Bug 2142660 - using --escrowcert with LUKS and FIPS results in segfault
Summary: using --escrowcert with LUKS and FIPS results in segfault
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libblockdev
Version: 8.6
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Vojtech Trefny
QA Contact: guazhang@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 2143223
Reported: 2022-11-14 19:28 UTC by Lark Gordon
Modified: 2023-05-16 08:53 UTC (History)

Fixed In Version: libblockdev-2.28-2.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2143223 2143226
Environment:
Last Closed: 2023-05-16 08:16:22 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-139324 0 None None None 2022-11-14 19:30:54 UTC
Red Hat Product Errata RHBA-2023:2755 0 None None None 2023-05-16 08:16:26 UTC

Description Lark Gordon 2022-11-14 19:28:57 UTC
Description of problem:
When installing a new RHEL 8 system using the following partitioning scheme: 
----------------------------------
autopart --type=lvm --encrypted --luks-version=luks2 --passphrase=XXXXX --escrowcert=http://XXXXX/escrow-ca.crt --backuppassphrase
----------------------------------

installation fails with: 
----------------------------------
19:15:49,702 WARNING org.fedoraproject.Anaconda.Modules.Storage:DEBUG:blivet:escrow: escrow_volume start for /dev/sda2
19:15:52,388 WARNING org.fedoraproject.Anaconda.Modules.Storage:WARNING:py.warnings:/usr/lib64/python3.6/site-packages/gi/overrides/BlockDev.py:253: Warning: GError set over the top of a previous GError or uninitialized memory.
19:15:52,388 WARNING org.fedoraproject.Anaconda.Modules.Storage:This indicates a bug in someone's code. You must ensure an error is NULL before it's set.
19:15:52,388 WARNING org.fedoraproject.Anaconda.Modules.Storage:The overwriting error message was: Failed to get escrow data
19:15:52,388 WARNING org.fedoraproject.Anaconda.Modules.Storage:  return _crypto_escrow_device(device, passphrase, cert_data, directory, backup_passphrase)
19:15:52,389 WARNING org.fedoraproject.Anaconda.Modules.Storage:Fatal Python error: Segmentation fault
----------------------------------

Version-Release number of selected component (if applicable):
RHEL 8.6

How reproducible:
Every time

Steps to Reproduce:
1. Create an escrow cert: 
--------------------------------
# openssl req -newkey rsa:4096 -keyout escrow-ca.key -nodes \
   -x509 -days 7300 \
   -out escrow-ca.crt \
   -subj '/C=US/ST=State/L=City/O=Org/OU=Red Hat/emailAddress=lark/CN=example.com'
--------------------------------
2. Configure a kickstart which uses the cert, for example:
----------------------------------
autopart --type=lvm --encrypted --luks-version=luks2 --passphrase=XXXXX --escrowcert=http://XXXXX/escrow-ca.crt --backuppassphrase
----------------------------------
3. Attempt to install a new RHEL 8 server with FIPS enabled using the kickstart.

*NOTE: Able to reproduce with luks-version=luks2 and luks-version=luks1

Actual results:
Installation fails with traceback and segfault

Expected results:
Should be able to install a system with luks encryption, a backup passphrase, and FIPS enabled.

Additional info:
Attaching installation logs from a failed install. 

Issue is NOT reproducible if fips is not enabled.

Comment 3 Vojtech Trefny 2022-11-15 12:19:43 UTC
There is definitely a bug in libblockdev code, so I am moving this to libblockdev. But the segfault happens in an error path, so there probably is a different issue with the volume key + FIPS installation, probably in libvolume_key, but I can report a new bug when I have the libblockdev fix ready for testing.

Comment 4 Vojtech Trefny 2022-11-16 11:56:16 UTC
upstream PR: https://github.com/storaged-project/libblockdev/pull/816

Note that this only fixes the segfault caused by libblockdev; the installation will still fail when creating the escrow packet with "security library: received bad data." I will clone this bug to volume_key to track this separately.
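
The warning in the installation log, "GError set over the top of a previous GError or uninitialized memory", is GLib's diagnostic for a violated out-parameter contract: a function may only store into `*error` while it is NULL, so a caller that ignores one failure and keeps going, or that passes an uninitialised pointer, ends up executing an error path the code never planned for. The block below is an added example, not code from libblockdev or the linked pull request. It models that contract with a small stand-in for GError so it builds without glib, and the two-step escrow flow (step names, error codes and messages) is constructed for illustration; the fixed variant shows the check that keeps the error path consistent.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for GLib's GError so the example builds without glib.
 * It copies the one rule that matters here: a function reporting failure
 * through `Err **error` may only set it while *error is NULL.
 * Assumption: all names, codes and messages below are constructed. */
typedef struct {
    int code;
    char *message;
} Err;

/* Counts contract violations; GLib prints the warning quoted in the bug
 * report ("GError set over the top of a previous GError ...") here. */
static int overwrite_warnings = 0;

/* Mirrors g_set_error(): ignores a NULL `error`; if *error is already set,
 * warns and discards the NEW error, keeping the old one. */
static void set_error(Err **error, int code, const char *message)
{
    if (error == NULL)
        return;
    if (*error != NULL) {
        overwrite_warnings++;
        fprintf(stderr, "warning: error set over a previous error (new: %s)\n", message);
        return;
    }
    Err *e = malloc(sizeof *e);
    e->code = code;
    e->message = strdup(message);
    *error = e;
}

/* Mirrors g_clear_error(): frees *error and resets it to NULL. */
static void clear_error(Err **error)
{
    if (error == NULL || *error == NULL)
        return;
    free((*error)->message);
    free(*error);
    *error = NULL;
}

/* Step 1: obtain key material for the escrow packet. `crypto_ok` models
 * whether the crypto back end accepts the request (in the report it does
 * not in FIPS mode). Returns NULL and sets *error on failure. */
static char *step_get_escrow_data(bool crypto_ok, Err **error)
{
    if (!crypto_ok) {
        set_error(error, 12, "Failed to get escrow data: security library: received bad data.");
        return NULL;
    }
    return strdup("constructed-escrow-key-material");
}

/* Step 2: write the escrow packet; fails if step 1 produced nothing. */
static bool step_write_packet(const char *key, Err **error)
{
    if (key == NULL) {
        set_error(error, 1, "No key material for escrow packet");
        return false;
    }
    return true;
}

/* Buggy: step 1's result is not checked, so on failure step 2 runs anyway
 * and tries to set *error a second time (the warning from the log). */
static bool escrow_buggy(bool crypto_ok, Err **error)
{
    char *key = step_get_escrow_data(crypto_ok, error);  /* NULL not checked */
    bool ok = step_write_packet(key, error);             /* second set_error */
    free(key);
    return ok;
}

/* Fixed: stop at the first failure; *error already says why. */
static bool escrow_fixed(bool crypto_ok, Err **error)
{
    char *key = step_get_escrow_data(crypto_ok, error);
    if (key == NULL)
        return false;
    bool ok = step_write_packet(key, error);
    free(key);
    return ok;
}

typedef struct {
    bool ok;        /* return value of the escrow function */
    int warnings;   /* contract violations raised during the call */
    int code;       /* error code the caller ends up with, 0 if none */
} Outcome;

/* Runs one variant from a clean state. The `= NULL` is the other half of
 * the contract: an uninitialised pointer here is the "or uninitialized
 * memory" case, and freeing it in clear_error() is how an error path turns
 * into heap corruption or a segfault. */
static Outcome run_variant(bool (*fn)(bool, Err **), bool crypto_ok)
{
    Err *err = NULL;
    overwrite_warnings = 0;
    Outcome out = { false, 0, 0 };
    out.ok = fn(crypto_ok, &err);
    out.warnings = overwrite_warnings;
    out.code = (err != NULL) ? err->code : 0;
    clear_error(&err);
    return out;
}

int main(void)
{
    Outcome b = run_variant(escrow_buggy, false);
    Outcome f = run_variant(escrow_fixed, false);
    printf("buggy: ok=%d warnings=%d code=%d\n", b.ok, b.warnings, b.code);
    printf("fixed: ok=%d warnings=%d code=%d\n", f.ok, f.warnings, f.code);
    return 0;
}
```

Both variants report the same error code to the caller in the failing case, which is why this class of bug is easy to miss in tests that only look at the returned error; the difference shows up as the warning counter, or, with real uninitialised memory, as the crash the reporter saw.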

Comment 7 guazhang@redhat.com 2022-12-01 05:12:57 UTC
Hi

# fips-mode-setup --check
FIPS mode is enabled.

libblockdev-2.28-1.el8.x86_64

[root@storageqe-25 libblockdev-2.28]# python3 tests/run_tests.py crypto_test.CryptoTestEscrow.test_backup_passphrase -i
/root/rpmbuild/BUILD/libblockdev-2.28/tests/crypto_test.py:13: PyGIWarning: BlockDev was imported without specifying a version first. Use gi.require_version('BlockDev', '2.0') before import to ensure that the right version gets loaded.
  from gi.repository import BlockDev, GLib
test_backup_passphrase (crypto_test.CryptoTestEscrow)
Verify that a backup passphrase can be created for a device ... 

Generating key.  This may take a few moments...

/usr/lib64/python3.6/site-packages/gi/overrides/BlockDev.py:253: Warning: GError set over the top of a previous GError or uninitialized memory.
This indicates a bug in someone's code. You must ensure an error is NULL before it's set.
The overwriting error message was: Failed to get escrow data
  return _crypto_escrow_device(device, passphrase, cert_data, directory, backup_passphrase)
malloc_consolidate(): unaligned fastbin chunk detected
Aborted (core dumped)

libblockdev-2.28-2.el8.x86_64
[root@storageqe-25 libblockdev-2.28]# python3 tests/run_tests.py crypto_test.CryptoTestEscrow.test_backup_passphrase -i
/root/rpmbuild/BUILD/libblockdev-2.28/tests/crypto_test.py:13: PyGIWarning: BlockDev was imported without specifying a version first. Use gi.require_version('BlockDev', '2.0') before import to ensure that the right version gets loaded.
  from gi.repository import BlockDev, GLib
test_backup_passphrase (crypto_test.CryptoTestEscrow)
Verify that a backup passphrase can be created for a device ... 

Generating key.  This may take a few moments...

ERROR

======================================================================
ERROR: test_backup_passphrase (crypto_test.CryptoTestEscrow)
Verify that a backup passphrase can be created for a device
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/rpmbuild/BUILD/libblockdev-2.28/tests/crypto_test.py", line 722, in test_backup_passphrase
    escrow_dir, backup_passphrase)
  File "/usr/lib64/python3.6/site-packages/gi/overrides/BlockDev.py", line 253, in crypto_escrow_device
    return _crypto_escrow_device(device, passphrase, cert_data, directory, backup_passphrase)
GLib.GError: g-bd-crypto-error-quark: Failed to get escrow data: security library: received bad data. (12)

----------------------------------------------------------------------
Ran 1 test in 16.693s

FAILED (errors=1)
[root@storageqe-25 libblockdev-2.28]#

Comment 11 errata-xmlrpc 2023-05-16 08:16:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libblockdev bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2755

