[Xen-devel] [ovmf baseline-only test] 74601: trouble: blocked/broken
This run is configured for baseline tests only.

flight 74601 ovmf real [real]
http://osstest.xs.citrite.net/~osstest/testlogs/logs/74601/

Failures and problems with tests :-(

Tests which did not succeed and are blocking,
including tests which could not be run:
 build-amd64-xsm      <job status>   broken
 build-i386           <job status>   broken
 build-amd64-pvops    <job status>   broken
 build-i386-xsm       <job status>   broken
 build-amd64          <job status>   broken
 build-i386-pvops     <job status>   broken

Tests which did not succeed, but are not blocking:
 test-amd64-amd64-xl-qemuu-ovmf-amd64  1 build-check(1)   blocked n/a
 build-amd64-libvirt                   1 build-check(1)   blocked n/a
 test-amd64-i386-xl-qemuu-ovmf-amd64   1 build-check(1)   blocked n/a
 build-i386-libvirt                    1 build-check(1)   blocked n/a
 build-amd64-xsm                       4 host-install(4)  broken baseline untested
 build-amd64                           4 host-install(4)  broken baseline untested
 build-amd64-pvops                     4 host-install(4)  broken baseline untested
 build-i386                            4 host-install(4)  broken baseline untested
 build-i386-xsm                        4 host-install(4)  broken baseline untested
 build-i386-pvops                      4 host-install(4)  broken baseline untested

version targeted for testing:
 ovmf                 2167c7f7a55b9964912d08aae71879357101ace1
baseline version:
 ovmf                 54ec85dd2902bd5dee39106d5291f71088b7d85a

Last test of basis    74595  2018-04-13 17:56:39 Z    0 days
Testing same since    74601  2018-04-14 00:18:54 Z    0 days    1 attempts

------------------------------------------------------------
People who touched revisions under test:
  Gary Lin <glin@xxxxxxxx>
  Laszlo Ersek <lersek@xxxxxxxxxx>

jobs:
 build-amd64-xsm                         broken
 build-i386-xsm                          broken
 build-amd64                             broken
 build-i386                              broken
 build-amd64-libvirt                     blocked
 build-i386-libvirt                      blocked
 build-amd64-pvops                       broken
 build-i386-pvops                        broken
 test-amd64-amd64-xl-qemuu-ovmf-amd64    blocked
 test-amd64-i386-xl-qemuu-ovmf-amd64     blocked

------------------------------------------------------------
sg-report-flight on osstest.xs.citrite.net
logs: /home/osstest/logs
images: /home/osstest/images

Logs, config files, etc.
are available at
    http://osstest.xs.citrite.net/~osstest/testlogs/logs

Test harness code can be found at
    http://xenbits.xensource.com/gitweb?p=osstest.git;a=summary

broken-job build-amd64-xsm broken
broken-job build-i386 broken
broken-job build-amd64-pvops broken
broken-job build-i386-xsm broken
broken-job build-amd64 broken
broken-job build-i386-pvops broken
broken-step build-amd64-xsm host-install(4)
broken-step build-amd64 host-install(4)
broken-step build-amd64-pvops host-install(4)
broken-step build-i386 host-install(4)
broken-step build-i386-xsm host-install(4)
broken-step build-i386-pvops host-install(4)

Push not applicable.

------------------------------------------------------------
commit 2167c7f7a55b9964912d08aae71879357101ace1
Author: Laszlo Ersek <lersek@xxxxxxxxxx>
Date:   Sat Mar 31 17:33:14 2018 +0200

    CryptoPkg/TlsLib: rewrite TlsSetCipherList()

    Rewrite the TlsSetCipherList() function in order to fix the following
    issues:

    - Any cipher identifier in CipherId that is not recognized by
      TlsGetCipherMapping() will cause the function to return
      EFI_UNSUPPORTED. This is a problem because CipherId is an ordered
      preference list, and a caller should not get EFI_UNSUPPORTED just
      because it has an elaborate CipherId preference list. Instead, we can
      filter out cipher identifiers that we don't recognize, as long as we
      keep the relative order intact.

    - CipherString is allocated on the stack, with 500 bytes. While
      processing a large CipherId preference list, this room may not be
      enough. Although no buffer overflow is possible, CipherString
      exhaustion can lead to a failed TLS connection, because any cipher
      names that don't fit on CipherString cannot be negotiated. Compute
      CipherStringSize first, and allocate CipherString dynamically.

    - Finally, the "@STRENGTH" pseudo cipher name is appended to
      CipherString. (Assuming there is enough room left in CipherString.)
      This causes OpenSSL to sort the cipher list "in order of encryption
      algorithm key length". This is a bad idea.
      The caller specifically passes an ordered preference list in
      CipherId. Therefore TlsSetCipherList() must not ask OpenSSL to
      reorder the list, for any reason. Drop "@STRENGTH".

    While at it, fix and unify the documentation of the CipherId parameter.

    Cc: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>
    Cc: Qin Long <qin.long@xxxxxxxxx>
    Cc: Siyuan Fu <siyuan.fu@xxxxxxxxx>
    Cc: Ting Ye <ting.ye@xxxxxxxxx>
    Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
    Reviewed-by: Long Qin <qin.long@xxxxxxxxx>
    Reviewed-by: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>

commit a347b0897384a2af6605bdd19a7740972b73f1e7
Author: Laszlo Ersek <lersek@xxxxxxxxxx>
Date:   Sat Mar 31 22:25:15 2018 +0200

    CryptoPkg/TlsLib: sanitize lib classes in internal header and INF

    "InternalTlsLib.h" includes "BaseCryptLib.h", but the lib class is not
    listed in the INF file.

    The INF file lists a good number of lib classes, but none of the lib
    class headers are included by "InternalTlsLib.h".

    Synchronize & sort both lists, while removing those library classes that
    aren't actually needed. (IntrinsicLib and OpensslLib have no edk2 class
    headers.)

    Cc: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>
    Cc: Qin Long <qin.long@xxxxxxxxx>
    Cc: Siyuan Fu <siyuan.fu@xxxxxxxxx>
    Cc: Ting Ye <ting.ye@xxxxxxxxx>
    Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
    Reviewed-by: Long Qin <qin.long@xxxxxxxxx>
    Reviewed-by: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>

commit 96015d5fc51f6c81902a212662c73b512b0c8535
Author: Laszlo Ersek <lersek@xxxxxxxxxx>
Date:   Sun Apr 1 11:51:46 2018 +0200

    CryptoPkg/TlsLib: pre-compute OpensslCipherLength in TlsCipherMappingTable

    In the next patches, we'll need the lengths of the
    TLS_CIPHER_MAPPING.OpensslCipher string fields.
    These lengths can be computed at build time; add the new field
    "OpensslCipherLength", and introduce the MAP() macro for populating it.

    While at it, add some horizontal whitespace to "TlsCipherMappingTable",
    and add a comma after the last element. This will come handy in a later
    patch.

    (The patch does not change the first two columns of
    "TlsCipherMappingTable", which can be easily verified with
    "git show --word-diff".)

    Cc: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>
    Cc: Qin Long <qin.long@xxxxxxxxx>
    Cc: Siyuan Fu <siyuan.fu@xxxxxxxxx>
    Cc: Ting Ye <ting.ye@xxxxxxxxx>
    Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
    Reviewed-by: Long Qin <qin.long@xxxxxxxxx>
    Reviewed-by: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>

commit 5eadb54e26e239429e8b4fe18897781f2321738a
Author: Laszlo Ersek <lersek@xxxxxxxxxx>
Date:   Sat Mar 31 17:06:39 2018 +0200

    CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping() function

    Improve the performance of the TlsGetCipherMapping() function by adopting
    the binary search from DhcpFindOptionFormat()
    [MdeModulePkg/Universal/Network/Dhcp4Dxe/Dhcp4Option.c].

    Cc: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>
    Cc: Qin Long <qin.long@xxxxxxxxx>
    Cc: Siyuan Fu <siyuan.fu@xxxxxxxxx>
    Cc: Ting Ye <ting.ye@xxxxxxxxx>
    Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
    Reviewed-by: Long Qin <qin.long@xxxxxxxxx>
    Reviewed-by: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>

commit ecfd37ba1bfe0aacfd4c234013a8aa77811f8b80
Author: Laszlo Ersek <lersek@xxxxxxxxxx>
Date:   Sun Apr 1 12:53:23 2018 +0200

    CryptoPkg/TlsLib: replace TlsGetCipherString() with TlsGetCipherMapping()

    In the following patches it will be useful if the IANA CipherId lookup
    returns a pointer to the whole matching IANA-to-OpenSSL mapping
    structure, not just the OpenSSL cipher suite name.
    Rename TLS_CIPHER_PAIR and TlsGetCipherString() to TLS_CIPHER_MAPPING
    and TlsGetCipherMapping() respectively, and make the function return a
    pointer to TLS_CIPHER_MAPPING.

    Cc: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>
    Cc: Qin Long <qin.long@xxxxxxxxx>
    Cc: Siyuan Fu <siyuan.fu@xxxxxxxxx>
    Cc: Ting Ye <ting.ye@xxxxxxxxx>
    Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
    Reviewed-by: Long Qin <qin.long@xxxxxxxxx>
    Reviewed-by: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>

commit b1c81b6ec3dc3776ffbe8bcc37b1049afcabd24f
Author: Laszlo Ersek <lersek@xxxxxxxxxx>
Date:   Sat Mar 31 16:36:39 2018 +0200

    NetworkPkg/TlsDxe: clean up byte order conversion for EfiTlsCipherList

    Fix the following style issues:

    - "Data" is accessed through a pointer to UINT16 rather than to a pointer
      to EFI_TLS_CIPHER. While technically correct, UINT16 is harder to
      interpret against the UEFI spec.

    - Array subscripting is written with weird *(Pointer + Offset)
      expressions, rather than with Pointer[Offset].

    - The byte order is converted with HTONS(), while it should be NTOHS().
      Either way, use the Data1 and Data2 fields of EFI_TLS_CIPHER instead.

    Cc: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>
    Cc: Siyuan Fu <siyuan.fu@xxxxxxxxx>
    Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
    Reviewed-by: Fu Siyuan <siyuan.fu@xxxxxxxxx>
    Reviewed-by: Long Qin <qin.long@xxxxxxxxx>
    Reviewed-by: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>

commit 44eb974081ce6abb98fb82ec35b77d790f48dda3
Author: Laszlo Ersek <lersek@xxxxxxxxxx>
Date:   Sat Mar 31 16:04:10 2018 +0200

    NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList

    TlsSetSessionData() shouldn't just ignore an incomplete EFI_TLS_CIPHER
    element at the end of "Data":

    - Generally speaking, malformed input for a security API is best
      rejected explicitly.
    - Specifically speaking, the size of EFI_TLS_CIPHER is 2 bytes. If
      DataSize is 1 on input, then the initial check for (DataSize == 0)
      will fail, but then TlsSetCipherList() will be called with
      CipherNum=0.

    Return EFI_INVALID_PARAMETER from TlsSetSessionData() if "Data" doesn't
    contain a whole number of EFI_TLS_CIPHER elements. While at it,
    introduce the dedicated variable CipherCount.

    Cc: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>
    Cc: Siyuan Fu <siyuan.fu@xxxxxxxxx>
    Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
    Reviewed-by: Fu Siyuan <siyuan.fu@xxxxxxxxx>
    Reviewed-by: Long Qin <qin.long@xxxxxxxxx>
    Reviewed-by: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>

commit 344d057a2b539cf34420e2afad2351b45c65178e
Author: Laszlo Ersek <lersek@xxxxxxxxxx>
Date:   Sat Mar 31 16:20:37 2018 +0200

    MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC

    The structures defined in RFC 5246 are not to have any padding between
    fields or at the end; use the "pack" pragma as necessary.

    Cc: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>
    Cc: Liming Gao <liming.gao@xxxxxxxxx>
    Cc: Michael D Kinney <michael.d.kinney@xxxxxxxxx>
    Cc: Siyuan Fu <siyuan.fu@xxxxxxxxx>
    Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=915
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
    Reviewed-by: Fu Siyuan <siyuan.fu@xxxxxxxxx>
    Reviewed-by: Long Qin <qin.long@xxxxxxxxx>
    Reviewed-by: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>

commit ba9c8a8ccbb79697509cba482f9d7b9e8526c7e2
Author: Laszlo Ersek <lersek@xxxxxxxxxx>
Date:   Sun Apr 1 01:27:43 2018 +0200

    OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot

    Read the list of trusted cipher suites from fw_cfg and to store it to
    EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE.

    The fw_cfg file will be formatted by the "update-crypto-policies" utility
    on the host side, so that the host settings take effect in guest HTTPS
    boot as well.
    QEMU forwards the file intact to the firmware. The contents are
    forwarded by NetworkPkg/HttpDxe (in TlsConfigCipherList()) to
    NetworkPkg/TlsDxe (TlsSetSessionData()) and TlsLib (TlsSetCipherList()).

    Note: the development of the "update-crypto-policies" feature is underway
    at this time. Meanwhile the following script can be used to generate the
    binary file for fw_cfg:

        export LC_ALL=C
        openssl ciphers -V \
        | sed -r -n \
             -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
        | xargs -r -- printf -- '%b' > ciphers.bin

    Cc: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
    Cc: Gary Ching-Pang Lin <glin@xxxxxxxx>
    Cc: Jordan Justen <jordan.l.justen@xxxxxxxxx>
    Contributed-under: TianoCore Contribution Agreement 1.1
    Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
    Reviewed-by: Gary Lin <glin@xxxxxxxx>
    Tested-by: Gary Lin <glin@xxxxxxxx>
    Reviewed-by: Long Qin <qin.long@xxxxxxxxx>
    Reviewed-by: Jiaxin Wu <jiaxin.wu@xxxxxxxxx>
    [lersek@xxxxxxxxxx: update commit msg and add script as requested by Gary]
    [lersek@xxxxxxxxxx: update commit msg as requested by Jiaxin]

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel