Bug 2142660

Summary: using --escrowcert with LUKS and FIPS results in segfault
Product: Red Hat Enterprise Linux 8
Component: libblockdev
Version: 8.6
Reporter: Lark Gordon <lagordon>
Assignee: Vojtech Trefny <vtrefny>
QA Contact: guazhang <guazhang>
CC: guazhang, JONATHAN.SATTELBERGER, jstodola, vtrefny
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Linux
Fixed In Version: libblockdev-2.28-2.el8
Clone Of:
: 2143223 2143226
Last Closed: 2023-05-16 08:16:22 UTC
Type: Bug
Bug Blocks: 2143223

Description Lark Gordon 2022-11-14 19:28:57 UTC
Description of problem:
When installing a new RHEL 8 system using the following partitioning scheme: 
----------------------------------
autopart --type=lvm --encrypted --luks-version=luks2 --passphrase=XXXXX --escrowcert=http://XXXXX/escrow-ca.crt --backuppassphrase
----------------------------------

installation fails with: 
----------------------------------
19:15:49,702 WARNING org.fedoraproject.Anaconda.Modules.Storage:DEBUG:blivet:escrow: escrow_volume start for /dev/sda2
19:15:52,388 WARNING org.fedoraproject.Anaconda.Modules.Storage:WARNING:py.warnings:/usr/lib64/python3.6/site-packages/gi/overrides/BlockDev.py:253: Warning: GError set over the top of a previous GError or uninitialized memory.
19:15:52,388 WARNING org.fedoraproject.Anaconda.Modules.Storage:This indicates a bug in someone's code. You must ensure an error is NULL before it's set.
19:15:52,388 WARNING org.fedoraproject.Anaconda.Modules.Storage:The overwriting error message was: Failed to get escrow data
19:15:52,388 WARNING org.fedoraproject.Anaconda.Modules.Storage:  return _crypto_escrow_device(device, passphrase, cert_data, directory, backup_passphrase)
19:15:52,389 WARNING org.fedoraproject.Anaconda.Modules.Storage:Fatal Python error: Segmentation fault
----------------------------------

Version-Release number of selected component (if applicable):
RHEL 8.6

How reproducible:
Every time

Steps to Reproduce:
1. Create an escrow cert: 
--------------------------------
# openssl req -newkey rsa:4096 -keyout escrow-ca.key -nodes \
   -x509 -days 7300 \
   -out escrow-ca.crt \
   -subj '/C=US/ST=State/L=City/O=Org/OU=Red Hat/emailAddress=lark/CN=example.com'
--------------------------------
2. Configure a kickstart which uses the cert, for example:
----------------------------------
autopart --type=lvm --encrypted --luks-version=luks2 --passphrase=XXXXX --escrowcert=http://XXXXX/escrow-ca.crt --backuppassphrase
----------------------------------
3. Attempt to install a new RHEL 8 server with FIPS enabled using the kickstart.

*NOTE: Able to reproduce with luks-version=luks2 and luks-version=luks1

Actual results:
Installation fails with traceback and segfault

Expected results:
Should be able to install a system with luks encryption, a backup passphrase, and FIPS enabled.

Additional info:
Attaching installation logs from a failed install. 

Issue is NOT reproducible if fips is not enabled.

Comment 3 Vojtech Trefny 2022-11-15 12:19:43 UTC
This definitely starts with a bug in libblockdev code, so I am moving this to libblockdev. But the segfault happens in an error path, so there probably is a different issue with the volume key + fips installation, probably in libvolume_key, but I can report a new bug when I have the libblockdev fix ready for testing.

Comment 4 Vojtech Trefny 2022-11-16 11:56:16 UTC
upstream PR: https://github.com/storaged-project/libblockdev/pull/816

Note that this only fixes the segfault caused by libblockdev; the installation will still fail when creating the escrow packet with "security library: received bad data.". I will clone this bug to volume_key to track this separately.

Comment 7 guazhang@redhat.com 2022-12-01 05:12:57 UTC
Hi

# fips-mode-setup --check
FIPS mode is enabled.

libblockdev-2.28-1.el8.x86_64

[root@storageqe-25 libblockdev-2.28]# python3 tests/run_tests.py crypto_test.CryptoTestEscrow.test_backup_passphrase -i
/root/rpmbuild/BUILD/libblockdev-2.28/tests/crypto_test.py:13: PyGIWarning: BlockDev was imported without specifying a version first. Use gi.require_version('BlockDev', '2.0') before import to ensure that the right version gets loaded.
  from gi.repository import BlockDev, GLib
test_backup_passphrase (crypto_test.CryptoTestEscrow)
Verify that a backup passphrase can be created for a device ... 

Generating key.  This may take a few moments...

/usr/lib64/python3.6/site-packages/gi/overrides/BlockDev.py:253: Warning: GError set over the top of a previous GError or uninitialized memory.
This indicates a bug in someone's code. You must ensure an error is NULL before it's set.
The overwriting error message was: Failed to get escrow data
  return _crypto_escrow_device(device, passphrase, cert_data, directory, backup_passphrase)
malloc_consolidate(): unaligned fastbin chunk detected
Aborted (core dumped)




libblockdev-2.28-2.el8.x86_64 
[root@storageqe-25 libblockdev-2.28]# python3 tests/run_tests.py crypto_test.CryptoTestEscrow.test_backup_passphrase -i
/root/rpmbuild/BUILD/libblockdev-2.28/tests/crypto_test.py:13: PyGIWarning: BlockDev was imported without specifying a version first. Use gi.require_version('BlockDev', '2.0') before import to ensure that the right version gets loaded.
  from gi.repository import BlockDev, GLib
test_backup_passphrase (crypto_test.CryptoTestEscrow)
Verify that a backup passphrase can be created for a device ... 

Generating key.  This may take a few moments...

ERROR

======================================================================
ERROR: test_backup_passphrase (crypto_test.CryptoTestEscrow)
Verify that a backup passphrase can be created for a device
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/rpmbuild/BUILD/libblockdev-2.28/tests/crypto_test.py", line 722, in test_backup_passphrase
    escrow_dir, backup_passphrase)
  File "/usr/lib64/python3.6/site-packages/gi/overrides/BlockDev.py", line 253, in crypto_escrow_device
    return _crypto_escrow_device(device, passphrase, cert_data, directory, backup_passphrase)
GLib.GError: g-bd-crypto-error-quark: Failed to get escrow data: security library: received bad data. (12)

----------------------------------------------------------------------
Ran 1 test in 16.693s

FAILED (errors=1)
[root@storageqe-25 libblockdev-2.28]#
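
A triage helper for the two failure signatures shown in this report, as an added example that is not part of the original bug thread: it separates the crash in the error path (the GError overwrite warning followed by a segfault or abort) from the clean escrow error that remains with libblockdev-2.28-2.el8. The function name, the verdict labels and the abridged sample logs are assumptions made for this example.

```python
import re

# Signatures copied from the log excerpts quoted in this bug report.
OVERWRITE = "GError set over the top of a previous GError"
OVERWRITE_MSG = re.compile(r"The overwriting error message was: (.+)$")
CRASH = re.compile(r"Fatal Python error: Segmentation fault"
                   r"|malloc_consolidate\(\)|Aborted \(core dumped\)")
ESCROW_START = re.compile(r"escrow_volume start for (\S+)")
CLEAN_ERROR = re.compile(r"GLib\.GError: g-bd-crypto-error-quark: (.+)$")


def classify_escrow_failure(log_text):
    """Return verdict 'crash-in-error-path', 'escrow-error' or 'none',
    plus the device and error message when the log contains them."""
    result = {"verdict": "none", "device": None, "message": None}
    saw_overwrite = False
    for line in log_text.splitlines():
        m = ESCROW_START.search(line)
        if m:
            result["device"] = m.group(1)
        if OVERWRITE in line:
            saw_overwrite = True
        m = OVERWRITE_MSG.search(line)
        if m and saw_overwrite:
            result["message"] = m.group(1).strip()
        m = CLEAN_ERROR.search(line)
        if m and result["verdict"] == "none":
            result["verdict"] = "escrow-error"
            result["message"] = m.group(1).strip()
        # A crash only counts as this bug when the GError warning preceded it.
        if CRASH.search(line) and saw_overwrite:
            result["verdict"] = "crash-in-error-path"
    return result


# Sample input, abridged from the installer log in the description.
ANACONDA_LOG = """\
19:15:49,702 WARNING org.fedoraproject.Anaconda.Modules.Storage:DEBUG:blivet:escrow: escrow_volume start for /dev/sda2
19:15:52,388 WARNING org.fedoraproject.Anaconda.Modules.Storage:WARNING:py.warnings:/usr/lib64/python3.6/site-packages/gi/overrides/BlockDev.py:253: Warning: GError set over the top of a previous GError or uninitialized memory.
19:15:52,388 WARNING org.fedoraproject.Anaconda.Modules.Storage:The overwriting error message was: Failed to get escrow data
19:15:52,389 WARNING org.fedoraproject.Anaconda.Modules.Storage:Fatal Python error: Segmentation fault
"""

# Sample input, abridged from the test run against libblockdev-2.28-2.el8.
FIXED_LOG = """\
GLib.GError: g-bd-crypto-error-quark: Failed to get escrow data: security library: received bad data. (12)
"""

if __name__ == "__main__":
    print(classify_escrow_failure(ANACONDA_LOG))
    print(classify_escrow_failure(FIXED_LOG))
```

A verdict of `escrow-error` means the libblockdev crash is gone but escrow packet creation still fails, which this report tracks separately under volume_key.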

Comment 11 errata-xmlrpc 2023-05-16 08:16:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libblockdev bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2755