bugzilla-daemon at bugzilla.mindrot.org
2017-Jul-28 19:59 UTC
[Bug 2752] New: Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug ID: 2752 Summary: Allow syscalls for openssl engines on s390x Product: Portable OpenSSH Version: 7.5p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: ebarretto at linux.vnet.ibm.com Created attachment 3025 --> https://bugzilla.mindrot.org/attachment.cgi?id=3025&action=edit tarball containing the 3 patches This patchset allow syscalls (flock, ipc, getuid, geteuid and ioctl), so openssl engines, e.g. OpenSSL-ibmca and OpenSSL-ibmpkcs11, can work and communicate with the crypto cards during ssh login and scp. 1. The flock and ipc are allowed only for s390 architecture. They are needed for openCryptoki project (PKCS#11 implementation), as the ibmpkcs11 engine makes use of openCryptoki. For more information, please check here: https://github.com/opencryptoki/opencryptoki 2. getuid and geteuid are allowed to any architecture as this is also needed by the distros. libica and other crypto libraries use those syscalls. 3. The ioctl is allowed when an specific argument is passed. This argument is from EP11 crypto card on s390 architecture. For more information check here: http://elixir.free-electrons.com/linux/latest/source/arch/s390/include/uapi/asm/zcrypt.h#L259 The patches were sent to the mailing list as well: https://www.spinics.net/lists/openssh-unix-dev/msg04133.html -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-21 23:29 UTC
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #3025|0 |1 is obsolete| | CC| |djm at mindrot.org --- Comment #1 from Damien Miller <djm at mindrot.org> --- Created attachment 3055 --> https://bugzilla.mindrot.org/attachment.cgi?id=3055&action=edit Allow-flock-and-ipc-syscall-for-s390-architecture -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-21 23:30 UTC
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752 --- Comment #2 from Damien Miller <djm at mindrot.org> --- Created attachment 3056 --> https://bugzilla.mindrot.org/attachment.cgi?id=3056&action=edit Allow-getuid-and-geteuid-calls -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-21 23:30 UTC
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752 --- Comment #3 from Damien Miller <djm at mindrot.org> --- Created attachment 3057 --> https://bugzilla.mindrot.org/attachment.cgi?id=3057&action=edit Enable-specific-ioctl-call-for-EP11-crypto-card-s390 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-21 23:43 UTC
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dtucker at zip.com.au Attachment #3056| |ok+ Flags| | -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-21 23:45 UTC
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752 --- Comment #4 from Darren Tucker <dtucker at zip.com.au> --- Comment on attachment 3055 --> https://bugzilla.mindrot.org/attachment.cgi?id=3055 Allow-flock-and-ipc-syscall-for-s390-architecture sysV IPC seems like a big increase in attack surface even when this hardware is not in use? -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-22 00:02 UTC
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752 --- Comment #5 from Damien Miller <djm at mindrot.org> --- Yeah, I agree. Would it be feasible to skip using the engines in the pre-auth phase entirely? -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-22 12:46 UTC
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752 --- Comment #6 from ebarretto at linux.vnet.ibm.com --- (In reply to Damien Miller from comment #5)> Yeah, I agree. Would it be feasible to skip using the engines in the > pre-auth phase entirely?Hi Damien, We have on S390 two OpenSSL Engines, one more specific (is specific for one crypto card) and one more generic that works with different crypto card/devices. The first is openssl-ibmca and the last one openssl-ibmpkcs11. We already did some changes on the seccomp filter (openssh-7.5) for the ibmca engine, but the getuid and geteuid was missing as it was enabled on some distro's openssh package but not on others. Can we get the getuid and geteuid patch integrated for now? The other engine, ibmpkcs11, which needs the sysv ipc is not yet released and we can work on an alternative based on your feedback. This works for you? Thanks, Eduardo -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-May-25 03:56 UTC
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752 --- Comment #7 from Damien Miller <djm at mindrot.org> --- I've committed the getuid patch. wrt the remaining patches: There isn't much point in permitting flock() - the process is in a chroot environment and all fs operations should fail here. Could we SC_DENY it with ENOENT or EACCESS instead? The ipc(2) syscall is much too broad to allow in a sandbox - it includes a number of capabilities that could be used for sandbox escape. Is there a safe subset that could be enabled? Is there any documentation on the ZSENDEP11CPRB ioctl? -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-03 13:56 UTC
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Jakub Jelen <jjelen at redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jjelen at redhat.com --- Comment #8 from Jakub Jelen <jjelen at redhat.com> --- Eduardo, are these changes still needed? I am interested mostly in the ZSENDEP11CPRB, which is carried in most of the distros (suse, ubuntu, fedora), but not yet merged because of unanswered question in the last comment. My searches on the interned did not uncover anything interesting, but mostly kernel drivers source code and examples [1]. Damien, would it be possible to merge this as there are already many others ioctls for s390 in, from commits b3a77b25e, e3ea335ab and 5f1596e11 ? [1] https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lkdd/lkdd_r_zcryptctl_cmd.html -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-05 08:31 UTC
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Blocks| |2988 Resolution|--- |FIXED --- Comment #9 from Damien Miller <djm at mindrot.org> --- Applied and will be in OpenSSH 8.1 Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=2988 [Bug 2988] Tracking bug for 8.1 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.