action #124251
open
[qe-core]Implement userspace livepatching tests for openssl
Added by vsvecova almost 2 years ago.
Updated 9 months ago.
Description
- Adapt existing openssl tests for livepatching
- Bot has to be updated to schedule SLE-Module-Live-Patching:15-SP4
- It needs to run tests with "older openssl" packages
- LD_PRELOAD=libpulp.so needs to be injected into the tested packages, otherwise livepatching does not get active
- tests/kernel/ulp_openposix.pm has quite some wrapper baseline code already for glibc, but similar can be done for openssl
Related ticket: https://progress.opensuse.org/issues/112004 (ULP tests implemented by mdoucha for glibc-livepatches and libpulp0)
sample long running openssl users:
apache2
openssh (daemon)
postfix
you would need to inject the LD_PRELOAD=libpulp.so however in their systemd config scripts via:
[Service]
Environment="LD_PRELOAD=libpulp.so.0"
Sample manual test procedure:
- install all updates
- configure apache2 for SSL support
- configure apache2 for livepatch support, add in the [Service] section:
Environment="LD_PRELOAD=libpulp.so.0"
- start apache2 and verify SSL access works.
- verify libpulp.so is loaded in httpd using "lsof"
lsof |grep http.*pulp
Then we need to test all variants that get livepatched:
LOOP over all released openssl-1_1 versions (GA, 1st Update, 2nd Update, ... last update)
- install the selected libopenssl1_1 version
- restart apache2 to use this version
- test https access to the apache2 server
- apply the openssl-livepatches RPM. It SHOULD report something like:
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22685): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22691): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22692): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22693): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22694): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22695): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: Processes patched: 0, Skipped: 6, Failed: 0.
(output is weird ... not sure if this is 100% ok)
- test https access to the apache2 server again, if not FAIL
- test if lp is really loaded (it loads the shared module from the package), if not FAIL
lsof |grep http.*livepatches
httpd-pre 22685 root mem REG 253,2 6760 242393 /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
My understanding is that in future qam-kernel/qam-sle groups are not to be assigned for such updates
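As an added example that is not part of the ticket: a small POSIX shell script that turns the two verification steps of the manual procedure above (cross-checking the ulp output, and confirming that libpulp and the livepatch object are mapped into httpd) into functions run on captured text. The sample captures are constructed here, modelled on the output quoted in the ticket; the lsof size and inode numbers for libpulp.so.0 are made up.

```shell
#!/bin/sh
# Added helper (not from the ticket): automates the two checks of the manual
# openssl livepatch procedure on captured text, so the logic runs offline.
# On a real host, feed it the output of `ulp patches ...` and `lsof -p <pid>`.

LP_DIR=/usr/lib64/openssl-1_1-livepatches   # livepatch location from the ticket

# Cross-check the per-process SUCCESS lines against the summary line.
# Exit codes: 0 = consistent, 1 = failures reported or no SUCCESS at all,
# 2 = SUCCESS lines present but the summary counts 0 patched (the "weird"
# output quoted in the ticket; treat as needs-investigation, not as pass).
check_ulp_output() {
    success=$(grep -c '^httpd[^ ]* (pid: [0-9]*): SUCCESS ' "$1" || true)
    patched=$(sed -n 's/^ulp: Processes patched: \([0-9]*\),.*/\1/p' "$1")
    failed=$(sed -n 's/^ulp: Processes patched: .*Failed: \([0-9]*\)\./\1/p' "$1")
    [ "${failed:-0}" -eq 0 ] && [ "$success" -gt 0 ] || return 1
    [ "${patched:-0}" -eq "$success" ] || return 2
}

# From an lsof/maps listing of one httpd process, require both libpulp.so.0
# (the LD_PRELOAD from the systemd drop-in) and a livepatch object to be mapped.
check_process_maps() {
    grep -q 'libpulp\.so' "$1" || { echo "FAIL: libpulp not loaded"; return 1; }
    grep -q "$LP_DIR/.*_livepatch[0-9]*\.so" "$1" || { echo "FAIL: livepatch not loaded"; return 1; }
    echo "OK: libpulp and livepatch mapped"
}

# Constructed sample captures, modelled on the ticket's quoted output.
SAMPLE_ULP=$(mktemp)
cat >"$SAMPLE_ULP" <<'EOF'
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22685): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
httpd-prefork (pid: 22691): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: Processes patched: 0, Skipped: 2, Failed: 0.
EOF
SAMPLE_LSOF=$(mktemp)
cat >"$SAMPLE_LSOF" <<'EOF'
httpd-pre 22685 root mem REG 253,2 6760 242393 /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
httpd-pre 22685 root mem REG 253,2 12345 242000 /usr/lib64/libpulp.so.0
EOF

if check_ulp_output "$SAMPLE_ULP"; then echo "ulp summary consistent"
else echo "ulp summary inconsistent (rc=$?)"; fi
check_process_maps "$SAMPLE_LSOF"
```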
- Tags set to qe-core-february-sprint
- Status changed from New to In Progress
- Assignee set to dzedro
- Target version set to QE-Core: Ready
- Assignee deleted (dzedro)
- Target version deleted (QE-Core: Ready)
- Sprint set to QE-Core: February Sprint (Feb 08 - Mar 08)
- Category set to New test
- Assignee set to dzedro
- Target version set to QE-Core: Ready
- Sprint changed from QE-Core: February Sprint (Feb 08 - Mar 08) to QE-Core: March Sprint (Mar 08 - Apr 05)
- Sprint changed from QE-Core: March Sprint (Mar 08 - Apr 05) to QE-Core: April Sprint 23 (Apr 05 - May 03)
- Sprint changed from QE-Core: April Sprint 23 (Apr 05 - May 03) to QE-Core: May Sprint 23 (May 10 - May 31)
- Status changed from In Progress to Workable
- Assignee deleted (dzedro)
- Sprint changed from QE-Core: May Sprint 23 (May 10 - May 31) to QE-Core: June Sprint 23 (Jun 14 - Jun 28)
- Sprint changed from QE-Core: June Sprint 23 (Jun 14 - Jun 28) to QE-Core: July Sprint 23 (Jul 05 - Jul 26)
- Category changed from New test to Spike/Research
Perhaps we just need to split this further
- Sprint changed from QE-Core: July Sprint 23 (Jul 05 - Jul 26) to QE-Core: August Sprint 23 (Aug 09 - Sep 04)
- Sprint changed from QE-Core: August Sprint 23 (Aug 09 - Sep 04) to QE-Core: September Sprint 23 (Sep 06 - Oct 04)
- Sprint deleted (QE-Core: September Sprint 23 (Sep 06 - Oct 04))
- Tags deleted (qe-core-february-sprint, qe-core-march-sprint)
- Subject changed from [qe-core] Implement userspace livepatching tests for openssl to [qe-security] Implement userspace livepatching tests for openssl
The more I look at this task, the more it feels that it is a qe-security task, cc @tjyrinki_suse
From the former QE Security we inherited certain specific security related features (STIG, SCAP, apparmor, TPM, ...), and testing libraries like openssl under FIPS. I'd like to keep the current status quo even though it's all lines in sand, mostly because there starts to be more and more security focus in ALP and I'd like to try to distinguish between security-by-default features (security for everyone) and more special security features.
For example for Full Disk Encryption we discussed at one point that QE Core or YaM would test the default FDE, and we would test the TPM part.
For this specific case, it's security all over but it's also a general feature like live patching combined with one of the most common libraries around, so all in all it's not very special.
For openssl we concentrate on fixed openssl versions that do not usually see updates, even live updates.
Does this make sense?
- Subject changed from [qe-security] Implement userspace livepatching tests for openssl to [qe-core] Implement userspace livepatching tests for openssl
We had received the 2nd wave of openssl-*-livepatches, this time for both 15-SP4 and 15-SP5 (S:M:31520:313169 + S:M:31521:313460). To meet the deadlines, tests had to be executed manually.
As the number of products supporting this kind of updates is going to grow steadily, please reconsider raising the priority of this task and make it part of the next sprints.
- Project changed from openQA Tests (public) to 247
- Subject changed from [qe-core] Implement userspace livepatching tests for openssl to Implement userspace livepatching tests for openssl
- Category deleted (Spike/Research)
- Target version deleted (QE-Core: Ready)
Bouncing to Security, as PED-7092
- Project changed from 247 to openQA Tests (public)
- Subject changed from Implement userspace livepatching tests for openssl to [qe-core]Implement userspace livepatching tests for openssl
After discussing with Timo, this is for now out of QESecurity scope. Assigning back to QECore with note, that after SP6 we should review team scopes and adapt team member allocations.
- Copied to action #159456: [qe-core] implement a test 'report live patching state for openssl' added