[ima-evm-utils,2/3] CI/CD: Disable pkcs11 providers for Debian and AltLinux

Message ID 20240621005912.1365462-3-stefanb@linux.vnet.ibm.com (mailing list archive)
State New
Series Enable and disable OpenSSL provider tests

Commit Message

Stefan Berger June 21, 2024, 12:59 a.m. UTC
From: Stefan Berger <stefanb@linux.ibm.com>

Disable testing provider support on Debian:latest and AltLinux:sisyphus
since both now get stuck while running OpenSSL provider-related tests.
This is most likely due to an update in a dependency (OpenSSL, libp11,
softhsm, or others).

On AltLinux the issue is related to a pthread_mutex_lock() down the
C_Login -> C_OpenSession callpath that blocks forever.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 ci/alt.sh    | 2 +-
 ci/debian.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Jonathan McDowell June 21, 2024, 10:03 a.m. UTC | #1
On Thu, Jun 20, 2024 at 08:59:11PM -0400, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.ibm.com>
> 
> Disable testing provider support on Debian:latest and AltLinux:sisyphus
> since both now get stuck while running OpenSSL provider-related tests.
> This is most likely due to an update in a dependency (OpenSSL, libp11,
> softhsm,  or others).

This seems to disable it for both Debian stable + testing.  Is it
actually broken for both?

> On AltLinux the issue is related to a pthread_mutex_lock() down the
> C_Login -> C_OpenSession callpath that blocks forever.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  ci/alt.sh    | 2 +-
>  ci/debian.sh | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/ci/alt.sh b/ci/alt.sh
> index f86dcec..f1eefbf 100755
> --- a/ci/alt.sh
> +++ b/ci/alt.sh
> @@ -28,4 +28,4 @@ apt-get install -y \
>  		xxd \
>  	&& control openssl-gost enabled
>  
> -apt-get install -y pkcs11-provider || true
> +# apt-get install -y pkcs11-provider || true
> diff --git a/ci/debian.sh b/ci/debian.sh
> index e1bae43..34125d4 100755
> --- a/ci/debian.sh
> +++ b/ci/debian.sh
> @@ -59,4 +59,4 @@ $apt \
>  $apt xxd || $apt vim-common
>  $apt libengine-gost-openssl || true
>  $apt softhsm2 gnutls-bin libengine-pkcs11-openssl || true
> -$apt softhsm2 gnutls-bin pkcs11-provider || true
> +# $apt softhsm2 gnutls-bin pkcs11-provider || true
> -- 
> 2.43.0

J.
Mimi Zohar June 21, 2024, 10:24 a.m. UTC | #2
On Fri, 2024-06-21 at 11:03 +0100, Jonathan McDowell wrote:
> On Thu, Jun 20, 2024 at 08:59:11PM -0400, Stefan Berger wrote:
> > From: Stefan Berger <stefanb@linux.ibm.com>
> > 
> > Disable testing provider support on Debian:latest and AltLinux:sisyphus
> > since both now get stuck while running OpenSSL provider-related tests.
> > This is most likely due to an update in a dependency (OpenSSL, libp11,
> > softhsm,  or others).
> 
> This seems to disable it for both Debian stable + testing.  Is it
> actually broken for both?

There is no pkcs11-provider package on stable, so the test is skipped.

> 
> > On AltLinux the issue is related to a pthread_mutex_lock() down the
> > C_Login -> C_OpenSession callpath that blocks forever.
> > 
> > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > ---
> >  ci/alt.sh    | 2 +-
> >  ci/debian.sh | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/ci/alt.sh b/ci/alt.sh
> > index f86dcec..f1eefbf 100755
> > --- a/ci/alt.sh
> > +++ b/ci/alt.sh
> > @@ -28,4 +28,4 @@ apt-get install -y \
> >  		xxd \
> >  	&& control openssl-gost enabled
> >  
> > -apt-get install -y pkcs11-provider || true
> > +# apt-get install -y pkcs11-provider || true
> > diff --git a/ci/debian.sh b/ci/debian.sh
> > index e1bae43..34125d4 100755
> > --- a/ci/debian.sh
> > +++ b/ci/debian.sh
> > @@ -59,4 +59,4 @@ $apt \
> >  $apt xxd || $apt vim-common
> >  $apt libengine-gost-openssl || true
> >  $apt softhsm2 gnutls-bin libengine-pkcs11-openssl || true
> > -$apt softhsm2 gnutls-bin pkcs11-provider || true
> > +# $apt softhsm2 gnutls-bin pkcs11-provider || true
> > -- 
> > 2.43.0
> 
> J.
>
Mimi Zohar June 21, 2024, 11:10 a.m. UTC | #3
[Cc: Vitaly for AltLinux]

On Thu, 2024-06-20 at 20:59 -0400, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.ibm.com>
> 
> Disable testing provider support on Debian:latest and AltLinux:sisyphus
> since both now get stuck while running OpenSSL provider-related tests.
> This is most likely due to an update in a dependency (OpenSSL, libp11,
> softhsm,  or others).
> 
> On AltLinux the issue is related to a pthread_mutex_lock() down the
> C_Login -> C_OpenSession callpath that blocks forever.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  ci/alt.sh    | 2 +-
>  ci/debian.sh | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/ci/alt.sh b/ci/alt.sh
> index f86dcec..f1eefbf 100755
> --- a/ci/alt.sh
> +++ b/ci/alt.sh
> @@ -28,4 +28,4 @@ apt-get install -y \
>  		xxd \
>  	&& control openssl-gost enabled
>  
> -apt-get install -y pkcs11-provider || true
> +# apt-get install -y pkcs11-provider || true
> diff --git a/ci/debian.sh b/ci/debian.sh
> index e1bae43..34125d4 100755
> --- a/ci/debian.sh
> +++ b/ci/debian.sh
> @@ -59,4 +59,4 @@ $apt \
>  $apt xxd || $apt vim-common
>  $apt libengine-gost-openssl || true
>  $apt softhsm2 gnutls-bin libengine-pkcs11-openssl || true
> -$apt softhsm2 gnutls-bin pkcs11-provider || true
> +# $apt softhsm2 gnutls-bin pkcs11-provider || true
Jonathan McDowell June 21, 2024, 11:44 a.m. UTC | #4
On Fri, Jun 21, 2024 at 06:24:38AM -0400, Mimi Zohar wrote:
> On Fri, 2024-06-21 at 11:03 +0100, Jonathan McDowell wrote:
> > On Thu, Jun 20, 2024 at 08:59:11PM -0400, Stefan Berger wrote:
> > > From: Stefan Berger <stefanb@linux.ibm.com>
> > > 
> > > Disable testing provider support on Debian:latest and AltLinux:sisyphus
> > > since both now get stuck while running OpenSSL provider-related tests.
> > > This is most likely due to an update in a dependency (OpenSSL, libp11,
> > > softhsm,  or others).
> > 
> > This seems to disable it for both Debian stable + testing.  Is it
> > actually broken for both?
> 
> There is no pkcs11-provider package on stable, so the test is skipped.

Ah, right. I can't actually figure out what tree Stefan's patch is
against to try myself. https://git.code.sf.net/p/linux-ima/ima-evm-utils
does not have the commented out softhsm2 / pkcs11-provider apt line.
Where should I be looking?

J.
Mimi Zohar June 21, 2024, 8:34 p.m. UTC | #5
On Fri, 2024-06-21 at 12:44 +0100, Jonathan McDowell wrote:
> On Fri, Jun 21, 2024 at 06:24:38AM -0400, Mimi Zohar wrote:
> > On Fri, 2024-06-21 at 11:03 +0100, Jonathan McDowell wrote:
> > > On Thu, Jun 20, 2024 at 08:59:11PM -0400, Stefan Berger wrote:
> > > > From: Stefan Berger <stefanb@linux.ibm.com>
> > > > 
> > > > Disable testing provider support on Debian:latest and AltLinux:sisyphus
> > > > since both now get stuck while running OpenSSL provider-related tests.
> > > > This is most likely due to an update in a dependency (OpenSSL, libp11,
> > > > softhsm,  or others).
> > > 
> > > This seems to disable it for both Debian stable + testing.  Is it
> > > actually broken for both?
> > 
> > There is no pkcs11-provider package on stable, so the test is skipped.
> 
> Ah, right. I can't actually figure out what tree Stefan's patch is
> against to try myself. https://git.code.sf.net/p/linux-ima/ima-evm-utils
> does not have the commented out softhsm2 / pkcs11-provider apt line.
> Where should I be looking?

Upstream should be based on the next-testing branch of 
https://github.com/linux-integrity/ima-evm-utils.git.

Mimi
Jonathan McDowell June 24, 2024, 9:24 a.m. UTC | #6
On Fri, Jun 21, 2024 at 04:34:33PM -0400, Mimi Zohar wrote:
> On Fri, 2024-06-21 at 12:44 +0100, Jonathan McDowell wrote:
> > On Fri, Jun 21, 2024 at 06:24:38AM -0400, Mimi Zohar wrote:
> > > On Fri, 2024-06-21 at 11:03 +0100, Jonathan McDowell wrote:
> > > > On Thu, Jun 20, 2024 at 08:59:11PM -0400, Stefan Berger wrote:
> > > > > From: Stefan Berger <stefanb@linux.ibm.com>
> > > > > 
> > > > > Disable testing provider support on Debian:latest and AltLinux:sisyphus
> > > > > since both now get stuck while running OpenSSL provider-related tests.
> > > > > This is most likely due to an update in a dependency (OpenSSL, libp11,
> > > > > softhsm,  or others).
> > > > 
> > > > This seems to disable it for both Debian stable + testing.  Is it
> > > > actually broken for both?
> > > 
> > > There is no pkcs11-provider package on stable, so the test is skipped.
> > 
> > Ah, right. I can't actually figure out what tree Stefan's patch is
> > against to try myself. https://git.code.sf.net/p/linux-ima/ima-evm-utils
> > does not have the commented out softhsm2 / pkcs11-provider apt line.
> > Where should I be looking?
> 
> Upstream should be based on the next-testing branch of 
> https://github.com/linux-integrity/ima-evm-utils.git.

Thanks, I was able to reproduce with that. There's some sort of deadlock
happening down in the softhsm2 / p11-kit-proxy layers that wasn't
immediately obvious to me. Backtrace at

https://the.earth.li/~noodles/evm-test-failure

in case it means something to someone else.

J.

Patch

diff --git a/ci/alt.sh b/ci/alt.sh
index f86dcec..f1eefbf 100755
--- a/ci/alt.sh
+++ b/ci/alt.sh
@@ -28,4 +28,4 @@  apt-get install -y \
 		xxd \
 	&& control openssl-gost enabled
 
-apt-get install -y pkcs11-provider || true
+# apt-get install -y pkcs11-provider || true
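Review bot: The commented-out `apt-get install -y pkcs11-provider || true` at the end of ci/alt.sh has no explanation in the script itself, so nothing in the file says why the provider is skipped or when it can be restored. Add a short comment above it naming the hang from the commit message (pthread_mutex_lock() blocking in the C_Login -> C_OpenSession path) so the line is not mistaken for dead code and is re-enabled once the dependency is fixed. The provider tests are now switched off only as a side effect of the package being absent, so an explicit skip message in the test run would keep the lost coverage visible in the CI logs.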
diff --git a/ci/debian.sh b/ci/debian.sh
index e1bae43..34125d4 100755
--- a/ci/debian.sh
+++ b/ci/debian.sh
@@ -59,4 +59,4 @@  $apt \
 $apt xxd || $apt vim-common
 $apt libengine-gost-openssl || true
 $apt softhsm2 gnutls-bin libengine-pkcs11-openssl || true
-$apt softhsm2 gnutls-bin pkcs11-provider || true
+# $apt softhsm2 gnutls-bin pkcs11-provider || true
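Review bot: The last line of ci/debian.sh is commented out unconditionally, while the commit message limits the problem to Debian:latest; the script makes no distinction between releases, which is what prompted the stable + testing question in the thread. Either gate the install on the release or add a comment on that line stating that releases without a pkcs11-provider package already skip the test, so the scope of the change matches its description. The line above, `$apt softhsm2 gnutls-bin libengine-pkcs11-openssl || true`, stays active, so softhsm2 is still installed and only the provider path is dropped; since softhsm is listed among the suspected dependencies, the commit message should say that the engine tests are expected to keep passing.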