This is currently causing failures on my system in anything that has USE=secureboot: andrew-gentoo-pc ~ # sbsign --engine pkcs11 --key 'pkcs11:model=PKCS%2315%20emulated;manufacturer=ZeitControl;serial=00050000ae4c;token=OpenPGP%20card%20%28User%20PIN%29;id=%03' --cert /boot/cert.pem --output /tmp/test.efi /tmp/portage/sys-kernel/gentoo-kernel-6.5.9/image/usr/src/linux-6.5.9-gentoo-dist/arch/x86/boot/bzImage Enter engine key pass phrase: zsh: segmentation fault sbsign --engine pkcs11 --key --cert /boot/cert.pem --output /tmp/test.efi
(gdb) run Starting program: /usr/bin/sbsign --engine pkcs11 --key pkcs11:model=PKCS%2315%20emulated\;manufacturer=ZeitControl\;serial=00050000ae4c\;token=OpenPGP%20card%20%28User%20PIN%29\;id=%03 --cert /boot/cert.pem --output /tmp/test.efi /tmp/portage/sys-kernel/gentoo-kernel-6.5.9/image/usr/src/linux-6.5.9-gentoo-dist/arch/x86/boot/bzImage [Thread debugging using libthread_db enabled] Using host libthread_db library "/usr/lib64/libthread_db.so.1". Enter engine key pass phrase: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7fb5375 in ?? () from /usr/lib64/engines-3/pkcs11.so (gdb) backtrace #0 0x00007ffff7fb5375 in ?? () from /usr/lib64/engines-3/pkcs11.so #1 0x00007ffff7fb545c in ?? () from /usr/lib64/engines-3/pkcs11.so #2 0x00007ffff7fb5560 in ?? () from /usr/lib64/engines-3/pkcs11.so #3 0x00007ffff7fb7e5b in ?? () from /usr/lib64/engines-3/pkcs11.so #4 0x00007ffff7fb87b3 in ?? () from /usr/lib64/engines-3/pkcs11.so #5 0x00007ffff7fb72f2 in ?? () from /usr/lib64/engines-3/pkcs11.so #6 0x00007ffff7fb841f in ?? () from /usr/lib64/engines-3/pkcs11.so #7 0x00007ffff7fb84a4 in ?? () from /usr/lib64/engines-3/pkcs11.so #8 0x00007ffff7cf59ed in RSA_sign () from /usr/lib64/libcrypto.so.3 #9 0x00007ffff7cf429e in ?? () from /usr/lib64/libcrypto.so.3 #10 0x00007ffff7be0ede in EVP_DigestSignFinal () from /usr/lib64/libcrypto.so.3 #11 0x00007ffff7cd57e8 in PKCS7_SIGNER_INFO_sign () from /usr/lib64/libcrypto.so.3 #12 0x00007ffff7cd5a62 in PKCS7_dataFinal () from /usr/lib64/libcrypto.so.3 #13 0x00005555555581b0 in ?? () #14 0x000055555555795e in ?? () #15 0x00007ffff784cf0a in ?? () from /usr/lib64/libc.so.6 #16 0x00007ffff784cfc5 in __libc_start_main () from /usr/lib64/libc.so.6 #17 0x0000555555557c11 in ?? () Will make a proper backtrace with debug info later.
(gdb) run Starting program: /usr/bin/sbsign --engine pkcs11 --key pkcs11:model=PKCS%2315%20emulated\;manufacturer=ZeitControl\;serial=00050000ae4c\;token=OpenPGP%20card%20%28User%20PIN%29\;id=%03 --cert /boot/cert.pem --output /tmp/test.efi /tmp/portage/sys-kernel/gentoo-kernel-6.5.9/image/usr/src/linux-6.5.9-gentoo-dist/arch/x86/boot/bzImage [Thread debugging using libthread_db enabled] Using host libthread_db library "/usr/lib64/libthread_db.so.1". Enter engine key pass phrase: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7fb5375 in pkcs11_getattr_var (ctx=ctx@entry=0x5fffbc54da182a88, session=session@entry=17, object=object@entry=93891482819376, type=type@entry=288, value=value@entry=0x0, size=size@entry=0x7fffffffca90) at p11_attr.c:46 46 p11_attr.c: No such file or directory. (gdb) backtrace #0 0x00007ffff7fb5375 in pkcs11_getattr_var (ctx=ctx@entry=0x5fffbc54da182a88, session=session@entry=17, object=object@entry=93891482819376, type=type@entry=288, value=value@entry=0x0, size=size@entry=0x7fffffffca90) at p11_attr.c:46 #1 0x00007ffff7fb545c in pkcs11_getattr_alloc (ctx=ctx@entry=0x5fffbc54da182a88, session=17, object=object@entry=93891482819376, type=type@entry=288, value=value@entry=0x7fffffffcae8, size=size@entry=0x7fffffffcaf0) at p11_attr.c:66 #2 0x00007ffff7fb5560 in pkcs11_getattr_bn (ctx=ctx@entry=0x5fffbc54da182a88, session=<optimized out>, object=object@entry=93891482819376, type=type@entry=288, bn=bn@entry=0x7fffffffcb20) at p11_attr.c:92 #3 0x00007ffff7fb7e5b in pkcs11_get_rsa (key=0x555555587aa0) at p11_rsa.c:197 #4 0x00007ffff7fb87b3 in pkcs11_get_evp_key_rsa (key=0x555555587aa0) at p11_rsa.c:265 #5 0x00007ffff7fb72f2 in pkcs11_get_key (key0=key0@entry=0x555555587aa0, object_class=<optimized out>) at p11_key.c:450 #6 0x00007ffff7fb841f in pkcs11_rsa (key=key@entry=0x555555587aa0) at p11_rsa.c:34 #7 pkcs11_get_key_size (key=key@entry=0x555555587aa0) at p11_rsa.c:332 #8 0x00007ffff7fb84a4 in pkcs11_private_encrypt (flen=51, from=0x5555555a2d70 "010\r\006\t`\206H\001e\003\004\002\001\005", to=0x555555563ee0 "cUUU\005", key=0x555555587aa0, padding=1) at p11_rsa.c:91 #9 0x00007ffff7cf59ed in RSA_sign (type=<optimized out>, m=m@entry=0x7fffffffd050 "\343H\177\222O\a~\217\252Sl\335\337Еڇ\326\3004\316\200~\320ƌ\307\372\f\361I\037 )ZUUU", m_len=m_len@entry=32, sigret=sigret@entry=0x555555563ee0 "cUUU\005", siglen=siglen@entry=0x7fffffffcfe4, rsa=rsa@entry=0x555555587d80) at ../openssl-3.1.4/crypto/rsa/rsa_sign.c:309 #10 0x00007ffff7cf429e in pkey_rsa_sign (ctx=0x555555563480, sig=0x555555563ee0 "cUUU\005", siglen=0x7fffffffd0f0, tbs=0x7fffffffd050 "\343H\177\222O\a~\217\252Sl\335\337Еڇ\326\3004\316\200~\320ƌ\307\372\f\361I\037 )ZUUU", tbslen=32) at ../openssl-3.1.4/crypto/rsa/rsa_pmeth.c:176 #11 0x00007ffff7be0ede in EVP_DigestSignFinal (ctx=ctx@entry=0x5555555a2810, --Type <RET> for more, q to quit, c to continue without paging--c sigret=0x555555563ee0 "cUUU\005", siglen=siglen@entry=0x7fffffffd0f0) at ../openssl-3.1.4/crypto/evp/m_sigver.c:553 #12 0x00007ffff7cd57e8 in PKCS7_SIGNER_INFO_sign (si=si@entry=0x55555559b6e0) at ../openssl-3.1.4/crypto/pkcs7/pk7_doit.c:945 #13 0x00007ffff7cd5a62 in do_pkcs7_signed_attrib (mctx=<optimized out>, si=0x55555559b6e0) at ../openssl-3.1.4/crypto/pkcs7/pk7_doit.c:721 #14 PKCS7_dataFinal (p7=0x555555586c10, bio=0x55555559b730) at ../openssl-3.1.4/crypto/pkcs7/pk7_doit.c:843 #15 0x00005555555581b0 in ?? () #16 0x000055555555795e in ?? () #17 0x00007ffff784cf0a in ?? () from /usr/lib64/libc.so.6 #18 0x00007ffff784cfc5 in __libc_start_main () from /usr/lib64/libc.so.6 #19 0x0000555555557c11 in ?? ()
The problem is introduced in openssl-3.1.4, downgrading to openssl-3.1.3 resolves the segfault.
There's https://github.com/openssl/openssl/issues/22508 too...
Signing with a regular key works fine, so the problem is specific to libp11.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=794bb500c772272eddaf96765df66838bf5a56d6 commit 794bb500c772272eddaf96765df66838bf5a56d6 Author: Andrew Ammerlaan <andrewammerlaan@gentoo.org> AuthorDate: 2023-10-27 13:02:44 +0000 Commit: Andrew Ammerlaan <andrewammerlaan@gentoo.org> CommitDate: 2023-10-27 13:04:53 +0000 dev-libs/libp11: temporarily restrict to <dev-libs/openssl-3.1.4 Bug: https://bugs.gentoo.org/916328 Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org> .../{libp11-0.4.12-r3.ebuild => libp11-0.4.12-r4.ebuild} | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-)
Andrew: I don't see how libp11 is involved here. None of the symbols in your backtrace appear to be from that library. Could you please elaborate on your reasoning here?
Oh, I guess they are non-public symbols from the OpenSSL plugin installed by libp11 (/usr/lib64/engines-3/pkcs11.so).
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fc967d99bab80dad3fd013b2184954fba9597293 commit fc967d99bab80dad3fd013b2184954fba9597293 Author: Andrew Ammerlaan <andrewammerlaan@gentoo.org> AuthorDate: 2024-01-02 18:50:35 +0000 Commit: Andrew Ammerlaan <andrewammerlaan@gentoo.org> CommitDate: 2024-01-02 18:52:43 +0000 dev-libs/libp11: fixup openssl version restrictions it breaks with 4 and up of the 3.1 series and with version 12 and up of the 3.0 series the recent removal of 3.1.3 broke things again on my system when openssl was downgraded to 3.0.12, downgrading again to 3.0.11 fixes the problem again. Bug: https://bugs.gentoo.org/916328 Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org> .../{libp11-0.4.12-r4.ebuild => libp11-0.4.12-r5.ebuild} | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d9f0cf25f1b992278cea5dacc29f54a03cd45bb commit 1d9f0cf25f1b992278cea5dacc29f54a03cd45bb Author: Sam James <sam@gentoo.org> AuthorDate: 2024-02-01 16:42:00 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-02-01 16:45:56 +0000 dev-libs/openssl: backport libp11 segfault fix/workaround to 3.1.5-r1, 3.2.1-r1 Bug: https://bugs.gentoo.org/916328 Signed-off-by: Sam James <sam@gentoo.org> .../openssl/files/openssl-3.1.5-p11-segfault.patch | 78 ++++++ .../openssl/files/openssl-3.2.1-p11-segfault.patch | 79 ++++++ dev-libs/openssl/openssl-3.1.5-r1.ebuild | 285 +++++++++++++++++++ dev-libs/openssl/openssl-3.2.1-r1.ebuild | 304 +++++++++++++++++++++ 4 files changed, 746 insertions(+)
The deps still need adjusting in libp11 which Andrew is going to handle tomorrow morning. Maybe we should wait until stable is fixed before closing too.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=358fcf2c875fef243ab1670c996749a793463c90 commit 358fcf2c875fef243ab1670c996749a793463c90 Author: Andrew Ammerlaan <andrewammerlaan@gentoo.org> AuthorDate: 2024-02-02 06:35:56 +0000 Commit: Andrew Ammerlaan <andrewammerlaan@gentoo.org> CommitDate: 2024-02-02 06:37:56 +0000 dev-libs/libp11: update allowed versions of openssl The underlying issue in openssl has been fixed in 3.1.5-r1+ and 3.2.1-r1+ Bug: https://bugs.gentoo.org/916328 Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org> .../{libp11-0.4.12-r5.ebuild => libp11-0.4.12-r6.ebuild} | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0626b571d9c2a3f6774d5cf929e80b325e571a38 commit 0626b571d9c2a3f6774d5cf929e80b325e571a38 Author: Sam James <sam@gentoo.org> AuthorDate: 2024-04-15 08:12:52 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-04-15 08:16:46 +0000 dev-libs/openssl: backport libp11 segfault fix to 3.0.13 too Bug: https://bugs.gentoo.org/916328 Signed-off-by: Sam James <sam@gentoo.org> .../files/openssl-3.0.13-p11-segfault.patch | 79 ++++++ dev-libs/openssl/openssl-3.0.13-r2.ebuild | 283 +++++++++++++++++++++ 2 files changed, 362 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=32e186395feea86d289dc5f5601e334e2f32aff8 commit 32e186395feea86d289dc5f5601e334e2f32aff8 Author: Andrew Ammerlaan <andrewammerlaan@gentoo.org> AuthorDate: 2024-04-15 09:40:13 +0000 Commit: Andrew Ammerlaan <andrewammerlaan@gentoo.org> CommitDate: 2024-04-15 09:40:13 +0000 dev-libs/libp11: adjust blockers allow 3.0.13-r2 Bug: https://bugs.gentoo.org/916328 Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org> .../libp11/{libp11-0.4.12-r6.ebuild => libp11-0.4.12-r7.ebuild} | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-)