action #124251

open

[qe-core]Implement userspace livepatching tests for openssl

Added by vsvecova over 1 year ago. Updated 6 months ago.

Status:
Workable
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
2023-02-09
Due date:
% Done:

0%

Estimated time:
Difficulty:

Description

  • Adapt existing openssl tests for livepatching
  • Bot has to be updated to schedule SLE-Module-Live-Patching:15-SP4
  • It needs to run tests with "older openssl" packages
  • LD_PRELOAD=libpulp.so needs to be injected into the tested packages, otherwise livepatching does not get active
  • tests/kernel/ulp_openposix.pm has quite some wrapper baseline code already for glibc, but similar can be done for openssl

Related ticket: https://progress.opensuse.org/issues/112004 (ULP tests implemented by mdoucha for glibc-livepatches and libpulp0)


Related issues 1 (1 open, 0 closed)

Copied to openQA Tests - action #159456: [qe-core] implement a test 'report live patching state for openssl' (Feedback, zluo)

Actions #1

Updated by msmeissn over 1 year ago

Sample long-running openssl users:

apache2
openssh (daemon)
postfix

You would need to inject the LD_PRELOAD=libpulp.so, however, in their systemd config scripts via:

[Service]
Environment="LD_PRELOAD=libpulp.so.0"

Actions #2

Updated by msmeissn over 1 year ago

Sample manual test procedure:

  • install all updates
  • configure apache2 for SSL support
  • configure apache2 for livepatch support, add in the [Service] section:

Environment="LD_PRELOAD=libpulp.so.0"

  • start apache2 and verify SSL access works.
  • verify libpulp.so is loaded in httpd using "lsof": lsof | grep http.*pulp

Then we need to test all variants that get livepatched:

LOOP over all released openssl-1_1 versions (GA, 1st Update, 2nd Update, ... last update)

  • install the selected libopenssl1_1 version
  • restart apache2 to use this version
  • test https access to the apache2 server
  • apply the openssl-livepatches RPM. it SHOULD report something like:

ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22685): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22691): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22692): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22693): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22694): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22695): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: Processes patched: 0, Skipped: 6, Failed: 0.
(output is weird ... not sure if this is 100% ok)

  • test https access to the apache2 server again, if not FAIL
  • test if lp is really loaded (it loads the shared module from the package), if not FAIL:

lsof | grep http.*livepatches
httpd-pre 22685 root mem REG 253,2 6760 242393 /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so

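
Added example (not from this ticket, and not code from the openQA test suite or from libpulp): the drop-in from #1 and the checks from #2 written as shell functions, so that the pass/fail decisions can be exercised on captured output before they are wired into an openQA test. Assumptions not stated in the ticket: the service is apache2 on a systemd host, curl and lsof are installed, the livepatch package is called openssl-1_1-livepatches, the drop-in file name is ours, and the libopenssl1_1 versions are passed in by the caller. The two sample outputs are constructed (the ulp one is shortened from the output quoted in #2).

```shell
#!/bin/sh
# Added example, not code from the ticket or from the openQA test suite.
# Assumptions (not in the ticket): apache2 on systemd, curl and lsof present,
# livepatch package name openssl-1_1-livepatches, drop-in file name is ours.

# Comment #1: inject libpulp via a systemd drop-in instead of editing the
# unit file. The [Service] lines are the ticket's; the drop-in path is ours.
install_ulp_dropin() {
    unit="${1:-apache2}"
    dir="/etc/systemd/system/${unit}.service.d"
    mkdir -p "$dir" || return 1
    printf '[Service]\nEnvironment="LD_PRELOAD=libpulp.so.0"\n' > "$dir/ulp-preload.conf" || return 1
    systemctl daemon-reload && systemctl restart "$unit"
}

# Check A (comment #2, "lsof | grep http.*pulp" and "http.*livepatches"):
# lsof output on stdin must contain a 'mem' mapping of a library matching $2
# in a process whose COMMAND column matches $1. lsof truncates COMMAND to
# nine characters, so httpd-prefork shows up as "httpd-pre".
lsof_maps_lib() {
    grep -Eq "^$1[^[:space:]]*[[:space:]]+[0-9]+[[:space:]].*[[:space:]]mem[[:space:]].*$2"
}

# Check B: decide from the output of applying the livepatch RPM whether the
# patch went in. The ticket author noted that the summary read
# "Processes patched: 0" while every httpd pid reported SUCCESS, so this
# check counts the per-pid SUCCESS lines as well as reading the summary and
# fails only on Failed > 0 or when neither source shows a patched process.
# Prints "patched=N skipped=S failed=F success_lines=L"; returns 0 on pass.
ulp_verdict() {
    out=$(cat)
    summary=$(printf '%s\n' "$out" | sed -n \
        's/^ulp: Processes patched: \([0-9]*\), Skipped: \([0-9]*\), Failed: \([0-9]*\)\..*/\1 \2 \3/p')
    [ -n "$summary" ] || { echo "no ulp summary line found"; return 2; }
    set -- $summary
    patched=$1; skipped=$2; failed=$3
    success=$(printf '%s\n' "$out" | grep -c '): SUCCESS ') || true
    echo "patched=$patched skipped=$skipped failed=$failed success_lines=$success"
    [ "$failed" -eq 0 ] || return 1
    [ "$patched" -gt 0 ] || [ "$success" -gt 0 ]
}

# Check C: an HTTP status from curl counts as working https only if it is
# 2xx or 3xx; a TLS handshake failure leaves curl with no status ("000").
status_is_ok() {
    case "$1" in
        2[0-9][0-9]|3[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 URL, $2 optional CA file for the test server's certificate (verify the
# chain rather than passing -k, otherwise a broken TLS stack still "passes").
https_ok() {
    url="$1"; ca="${2:-}"
    if [ -n "$ca" ]; then
        code=$(curl -sS --cacert "$ca" -o /dev/null -w '%{http_code}' "$url")
    else
        code=$(curl -sS -o /dev/null -w '%{http_code}' "$url")
    fi
    status_is_ok "$code"
}

# Driver for the version loop of comment #2: run_livepatch_loop URL CA VER...
# The version strings are placeholders supplied by the caller.
run_livepatch_loop() {
    url="$1"; ca="$2"; shift 2
    for ver in "$@"; do
        echo "== libopenssl1_1-$ver =="
        zypper --non-interactive install --oldpackage "libopenssl1_1-$ver" || return 1
        systemctl restart apache2 || return 1
        https_ok "$url" "$ca" || { echo "FAIL: https before livepatch"; return 1; }
        zypper --non-interactive install openssl-1_1-livepatches 2>&1 | ulp_verdict \
            || { echo "FAIL: livepatch not applied"; return 1; }
        https_ok "$url" "$ca" || { echo "FAIL: https after livepatch"; return 1; }
        lsof | lsof_maps_lib 'httpd' 'openssl-1_1-livepatches/.*_livepatch[0-9]+\.so' \
            || { echo "FAIL: livepatch library not mapped in httpd"; return 1; }
        echo "PASS $ver"
    done
}

# Constructed sample, shortened from the ulp output quoted in comment #2.
ULP_SAMPLE='ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22685): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
httpd-prefork (pid: 22691): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: Processes patched: 0, Skipped: 2, Failed: 0.'

# Constructed lsof sample: one line from the ticket, two made up for contrast.
LSOF_SAMPLE='httpd-pre 22685 root mem REG 253,2 6760 242393 /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
httpd-pre 22685 root mem REG 253,2 90112 242001 /usr/lib64/libpulp.so.0
bash 1234 root txt REG 253,2 1183448 12345 /usr/bin/bash'
```

Only the three check functions run on stdin, so they can be fed the captured samples (printf '%s\n' "$ULP_SAMPLE" | ulp_verdict) without a host; run_livepatch_loop is the part that needs the real SUT and root.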
Actions #3

Updated by pluskalm over 1 year ago

My understanding is that in future qam-kernel/qam-sle groups are not to be assigned for such updates

Actions #4

Updated by dzedro over 1 year ago

  • Tags set to qe-core-february-sprint
  • Status changed from New to In Progress
  • Assignee set to dzedro
  • Target version set to QE-Core: Ready
Actions #5

Updated by pluskalm over 1 year ago

  • Assignee deleted (dzedro)
  • Target version deleted (QE-Core: Ready)
Actions #6

Updated by szarate over 1 year ago

  • Sprint set to QE-Core: February Sprint (Feb 08 - Mar 08)
  • Category set to New test
  • Assignee set to dzedro
  • Target version set to QE-Core: Ready
Actions #7

Updated by szarate over 1 year ago

  • Sprint changed from QE-Core: February Sprint (Feb 08 - Mar 08) to QE-Core: March Sprint (Mar 08 - Apr 05)
Actions #8

Updated by szarate over 1 year ago

  • Sprint changed from QE-Core: March Sprint (Mar 08 - Apr 05) to QE-Core: April Sprint 23 (Apr 05 - May 03)
Actions #9

Updated by szarate over 1 year ago

  • Sprint changed from QE-Core: April Sprint 23 (Apr 05 - May 03) to QE-Core: May Sprint 23 (May 10 - May 31)
Actions #10

Updated by fgerling over 1 year ago

  • Status changed from In Progress to Workable
  • Assignee deleted (dzedro)
Actions #11

Updated by szarate over 1 year ago

  • Sprint changed from QE-Core: May Sprint 23 (May 10 - May 31) to QE-Core: June Sprint 23 (Jun 14 - Jun 28)
Actions #12

Updated by szarate over 1 year ago

  • Sprint changed from QE-Core: June Sprint 23 (Jun 14 - Jun 28) to QE-Core: July Sprint 23 (Jul 05 - Jul 26)
Actions #13

Updated by szarate over 1 year ago

  • Category changed from New test to Spike/Research

Perhaps we just need to split this further

Actions #14

Updated by szarate about 1 year ago

  • Sprint changed from QE-Core: July Sprint 23 (Jul 05 - Jul 26) to QE-Core: August Sprint 23 (Aug 09 - Sep 04)
Actions #15

Updated by szarate about 1 year ago

  • Sprint changed from QE-Core: August Sprint 23 (Aug 09 - Sep 04) to QE-Core: September Sprint 23 (Sep 06 - Oct 04)
Actions #16

Updated by szarate about 1 year ago

  • Sprint deleted (QE-Core: September Sprint 23 (Sep 06 - Oct 04))
  • Tags deleted (qe-core-february-sprint, qe-core-march-sprint)
  • Subject changed from [qe-core] Implement userspace livepatching tests for openssl to [qe-security] Implement userspace livepatching tests for openssl
Actions #17

Updated by szarate about 1 year ago

The more I look at this task, the more it feels that it is a qe-security task, cc @tjyrinki_suse

Actions #18

Updated by tjyrinki_suse about 1 year ago

From the former QE Security we inherited certain specific security related features (STIG, SCAP, apparmor, TPM, ...), and testing libraries like openssl under FIPS. I'd like to keep the current status quo even though it's all lines in sand, mostly because there starts to be more and more security focus in ALP and I'd like to try to distinguish between security-by-default features (security for everyone) and more special security features.

For example for Full Disk Encryption we discussed at one point that QE Core or YaM would test the default FDE, and we would test the TPM part.

For this specific case, it's security all over but it's also a general feature like live patching combined with one of the most common libraries around, so all in all it's not very special.

For openssl we concentrate on fixed openssl versions that do not usually see updates, even live updates.

Does this make sense?

Actions #19

Updated by tjyrinki_suse about 1 year ago

  • Subject changed from [qe-security] Implement userspace livepatching tests for openssl to [qe-core] Implement userspace livepatching tests for openssl
Actions #20

Updated by pluskalm 10 months ago

See also updated testing https://qam.suse.de/reports/SUSE:Maintenance:31520:313169/log due to some packaging changes (livepatches now pull in fixed version of library so that manual downgrade to vulnerable version is necessary)

Actions #21

Updated by hrommel1 10 months ago

We had received the 2nd wave of openssl-*-livepatches, this time for both 15-SP4 and 15-SP5 (S:M:31520:313169 + S:M:31521:313460). To meet the deadlines, tests had to be executed manually.

As the number of products supporting these kinds of updates is going to grow steadily, please reconsider raising the priority of this task and make it part of the next sprints.

Actions #22

Updated by szarate 6 months ago

  • Project changed from openQA Tests to 247
  • Subject changed from [qe-core] Implement userspace livepatching tests for openssl to Implement userspace livepatching tests for openssl
  • Category deleted (Spike/Research)
  • Target version deleted (QE-Core: Ready)

Bouncing to Security, as PED-7092

Actions #23

Updated by jstehlik 6 months ago

  • Project changed from 247 to openQA Tests
  • Subject changed from Implement userspace livepatching tests for openssl to [qe-core]Implement userspace livepatching tests for openssl

After discussing with Timo, this is for now out of QESecurity scope. Assigning back to QECore with a note that after SP6 we should review team scopes and adapt team member allocations.

Actions #24

Updated by zluo 6 months ago

  • Copied to action #159456: [qe-core] implement a test 'report live patching state for openssl' added