Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

icastats_test appears to fail in a chroot, running as root #22

Open
xnox opened this issue Jun 14, 2018 · 6 comments
Open

icastats_test appears to fail in a chroot, running as root #22

xnox opened this issue Jun 14, 2018 · 6 comments

Comments

@xnox
Copy link
Contributor

xnox commented Jun 14, 2018

I'm in a chroot running the test suite as root.

It appears that running icastats_test causes RSA-ME to be used and thus fail the test... or something like that, no?

(cosmic-s390x)root@clound01:/build/libica-eDoBqM/libica-3.3.3/test# LD_LIBRARY_PATH=../src/.libs/ PATH=../src/:$PATH LIBICA_TESTDATA=./testdata/ ../src/icastats -R       
(cosmic-s390x)root@clound01:/build/libica-eDoBqM/libica-3.3.3/test# LD_LIBRARY_PATH=../src/.libs/ PATH=../src/:$PATH LIBICA_TESTDATA=./testdata/ ../src/icastats   
 function     |           hardware       |            software
--------------+--------------------------+-------------------------
              |      ENC    CRYPT   DEC  |      ENC    CRYPT   DEC 
--------------+--------------------------+-------------------------
        SHA-1 |               0          |                0
      SHA-224 |               0          |                0
      SHA-256 |               0          |                0
      SHA-384 |               0          |                0
      SHA-512 |               0          |                0
     SHA3-224 |               0          |                0
     SHA3-256 |               0          |                0
     SHA3-384 |               0          |                0
     SHA3-512 |               0          |                0
    SHAKE-128 |               0          |                0
    SHAKE-256 |               0          |                0
        GHASH |               0          |                0
        P_RNG |               0          |                0
 DRBG-SHA-512 |               0          |                0
         ECDH |               0          |                0
   ECDSA Sign |               0          |                0
 ECDSA Verify |               0          |                0
       ECKGEN |               0          |                0
       RSA-ME |               0          |                0
      RSA-CRT |               0          |                0
      DES ECB |         0              0 |         0             0
      DES CBC |         0              0 |         0             0
      DES OFB |         0              0 |         0             0
      DES CFB |         0              0 |         0             0
      DES CTR |         0              0 |         0             0
     DES CMAC |         0              0 |         0             0
     3DES ECB |         0              0 |         0             0
     3DES CBC |         0              0 |         0             0
     3DES OFB |         0              0 |         0             0
     3DES CFB |         0              0 |         0             0
     3DES CTR |         0              0 |         0             0
    3DES CMAC |         0              0 |         0             0
      AES ECB |         0              0 |         0             0
      AES CBC |         0              0 |         0             0
      AES OFB |         0              0 |         0             0
      AES CFB |         0              0 |         0             0
      AES CTR |         0              0 |         0             0
     AES CMAC |         0              0 |         0             0
      AES XTS |         0              0 |         0             0
      AES GCM |         0              0 |         0             0
(cosmic-s390x)root@clound01:/build/libica-eDoBqM/libica-3.3.3/test# LD_LIBRARY_PATH=../src/.libs/ PATH=../src/:$PATH LIBICA_TESTDATA=./testdata/ ./icastats_test --verbose
Test DRBG-SHA-512 SUCCESS.
Test DES ECB SUCCESS.
Test DES CBC SUCCESS.
Test DES CFB SUCCESS.
Test DES CMAC SUCCESS.
Test DES CTR SUCCESS.
Test DES OFB SUCCESS.
Test 3DES ECB SUCCESS.
Test 3DES CBC SUCCESS.
Test 3DES CFB SUCCESS.
Test 3DES CMAC SUCCESS.
Test 3DES CTR SUCCESS.
Test 3DES OFB SUCCESS.
Test SHA-1 SUCCESS.
Test SHA-224 SUCCESS.
Test SHA-256 SUCCESS.
Test SHA-384 SUCCESS.
Test SHA-512 SUCCESS.
icastats RSA-ME test FAILED!
icastats line for RSA-ME was '       RSA-ME |               0          |                1'

I think original / first failure was .... 90' but can't remember now for sure, logs lost.

@xnox
Copy link
Contributor Author

xnox commented Jun 14, 2018

This is a chroot, on a z/VM guest, z13.

@p-steuer
Copy link
Contributor

Hi,

hw support for public key crypto ops is available via the cex crypto adapters. If no crypto adapter is available, there is a sw fallback (libcrypto).

In your scenario, the rsa op was performed in sw (1 in sw column). However, the test case should still pass for its only purpose is to check if the counting is working. There seems to be an inconsistency i.e., the testcase detects hw is available and expects hw counter increasing, but the rsa op is done in sw.

(1) Is /sys/ available in the chroot environment ?
(2) Is /dev/z90crypt available in the chroot environment ? (If so, which cards/domains are enabled?).

Im asking, because the test parses /sys/ to check if hw is available. The check seems to be positive, so hw counter is expected to increase. The rsa op is later done in sw, indicating that no adapter could be opened.

@xnox
Copy link
Contributor Author

xnox commented Jun 15, 2018

Both /sys and /dev are available in the chroot. However, neither are bind mounts, but new mounts, thus /dev is quite empty:

# ls -l /dev/
total 0
lrwxrwxrwx 1 root root   13 May 18 06:49 fd -> /proc/self/fd
crw-rw-rw- 1 root root 1, 7 May 18 06:49 full
crw-rw-rw- 1 root root 1, 3 May 18 06:49 null
crw-rw-rw- 1 root root 5, 2 May 18 06:49 ptmx
drwxr-xr-x 2 root root    0 Jun 13 01:54 pts
crw-rw-rw- 1 root root 1, 8 May 18 06:49 random
drwxrwxrwt 2 root root   60 Jun 15 11:04 shm
lrwxrwxrwx 1 root root   15 May 18 06:49 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root   15 May 18 06:49 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root   15 May 18 06:49 stdout -> /proc/self/fd/1
crw-rw-rw- 1 root root 5, 0 May 18 06:49 tty
crw-rw-rw- 1 root root 1, 9 May 18 06:49 urandom
crw-rw-rw- 1 root root 1, 5 May 18 06:49 zero

And does not have /dev/z90crypt. Maybe the checks should be improved to check for existence of /dev/z90crypt too?

@p-steuer
Copy link
Contributor

Yes, i agree (i leave this issue open until this is fexed).

Do you know if your kernel has the ap device driver still as a module or is it built-in ?

@xnox
Copy link
Contributor Author

xnox commented Jun 19, 2018

No idea, but if you tell me the config key to check, I can trivially check all ubuntu supported configs for that. That test was done on a v4.15 kernel i believe.

@p-steuer
Copy link
Contributor

v4.15 kernel ap dd is not buildable as a module anymore, its built -in.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants