[22.04 FEAT] Upgrade openCryptoki to latest version (>= 3.17)

Bug #1959419 reported by bugproxy
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners |
opencryptoki (Ubuntu) | Fix Released | High | Simon Chopin |

Bug Description

Upgrade openCryptoki to latest version

Description

Update openCryptoki to latest version (>= 3.17).

Available from
https://github.com/opencryptoki/opencryptoki

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-196187 severity-high targetmilestone-inin2204
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes) wrote :

Current package in jammy is 3.16.0+dfsg-0ubuntu2

affects: linux (Ubuntu) → opencryptoki (Ubuntu)
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in opencryptoki (Ubuntu):
importance: Undecided → High
Changed in ubuntu-z-systems:
importance: Undecided → High
Changed in opencryptoki (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → Canonical Foundations Team (canonical-foundations)
Frank Heimes (fheimes) wrote :

From other tickets that I've noticed I think it's best to wait for opencryptoki >3.17 (probably 3.18) to avoid having to do two version bumps within the jammy development cycle.
@IBM Please can you confirm?

Frank Heimes (fheimes) wrote :

The suggestion here is to pick v3.17 plus all commits on top that are currently on master,
since a 3.18 will not be available in time for the jammy FF.

There are currently 62 commits that are on top of v3.17 - I'm a bit unsure if this is feasible ...

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-02-09 11:34 EDT-------
Please note that with the patches on top of 3.17 a new strength.conf file is being installed into /etc/opencryptoki when doing 'make install'. Make sure that you include this new file in your package so that it gets installed on the user systems. Without the strength.conf file opencryptoki won't work.

tags: added: fr-2037
bugproxy (bugproxy) wrote :
Frank Heimes (fheimes) wrote :

So let me suggest the following:
1) let's go with the 3.17 plus the above selected 7 commits
2) prepare a FFe in parallel, but for this a defined release date for the 3.18 is needed

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2022-02-14 09:10 EDT-------
OK from my side.

3.18 is planned for end of April, at latest first week of May (as always plans are subject to change, but I am quite confident that it will be this date).

Frank Heimes (fheimes) wrote :

Well, I'm sorry to say that end of April will be too late.
Please notice that the GA date for 22.04 will be on April the 21st:
https://discourse.ubuntu.com/t/jammy-jellyfish-release-schedule
Even a FFe is something that can practically only be done prior to beta (< March 28th).
Hence we cannot follow this approach and need to go with a 3.17+.

Just tried applying the selected list of patches on top of 3.17,
but for:
442551a2 TESTCASES: AB: Deriving a key of size 0 is not valid
there is a pre-req missing, since it complains about a missing file:
testcases/crypto/abfunc.c

Looks like it's created by c6ecbde6c818a4da6404a7cb1e75a9504c787d65.
The part to create testcases/crypto/abfunc.c is needed (but the modification of testcases/crypto/crypto.mk needs to be dropped, since it's already in).

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2022-02-15 09:08 EDT-------
> Just tried applying the selected list of patches on top of 3.17,
...
> Looks like it's created by c6ecbde6c818a4da6404a7cb1e75a9504c787d65.

But this commit is already part of 3.16.0, so it should also be in 3.17.0.
Are you sure your base really is 3.17.0?

Frank Heimes (fheimes) wrote :

A test build of an opencryptoki version "3.17.0+dfsg+20220202.b40982e" completed successfully here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1959419

Frank Heimes (fheimes) wrote :

debdiff from 3.16.0+dfsg-0ubuntu3 to 3.17.0+dfsg+20220202.b40982e-0ubuntu1

Changed in ubuntu-z-systems:
status: New → In Progress
Changed in opencryptoki (Ubuntu):
status: New → In Progress
Simon Chopin (schopin)
Changed in opencryptoki (Ubuntu):
assignee: Canonical Foundations Team (canonical-foundations) → Simon Chopin (schopin)
Frank Heimes (fheimes)
information type: Private → Public
Simon Chopin (schopin) wrote :

Uploaded, thanks!

Changed in opencryptoki (Ubuntu):
status: In Progress → Fix Committed
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 3.17.0+dfsg+20220202.b40982e-0ubuntu1

---------------
opencryptoki (3.17.0+dfsg+20220202.b40982e-0ubuntu1) jammy; urgency=medium

  * New upstream release LP: #1959419
    based on 3.17 + master (b40982e) at date 20220202
    - Update d/p/01-disable-testcases.patch
    - Refresh d/p/03-dlopen-soname.patch
    - Update and Refresh d/p/04-pkcsslotd-cmdline-args.patch
    - Drop lp1928780-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
    - Add libudev-dev to d/control Build-Depends
    - Remove 'BSD' entry for usr/lib/pkcs11/aep_stdll/* from d/copyright,
      since this (sub-)folder got removed
    - Update relevant IBM license years in d/copyright
    - Remove testcases/crypto/abfunc.c from Files-Excluded in d/copyright,
      since it's clearly under IBM copyright, that is listed further down
    - Upstream 'doc' folder is now required and cannot be excluded anymore,
      hence changed Files-Excluded from doc to more specific doc/README.*
    - New version expands key management tool p11sak functionality,
      hence solves LP: #1959577

 -- Frank Heimes <email address hidden> Tue, 15 Feb 2022 09:30:48 +0100

Changed in opencryptoki (Ubuntu):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released