action #124251
open[qe-core]Implement userspace livepatching tests for openssl
Added by vsvecova about 1 year ago. Updated 26 days ago.
0%
Description
- Adapt existing
openssltests for livepatching - Bot has to be updated to schedule
SLE-Module-Live-Patching:15-SP4 - It needs to run tests with "older openssl" packages
LD_PRELOAD=libpulp.soneeds to injected into the tested packages, otherwise livepatching does not get activetests/kernel/ulp_openposix.pmhas quite some wrapper baseline code already for glibc, but similar can be done for openssl
Related ticket: https://progress.opensuse.org/issues/112004 (ULP tests implemented by mdoucha for glibc-livepatches and libpulp0)
Updated by msmeissn about 1 year ago
sample long running openssl users:
apache2
openssh (daemon)
postfix
you would need to inject the LD_PRELOAD=libpulp.so howevert in their systemd config scripts via:
[Service]
Environment="LD_PRELOAD=libpulp.so.0"
Updated by msmeissn about 1 year ago
Sample manual testprocedure:
- install all updates
- configure apache2 for SSL support
- configure apache2 for livepatch support, add in the [Service] section:
Environment="LD_PRELOAD=libpulp.so.0"
- start apache2 and verify SSL access works.
- verify libpulp.so is loaded in httpd using "lsof"
lsof |grep http.*pulp
Then we need to test all variants that get livepatched:
LOOP over all released openssl-1_1 versions (GA, 1st Update, 2nd Update, ... last update)
- install the selected libopenssl1_1 version
- restart apache2 to use this version
- test https access to the apache2 server
- apply the openssl-livepatches RPM. it SHOULD report something like:
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22685): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22691): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22692): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22693): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22694): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22695): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: Processes patched: 0, Skipped: 6, Failed: 0.
(output is weird ... not sure if this is 100% ok)
- test https access to the apache2 server again , if not FAIL
- test if lp is really loaded ( it loads the shared module from the package), if not FAIL lsof |grep http.*livepatches httpd-pre 22685 root mem REG 253,2 6760 242393 /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
Updated by pluskalm about 1 year ago
My understanding is that in future qam-kernel/qam-sle groups are not to be assigned for such updates
Updated by dzedro about 1 year ago
- Tags set to qe-core-february-sprint
- Status changed from New to In Progress
- Assignee set to dzedro
- Target version set to QE-Core: Ready
Updated by pluskalm about 1 year ago
- Assignee deleted (
dzedro) - Target version deleted (
QE-Core: Ready)
See also https://qam.suse.de/reports/SUSE:Maintenance:27706:289566/log for ssh used for testing
Updated by szarate about 1 year ago
- Sprint set to QE-Core: February Sprint (Feb 08 - Mar 08)
- Category set to New test
- Assignee set to dzedro
- Target version set to QE-Core: Ready
Updated by szarate about 1 year ago
- Sprint changed from QE-Core: February Sprint (Feb 08 - Mar 08) to QE-Core: March Sprint (Mar 08 - Apr 05)
Updated by szarate about 1 year ago
- Sprint changed from QE-Core: March Sprint (Mar 08 - Apr 05) to QE-Core: April Sprint 23 (Apr 05 - May 03)
Updated by szarate 8 months ago
- Sprint deleted (
QE-Core: September Sprint 23 (Sep 06 - Oct 04)) - Tags deleted (
qe-core-february-sprint, qe-core-march-sprint) - Subject changed from [qe-core] Implement userspace livepatching tests for openssl to [qe-security] Implement userspace livepatching tests for openssl
Updated by szarate 8 months ago
The more I look at this task, the more it feels that it is a qe-security task, cc @tjyrinki_suse
Updated by tjyrinki_suse 8 months ago
From the former QE Security we inherited certain specific security related features (STIG, SCAP, apparmor, TPM, ...), and testing libraries like openssl under FIPS.I'd like to keep the current status quo even though it's all lines in sand, mostly because there starts to be more and more security focus in ALP and I'd like to try distinct between security-by-default features (security for everyone) and more special security features.
For example for Full Disk Encryption we discussed at one point that QE Core or YaM would test the default FDE, and we would test the TPM part.
For this specific case, it's security all over but it's also a general feature like live patching combined with one of the most common libraries around, so all in all it's not very special.
For openssl we concentrate on fixed openssl versions that do not usually see updates, even live updates.
Does this make sense?
Updated by tjyrinki_suse 8 months ago
- Subject changed from [qe-security] Implement userspace livepatching tests for openssl to [qe-core] Implement userspace livepatching tests for openssl
Updated by pluskalm 5 months ago
See also updated testing https://qam.suse.de/reports/SUSE:Maintenance:31520:313169/log due to some packaging changes (livepatches now pull in fixed version of library so that manual downgrade to vulnerable version is necessary)
Updated by hrommel1 5 months ago
We had received the 2nd wave of openssl-*-livepatches, this time for both 15-SP4 and 15-SP5 (S:M:31520:313169 + S:M:31521:313460). To meet the deadlines, tests had to be executed manually.
As the number of products supporting these kind of updates is going to grow steady, please reconsider raising the priority of this task and make it part of the next sprints.
Updated by szarate 27 days ago
- Project changed from openQA Tests to 247
- Subject changed from [qe-core] Implement userspace livepatching tests for openssl to Implement userspace livepatching tests for openssl
- Category deleted (
Spike/Research) - Target version deleted (
QE-Core: Ready)
Bouncing to Security, as PED-7092
Updated by jstehlik 26 days ago
- Project changed from 247 to openQA Tests
- Subject changed from Implement userspace livepatching tests for openssl to [qe-core]Implement userspace livepatching tests for openssl
After discussing with Timo, this is for now out of QESecurity scope. Assigning back to QECore with note, that after SP6 we should review team scopes and adapt team member allocations.
Updated by zluo 15 days ago
- Copied to action #159456: [qe-core] implement a test 'report live patching state for openssl' added