action #124251
open[qe-core]Implement userspace livepatching tests for openssl
0%
Description
- Adapt existing
openssltests for livepatching - Bot has to be updated to schedule
SLE-Module-Live-Patching:15-SP4 - It needs to run tests with "older openssl" packages
-
LD_PRELOAD=libpulp.soneeds to injected into the tested packages, otherwise livepatching does not get active -
tests/kernel/ulp_openposix.pmhas quite some wrapper baseline code already for glibc, but similar can be done for openssl
Related ticket: https://progress.opensuse.org/issues/112004 (ULP tests implemented by mdoucha for glibc-livepatches and libpulp0)
Updated by msmeissn about 2 years ago
sample long running openssl users:
apache2
openssh (daemon)
postfix
you would need to inject the LD_PRELOAD=libpulp.so howevert in their systemd config scripts via:
[Service]
Environment="LD_PRELOAD=libpulp.so.0"
Updated by msmeissn about 2 years ago
Sample manual testprocedure:
- install all updates
- configure apache2 for SSL support
- configure apache2 for livepatch support, add in the [Service] section:
Environment="LD_PRELOAD=libpulp.so.0"
- start apache2 and verify SSL access works.
- verify libpulp.so is loaded in httpd using "lsof"
lsof |grep http.*pulp
Then we need to test all variants that get livepatched:
LOOP over all released openssl-1_1 versions (GA, 1st Update, 2nd Update, ... last update)
- install the selected libopenssl1_1 version
- restart apache2 to use this version
- test https access to the apache2 server
- apply the openssl-livepatches RPM. it SHOULD report something like:
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22685): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22691): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22692): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22693): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22694): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22695): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: Processes patched: 0, Skipped: 6, Failed: 0.
(output is weird ... not sure if this is 100% ok)
- test https access to the apache2 server again , if not FAIL
- test if lp is really loaded ( it loads the shared module from the package), if not FAIL
lsof |grep http.*livepatches
httpd-pre 22685 root mem REG 253,2 6760 242393 /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
Updated by pluskalm about 2 years ago
My understanding is that in future qam-kernel/qam-sle groups are not to be assigned for such updates
Updated by dzedro about 2 years ago
- Tags set to qe-core-february-sprint
- Status changed from New to In Progress
- Assignee set to dzedro
- Target version set to QE-Core: Ready
Updated by pluskalm about 2 years ago
- Assignee deleted (
dzedro) - Target version deleted (
QE-Core: Ready)
See also https://qam.suse.de/reports/SUSE:Maintenance:27706:289566/log for ssh used for testing
Updated by szarate about 2 years ago
- Sprint set to QE-Core: February Sprint (Feb 08 - Mar 08)
- Category set to New test
- Assignee set to dzedro
- Target version set to QE-Core: Ready
Updated by szarate about 2 years ago
- Sprint changed from QE-Core: February Sprint (Feb 08 - Mar 08) to QE-Core: March Sprint (Mar 08 - Apr 05)
Updated by szarate about 2 years ago
- Sprint changed from QE-Core: March Sprint (Mar 08 - Apr 05) to QE-Core: April Sprint 23 (Apr 05 - May 03)
Updated by szarate almost 2 years ago
- Sprint changed from QE-Core: April Sprint 23 (Apr 05 - May 03) to QE-Core: May Sprint 23 (May 10 - May 31)
Updated by fgerling almost 2 years ago
- Status changed from In Progress to Workable
- Assignee deleted (
dzedro)
Updated by szarate almost 2 years ago
- Sprint changed from QE-Core: May Sprint 23 (May 10 - May 31) to QE-Core: June Sprint 23 (Jun 14 - Jun 28)
Updated by szarate almost 2 years ago
- Sprint changed from QE-Core: June Sprint 23 (Jun 14 - Jun 28) to QE-Core: July Sprint 23 (Jul 05 - Jul 26)
Updated by szarate almost 2 years ago
- Category changed from New test to Spike/Research
Perhaps we just need to split this further
Updated by szarate over 1 year ago
- Sprint changed from QE-Core: July Sprint 23 (Jul 05 - Jul 26) to QE-Core: August Sprint 23 (Aug 09 - Sep 04)
Updated by szarate over 1 year ago
- Sprint changed from QE-Core: August Sprint 23 (Aug 09 - Sep 04) to QE-Core: September Sprint 23 (Sep 06 - Oct 04)
Updated by szarate over 1 year ago
- Sprint deleted (
QE-Core: September Sprint 23 (Sep 06 - Oct 04)) - Tags deleted (
qe-core-february-sprint, qe-core-march-sprint) - Subject changed from [qe-core] Implement userspace livepatching tests for openssl to [qe-security] Implement userspace livepatching tests for openssl
Updated by szarate over 1 year ago
The more I look at this task, the more it feels that it is a qe-security task, cc @tjyrinki_suse
Updated by tjyrinki_suse over 1 year ago
From the former QE Security we inherited certain specific security related features (STIG, SCAP, apparmor, TPM, ...), and testing libraries like openssl under FIPS.I'd like to keep the current status quo even though it's all lines in sand, mostly because there starts to be more and more security focus in ALP and I'd like to try distinct between security-by-default features (security for everyone) and more special security features.
For example for Full Disk Encryption we discussed at one point that QE Core or YaM would test the default FDE, and we would test the TPM part.
For this specific case, it's security all over but it's also a general feature like live patching combined with one of the most common libraries around, so all in all it's not very special.
For openssl we concentrate on fixed openssl versions that do not usually see updates, even live updates.
Does this make sense?
Updated by tjyrinki_suse over 1 year ago
- Subject changed from [qe-security] Implement userspace livepatching tests for openssl to [qe-core] Implement userspace livepatching tests for openssl
Updated by pluskalm over 1 year ago
See also updated testing https://qam.suse.de/reports/SUSE:Maintenance:31520:313169/log due to some packaging changes (livepatches now pull in fixed version of library so that manual downgrade to vulnerable version is necessary)
Updated by hrommel1 over 1 year ago
We had received the 2nd wave of openssl-*-livepatches, this time for both 15-SP4 and 15-SP5 (S:M:31520:313169 + S:M:31521:313460). To meet the deadlines, tests had to be executed manually.
As the number of products supporting these kind of updates is going to grow steady, please reconsider raising the priority of this task and make it part of the next sprints.
Updated by szarate about 1 year ago
- Project changed from openQA Tests (public) to 247
- Subject changed from [qe-core] Implement userspace livepatching tests for openssl to Implement userspace livepatching tests for openssl
- Category deleted (
Spike/Research) - Target version deleted (
QE-Core: Ready)
Bouncing to Security, as PED-7092
Updated by jstehlik about 1 year ago
- Project changed from 247 to openQA Tests (public)
- Subject changed from Implement userspace livepatching tests for openssl to [qe-core]Implement userspace livepatching tests for openssl
After discussing with Timo, this is for now out of QESecurity scope. Assigning back to QECore with note, that after SP6 we should review team scopes and adapt team member allocations.
Updated by zluo about 1 year ago
- Copied to action #159456: [qe-core] implement a test 'report live patching state for openssl' added
Updated by slo-gin 27 days ago
This ticket was set to Normal priority but was not updated within the SLO period. Please consider picking up this ticket or just set the ticket to the next lower priority.