<div>Hi Daniel,</div>
<div> </div>
<div>Thanks for your explanation. </div>
<div> </div>
<div>>> So secmem is left enabled. This is not an issue on most distros, since they allow users to mlock<br>sufficient memory.</div>
<div> </div>
<div>I could not understand your above statement. Can you please explain it a bit more?</div>
<div> </div>
<div>Please let us know the place where we need to look into for the corresponding source code. We will try to provide a fix for it.</div>
<div> </div>
<div>To add more info, this works fine on our board with libvirt version 0.9.4. This is not working from libvirt 0.9.10.</div>
<div> </div>
<div>Thanks and Regards,</div>
<div>Shree Duth Awasthi.</div>
<div> </div>
<div>GDB full backtrace (if needed)</div>
<div> </div>
<div>(gdb) bt full<br>#0 0x00007f5adad0b005 in raise () from /lib64/libc.so.6<br>No symbol table info available.<br>#1 0x00007f5adad0de40 in abort () from /lib64/libc.so.6<br>No symbol table info available.<br>#2 0x00007f5adc4f4dc5 in _gcry_logv (level=50, fmt=0x7f5adc53b170 "operation is not possible without initialized secure memory\n",<br>
arg_ptr=0x7fff04a2a770) at misc.c:136<br>No locals.<br>#3 0x00007f5adc4f53d5 in _gcry_log_bug (fmt=0x67d6 <Address 0x67d6 out of bounds>) at misc.c:220<br> arg_ptr = {{gp_offset = 8, fp_offset = 48, overflow_arg_area = 0x7fff04a2a850, reg_save_area = 0x7fff04a2a790}}<br>
#4 0x00007f5adc4fa697 in _gcry_secmem_malloc_internal (size=<value optimized out>) at secmem.c:497<br> mb = <value optimized out><br>#5 0x00007f5adc4fa79c in _gcry_secmem_malloc (size=136) at secmem.c:522<br>
p = <value optimized out><br>#6 0x00007f5adc4f5a65 in do_malloc (n=26582, flags=<value optimized out>, mem=0x7fff04a2a8d0) at global.c:553<br> m = <value optimized out><br>#7 0x00007f5adc4f5aa9 in _gcry_malloc_secure (n=26582) at global.c:592<br>
---Type <return> to continue, or q <return> to quit---<br> mem = 0x0<br>#8 0x00007f5adc4f5b19 in _gcry_xmalloc_secure (n=136) at global.c:746<br>No locals.<br>#9 0x00007f5adc5385df in _gcry_mpi_alloc_limb_space (nlimbs=17, secure=26582) at mpiutil.c:92<br>
len = 26582<br>#10 0x00007f5adc53865f in _gcry_mpi_alloc_secure (nlimbs=17) at mpiutil.c:75<br>No locals.<br>#11 0x00007f5adc52525a in secret (output=0x2297d80, input=0x228ce80, skey=0x6) at rsa.c:365<br> m1 = <value optimized out><br>
m2 = <value optimized out><br> h = <value optimized out><br>#12 0x00007f5adc52545a in _gcry_rsa_sign (algo=<value optimized out>, resarr=0x228cfb0, data=0x228ce80, skey=<value optimized out>) at rsa.c:608<br>
sk = {n = 0x231b790, e = 0x231ddc0, d = 0x23100e0, p = 0x230fb10, q = 0x231dd50, u = 0x228c690}<br>#13 0x00007f5adc5011ef in pubkey_sign (r_sig=0x7fff04a2aac8, s_hash=<value optimized out>, s_skey=<value optimized out>) at pubkey.c:692<br>
module = <value optimized out><br> i = 32767<br>---Type <return> to continue, or q <return> to quit---<br>#14 _gcry_pk_sign (r_sig=0x7fff04a2aac8, s_hash=<value optimized out>, s_skey=<value optimized out>) at pubkey.c:1807<br>
skey = 0x22991c0<br> hash = 0x228ce80<br> result = 0x228cfb0<br> pubkey = <value optimized out><br> module = 0x224b890<br> algo_name = 0x7f5adc547967 "rsa"<br> algo_elems = 0x7f5adc547bd1 "s"<br>
i = <value optimized out><br> rc = <value optimized out><br> __PRETTY_FUNCTION__ = "_gcry_pk_sign"<br> __FUNCTION__ = "_gcry_pk_sign"<br>#15 0x00007f5adc79ef9c in _wrap_gcry_pk_sign (algo=GNUTLS_PK_RSA, signature=0x7fff04a2ab50, vdata=<value optimized out>, pk_params=0x7fff04a2ab70)<br>
at pk-libgcrypt.c:308<br> s_hash = 0x230f370<br> s_key = 0x2288680<br>---Type <return> to continue, or q <return> to quit---<br> s_sig = 0x0<br> list = <value optimized out><br>
rc = <value optimized out><br> ret = <value optimized out><br> hash = 0x22cfe30<br> res = {0x0, 0x0}<br>#16 0x00007f5adc78b08a in _gnutls_pkcs1_rsa_encrypt (ciphertext=<value optimized out>, plaintext=<value optimized out>, params=<value optimized out>,<br>
params_len=6, btype=<value optimized out>) at gnutls_pk.c:150<br> i = <value optimized out><br> pad = <value optimized out><br> ret = <value optimized out><br> edata = 0x228c980 ""<br>
ps = 0x228c982 "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377"<br>
k = <value optimized out><br>---Type <return> to continue, or q <return> to quit---<br> psize = <value optimized out><br> mod_bits = <value optimized out><br> pk_params = {params = {0x224f360, 0x224ef40, 0x224f3d0, 0x224f140, 0x225dba0, 0x224ffc0}, params_nr = 6, flags = 32767}<br>
to_encrypt = {data = 0x228c980 "", size = 128}<br> encrypted = {data = 0x7fff04a2ad90 "!\002", size = 3671393680}<br>#17 0x00007f5adc792fe6 in _gnutls_sign (algo=<value optimized out>, params=<value optimized out>, params_size=<value optimized out>,<br>
data=0x7fff04a2acb0, signature=0x0) at gnutls_sig.c:251<br> ret = <value optimized out><br>#18 0x00007f5adc79388f in _gnutls_handshake_sign_data (session=0x22ceb70, cert=0x2278c20, pkey=<value optimized out>, params=<value optimized out>,<br>
signature=0x7fff04a2ad90, sign_algo=<value optimized out>) at gnutls_sig.c:226<br> dconcat = {data = 0x7fff04a2acd0 "0!0\t\006\005+\016\003\002\032\005", size = 35}<br> ret = 0<br> td_sha = {registered = 0, hd = {gc = 0x2288680, rh = {cc = 0x2288680, ctx = 0x82}}, algorithm = GNUTLS_MAC_SHA1, key = 0x7fff04a2ad00,<br>
keysize = -623573616, active = 0}<br> concat = "0!0\t\006\005+\016\003\002\032\005\000\004\024\213^q\253^G\342\062\256\263\310\060\230\030(2-d\212\300\004\377\177\000\000\020\255\242\004\377\177\000\000\200\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\200", '\000' <repeats 15 times>"\340, \306("<br>
---Type <return> to continue, or q <return> to quit---<br> ver = GNUTLS_TLS1_2<br> hash_algo = GNUTLS_DIG_SHA1<br>#19 0x00007f5adc793fbf in gen_dhe_server_kx (session=0x22ceb70, data=0x7fff04a2ae00) at auth_dhe.c:152<br>
g = <value optimized out><br> p = <value optimized out><br> mpis = <value optimized out><br> ret = 263<br> data_size = <value optimized out><br> apr_cert_list = 0x2278c20<br>
apr_pkey = 0x2278560<br> apr_cert_list_length = 1<br> signature = {data = 0x221 <Address 0x221 out of bounds>, size = 0}<br> ddata = {data = 0x2280f70 "", size = 263}<br> dh_params = <value optimized out><br>
sign_algo = <value optimized out><br> ver = GNUTLS_TLS1_2<br>---Type <return> to continue, or q <return> to quit---<br>#20 0x00007f5adc780195 in _gnutls_send_server_kx_message (session=0x67d6, again=<value optimized out>) at gnutls_kx.c:207<br>
data = 0x2280f70 ""<br> data_size = <value optimized out><br> ret = <value optimized out><br>#21 0x00007f5adc77bc55 in _gnutls_handshake_server (session=0x22ceb70) at gnutls_handshake.c:3047<br>
ret = 545<br>#22 0x00007f5adc77c481 in gnutls_handshake (session=0x22ceb70) at gnutls_handshake.c:2709<br> ret = <value optimized out><br>#23 0x00007f5add51e744 in virNetTLSSessionHandshake () from /usr/lib64/libvirt.so.0<br>
No symbol table info available.<br>#24 0x00007f5add513a2b in virNetServerClientInit () from /usr/lib64/libvirt.so.0<br>No symbol table info available.<br>#25 0x00007f5add511821 in ?? () from /usr/lib64/libvirt.so.0<br>No symbol table info available.<br>
#26 0x00007f5add51512a in ?? () from /usr/lib64/libvirt.so.0<br>No symbol table info available.</div>
<div><br><br> </div>
<div class="gmail_quote">On Fri, Apr 12, 2013 at 3:24 PM, Daniel P. Berrange <span dir="ltr"><<a href="mailto:berrange@redhat.com" target="_blank">berrange@redhat.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">
<div class="im">On Fri, Apr 12, 2013 at 03:14:58PM +0200, SHREE DUTH AWASTHI wrote:<br>> Hi Daniel,<br>><br>> Thanks for your time.<br>><br>> Please find the requested output.<br>><br>> # ulimit -a<br>
> core file size (blocks, -c) 1000000<br>> data seg size (kbytes, -d) unlimited<br>> scheduling priority (-e) 0<br>> file size (blocks, -f) unlimited<br>> pending signals (-i) 63706<br>
> max locked memory (kbytes, -l) 64<br>> max memory size (kbytes, -m) unlimited<br>> open files (-n) 1024<br>> pipe size (512 bytes, -p) 8<br>> POSIX message queues (bytes, -q) 819200<br>
> real-time priority (-r) 0<br>> stack size (kbytes, -s) 8192<br>> cpu time (seconds, -t) unlimited<br>> max user processes (-u) 1024<br>> virtual memory (kbytes, -v) unlimited<br>
> file locks (-x) unlimited<br><br></div>Ok, so ordinarily gnutls would initialize libgcrypt disabling secmem.<br>Libvirt, however, needs to register thread callbacks with gcrypt. Doing<br>this in turn disables gnutls' setup code. So secmem is left enabled.<br>
This is not an issue on most distros, since they allow users to mlock<br>sufficient memory.<br><br>Anyway we need to fix libvirt to disable secmem, since we've blocked<br>gnutls' own setup from running.<br>
<div class="HOEnZb">
<div class="h5"><br>Daniel<br>--<br>|: <a href="http://berrange.com/" target="_blank">http://berrange.com</a> -o- <a href="http://www.flickr.com/photos/dberrange/" target="_blank">http://www.flickr.com/photos/dberrange/</a> :|<br>
|: <a href="http://libvirt.org/" target="_blank">http://libvirt.org</a> -o- <a href="http://virt-manager.org/" target="_blank">http://virt-manager.org</a> :|<br>|: <a href="http://autobuild.org/" target="_blank">http://autobuild.org</a> -o- <a href="http://search.cpan.org/~danberr/" target="_blank">http://search.cpan.org/~danberr/</a> :|<br>
|: <a href="http://entangle-photo.org/" target="_blank">http://entangle-photo.org</a> -o- <a href="http://live.gnome.org/gtk-vnc" target="_blank">http://live.gnome.org/gtk-vnc</a> :|<br></div></div></blockquote>
</div><br>
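<p>The thread diagnoses the abort by comparing the shell's <code>ulimit -l</code> (64 KiB) with what libgcrypt's secure-memory pool must mlock. What matters for the crash is the limit the daemon itself inherited, which is visible in <code>/proc/&lt;pid&gt;/limits</code> rather than in an interactive shell. The script below is an added example, not code from this thread or from libvirt, gnutls or libgcrypt: it parses the "Max locked memory" line of a limits file and checks the soft limit against a pool size. The sample limits text is constructed, and the 16384-byte pool size is an assumption taken from libgcrypt's historical default; check the value for the libgcrypt version actually installed.</p>

```shell
#!/bin/sh
# Added example (not from the thread): check whether a process's RLIMIT_MEMLOCK
# soft limit, as shown in /proc/<pid>/limits, can cover libgcrypt's secure-memory
# pool. A daemon that keeps secmem enabled aborts when the pool cannot be set up.

# Assumed pool size: libgcrypt's historical DEFAULT_POOL_SIZE. Verify against
# the installed libgcrypt before relying on this number.
SECMEM_POOL_BYTES=16384

# Constructed sample of /proc/<pid>/limits for a daemon that inherited the
# 64 KiB default seen in the thread's `ulimit -l` output (65536 bytes).
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max locked memory         65536                65536                bytes
Max open files            1024                 4096                 files'

# memlock_soft_bytes LIMITS_TEXT
#   Prints the soft "Max locked memory" limit in bytes, or "unlimited".
#   Returns 1 if the line is absent (e.g. the file was truncated or unreadable).
memlock_soft_bytes() {
    printf '%s\n' "$1" | awk '
        /^Max locked memory/ { print $4; found = 1 }
        END { exit found ? 0 : 1 }'
}

# memlock_ok LIMITS_TEXT REQUIRED_BYTES
#   Returns 0 if the soft limit is "unlimited" or at least REQUIRED_BYTES,
#   1 otherwise (including when the limit line cannot be found).
memlock_ok() {
    soft=$(memlock_soft_bytes "$1") || return 1
    [ "$soft" = unlimited ] && return 0
    [ "$soft" -ge "$2" ]
}

# report_daemon PID
#   Human-readable verdict for a live process; reads /proc/PID/limits.
report_daemon() {
    limits=$(cat "/proc/$1/limits" 2>/dev/null) || {
        echo "pid $1: cannot read /proc/$1/limits"
        return 1
    }
    if memlock_ok "$limits" "$SECMEM_POOL_BYTES"; then
        echo "pid $1: memlock soft limit $(memlock_soft_bytes "$limits") bytes covers a $SECMEM_POOL_BYTES-byte secmem pool"
    else
        echo "pid $1: memlock soft limit $(memlock_soft_bytes "$limits") bytes is below $SECMEM_POOL_BYTES bytes"
        return 1
    fi
}

# Stand-alone demonstration on the constructed sample; for a running libvirtd
# use: report_daemon "$(pidof libvirtd)"
if memlock_ok "$SAMPLE_LIMITS" "$SECMEM_POOL_BYTES"; then
    echo "sample daemon: limit $(memlock_soft_bytes "$SAMPLE_LIMITS") bytes covers the assumed pool"
else
    echo "sample daemon: limit too small for the assumed pool"
fi
```

<p>Run it against the daemon's own PID rather than a login shell: service managers and init scripts often set a different RLIMIT_MEMLOCK than an interactive session. A passing check only rules out the mlock limit as the cause; as Daniel notes, the durable fix is for libvirt's own libgcrypt initialisation to disable secmem, since it prevents gnutls from doing so.</p>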