ubuntu4.1 from proposed and other than I had to use a slightly different (legacy) syntax in the tools I had the same results.

Afterwards I dist-upgraded that system to bionic and did the verification one again there with 3.9.0+dfsg-0ubuntu1.4 (proposed). With another slight adjustment in the syntax it worked, too.

(looks like the tool syntax is stable with 3.1x, but not necessarily before)

I'm adjusting the tags accordingly ...

tags:

added: verification-done verification-done-bionic verification-done-xenial
removed: verification-needed verification-needed-bionic verification-needed-xenial

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-03-18:

#16

This bug was fixed in the package opencryptoki - 3.14.0+dfsg-0ubuntu3.1

---------------
opencryptoki (3.14.0+dfsg-0ubuntu3.1) groovy; urgency=medium

  * Added patch caa4bbba51cf470986944820ea773163084da0b7 (from > 3.15.1)
    for fixing migration of master key from OLD register to CURRENT register.
    (LP: #1915517)

-- Frank Heimes <email address hidden> Fri, 26 Feb 2021 19:17:13 +0100

Changed in opencryptoki (Ubuntu Groovy):
status:	Fix Committed → Fix Released

Revision history for this message

Łukasz Zemczak (sil2100) wrote on 2021-03-18: Update Released

#17

The verification of the Stable Release Update for opencryptoki has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-03-18:

#18

This bug was fixed in the package opencryptoki - 3.13.0+dfsg-0ubuntu5.1

---------------
opencryptoki (3.13.0+dfsg-0ubuntu5.1) focal; urgency=medium

  * debian/patches/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
    fixing migration of master key from OLD register to CURRENT register (from > 3.15.1)
    Thanks to Patrick Steuer (LP: #1915517)

-- Frank Heimes <email address hidden> Tue, 02 Mar 2021 14:09:59 +0100

Changed in opencryptoki (Ubuntu Focal):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-03-18:

#19

This bug was fixed in the package opencryptoki - 3.9.0+dfsg-0ubuntu1.4

---------------
opencryptoki (3.9.0+dfsg-0ubuntu1.4) bionic; urgency=medium

  * debian/patches/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
    fixing migration of master key from OLD register to CURRENT register (from > 3.15.1)
    Thanks to Patrick Steuer (LP: #1915517)

-- Frank Heimes <email address hidden> Tue, 02 Mar 2021 18:26:14 +0100

Changed in opencryptoki (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-03-18:

#20

This bug was fixed in the package opencryptoki - 3.4.1+dfsg-1ubuntu4.1

---------------
opencryptoki (3.4.1+dfsg-1ubuntu4.1) xenial; urgency=medium

  * debian/patches/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
    fixing migration of master key from OLD register to CURRENT register
    (from > 3.15.1)
    Thanks to Patrick Steuer (LP: #1915517)

-- Frank Heimes <email address hidden> Wed, 03 Mar 2021 12:35:05 +0100

Changed in opencryptoki (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Frank Heimes (fheimes) on 2021-03-18

Changed in ubuntu-z-systems:
status:	Fix Committed → Fix Released

Revision history for this message

bugproxy (bugproxy) wrote on 2021-03-19: Comment bridged from LTC Bugzilla

#21

------- Comment From <email address hidden> 2021-03-19 03:37 EDT-------
IBM bugzilla status->closed, Fix Released for all requested distros

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Bug attachments

debdiff_groovy.diff Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuopencryptoki package

[UBUNTU 21.04] openCryptoki: pkcscca migration fails with usr/sb2 is not a valid slot ID

Bug Description

Related branches

Other bug subscribers

Patches

Bug attachments

Remote bug watches

Ubuntu
opencryptoki package