MIR for intel-ipsec-mb

Bug #1786201 reported by Colin Ian King
Affects                    Status    Importance   Assigned to            Milestone
intel-ipsec-mb (Ubuntu)    Invalid   Medium       Ubuntu Security Team
  Declined for Bionic by Jamie Strandboge
  Cosmic                   Invalid   Medium       Ubuntu Security Team
  Eoan                     Invalid   Medium       Ubuntu Security Team

Bug Description

[ Ignore the Nominate for Bionic, that's not required ]

== Overview ==

Intel Multi-Buffer Crypto for IPsec Library is a set of highly optimized
software implementations of the core cryptographic processing for IPsec,
which provide industry-leading performance on a range of Intel(R) Processors.

For information on how to build and use this library, see the
Intel White Paper:
"Fast Multi-buffer IPsec Implementations on Intel Architecture Processors".
Jim Guilford, Sean Gulley, et al.

[ See https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/fast-multi-buffer-ipsec-implementations-ia-processors-paper.pdf ]

== Answers to UbuntuMainInclusionRequirements ==

= Requirements =

1. Availability
   Package is in universe: https://launchpad.net/ubuntu/+source/intel-ipsec-mb

2. Rationale
   Intel-ipsec-mb is useful for projects that require core IPsec cryptographic processing
   that is highly optimized and performant on x86-64 processors. Projects such as
   DPDK (https://www.dpdk.org/) will be able to improve performance with this library.

3. Security:
   No security issues exposed so far. However, the tools have only been in Ubuntu since
   early Mar 2018, so this is currently several weeks over the 90-day threshold.

4. Quality assurance:
   * Manual is provided
   * No debconf questions higher than medium
   * No outstanding bugs. I'm also helping Intel fix issues that I'm finding with
     static analysis tools such as scan-build, cppcheck and CoverityScan,
     see: https://scan.coverity.com/projects/intel-ipsec-mb
   * Exotic Hardware: x86-64 support only, since this is hand optimized for this
     specific architecture.
   * No Test Suite shipped with the package
   * Does not rely on obsolete or demoted packages

5. UI standards:
   * This is a CLI tool. Tool has normal CLI style short help and man pages
   * No desktop file required as it is a CLI tool.

6. Binary Dependencies:
   * None

7. Standards compliance:
   lintian clean and meets the FHS + Debian Policy standards to the best of my knowledge

8. Maintenance
   * Package owning team: The Ubuntu Kernel Team
   * Debian package maintained by Colin Ian King (myself from the Kernel Team)

9. Background Information
   This provides an optimized IPSEC multiblock library.

  Search in the National Vulnerability Database using the package as a keyword
  * No CVEs found

  http://secunia.com/advisories/search/: search for the package as a keyword
  * No security advisories found

  Ubuntu CVE Tracker
    http://people.ubuntu.com/~ubuntu-security/cve/main.html
    * No
    http://people.ubuntu.com/~ubuntu-security/cve/universe.html
    * No
    http://people.ubuntu.com/~ubuntu-security/cve/partner.html
    * No

    Check for security relevant binaries. If any are present, this
    requires a more in-depth security review.

    Executables which have the suid or sgid bit set.
      * No.

    Executables in /sbin, /usr/sbin.
      * None in these paths, it's a library

    Packages which install daemons (/etc/init.d/*)
      * No

    Packages which open privileged ports (ports < 1024).
      * No

     Add-ons and plugins to security-sensitive software (filters,
     scanners, UI skins, etc)
      * None
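
The file-based checks listed above (suid/sgid executables, executables in /sbin and /usr/sbin, init scripts under /etc/init.d) can be run mechanically over a package's file listing. The following is an added example, not part of the original report or of Ubuntu's MIR tooling; it assumes the tar-style listing printed by `dpkg-deb -c`, covers only those file-based checks (not privileged ports), and the function name, check labels and both sample listings are constructed for illustration.

```shell
# Added example: file-based MIR checks over `dpkg-deb -c` output on stdin.
# Prints one "<CHECK> <path>" line per finding; no output means no findings.
audit_listing() {
    awk '
    {
        mode = $1
        # Rejoin the path so file names containing spaces survive.
        path = $6; for (i = 7; i <= NF; i++) path = path " " $i
        # Directories, symlinks and device nodes are not executables.
        if (substr(mode, 1, 1) != "-") next
        # tar-style modes show s/S in the owner execute slot for setuid...
        if (substr(mode, 4, 1) ~ /[sS]/) print "SUID", path
        # ...and in the group execute slot for setgid.
        if (substr(mode, 7, 1) ~ /[sS]/) print "SGID", path
        executable = (mode ~ /[xst]/)
        if (executable && path ~ "^\\.?/?(usr/)?sbin/") print "SBIN", path
        if (path ~ "^\\.?/?etc/init\\.d/") print "INITD", path
    }'
}

# Constructed sample: a library-only package (hypothetical file names).
sample_library() {
    cat <<'EOF'
drwxr-xr-x root/root         0 2018-08-09 10:00 ./usr/lib/
-rw-r--r-- root/root    901234 2018-08-09 10:00 ./usr/lib/libexample.so.0.0
lrwxrwxrwx root/root         0 2018-08-09 10:00 ./usr/lib/libexample.so.0 -> libexample.so.0.0
EOF
}

# Constructed sample: a hypothetical package that trips every check.
sample_risky() {
    cat <<'EOF'
-rwsr-xr-x root/root     30000 2018-08-09 10:00 ./usr/bin/example-helper
-rwxr-sr-x root/mail     20000 2018-08-09 10:00 ./usr/bin/example-spool
-rwxr-xr-x root/root     40000 2018-08-09 10:00 ./usr/sbin/exampled
-rwxr-xr-x root/root      1200 2018-08-09 10:00 ./etc/init.d/exampled
EOF
}

echo "library package findings:"; sample_library | audit_listing
echo "risky package findings:";   sample_risky | audit_listing
```

With the function loaded in the current shell, a real package is checked with `dpkg-deb -c <package>.deb | audit_listing`.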

Changed in intel-ipsec-mb (Ubuntu):
importance: Undecided → Medium
description: updated
Changed in intel-ipsec-mb (Ubuntu):
milestone: none → ubuntu-18.10
Colin Ian King (colin-king) wrote :

Christian Ehrhardt (paelzer) also emailed me with this comment:

"one need that I know about is that DPDK will grow a dependency on intel-ipsec-mb to support their offloads. DPDK is in MAIN and this would be a component mismatch, therefore I'm glad to hear that you planned to file a MIR anyway.

This also gives it sort of a minimum timeframe - I'll need that for DPDK 18.11 which should show up in 19.04 around November/December this year - if until then the MIR on this could be done that would be great."

Colin Ian King (colin-king) wrote :

@Ping. Any progress on this MIR?

Changed in intel-ipsec-mb (Ubuntu Cosmic):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Seth Arnold (seth-arnold) wrote :

This is unlikely to get security team traction before 18.10.

Thanks

Christian Ehrhardt  (paelzer) wrote : Re: [Bug 1786201] Re: MIR for intel-ipsec-mb

On Wed, Aug 29, 2018 at 2:01 AM Seth Arnold <email address hidden>
wrote:

> This is unlikely to get security team traction before 18.10.
>

@Seth - 18.10 would be ok with me, but can we plan for "early 18.10, like
the first 1/3 of the cycle" to not be locked up by component mismatches
until close to the end of the cycle?
@Colin what would be your timeline?

Colin Ian King (colin-king) wrote :

My timeline was just based on the requirement to get this complete for the DPDK folk, so they can call the shots on the timeline constraints.

Christian Ehrhardt  (paelzer) wrote :

FYI: I'm going to try breaking up some dependencies in DPDK so that not all of DPDK will end up in Main. The intention is to have commonly used and well tested PMDs and libs in main, but some of the more edge-cases can stay in Universe.

In that sense the lib that needs intel-ipsec-mb would become part of the universe binaries.

This is only true if I succeed in doing so for 19.04. Also the usage-prio might change later on, so having the MIR processed will stay a valid request but at a lower prio than before.

I'll update the bug here once that DPDK task is completed (or abandoned).

Until then my request would be:
1. @Security team please reduce the prio on this in your Review planning
2. @Colin if you had another reason to MIR this please bring it up to be known here

Colin Ian King (colin-king) wrote :

I've no other reason to MIR this apart from the requirement for DPDK, so I'm OK with it being lowered in priority

Christian Ehrhardt  (paelzer) wrote :

FYI - the dependency split (less common PMDs) worked; it is currently on its way to the new queue in Debian and will sooner or later be in Ubuntu (at the same time that the dependency to ipsec is added).
Due to the split of dependencies I'll NOT need to promote intel-ipsec-mb to MAIN for DPDK.

Colin said he had "no other reason" to MIR this, therefore should we set this to invalid and take it off the security team's backlog?

Colin Ian King (colin-king) wrote :

I'm OK with making this invalid. Saves work all round IMHO.

Changed in intel-ipsec-mb (Ubuntu):
status: New → Invalid
Changed in intel-ipsec-mb (Ubuntu Cosmic):
status: New → Invalid
James Page (james-page) wrote :

Re-opening MIR - the latest Open vSwitch builds with DPDK pull this in as a dependency resulting in a component mismatch.

Changed in intel-ipsec-mb (Ubuntu):
status: Invalid → New
Changed in intel-ipsec-mb (Ubuntu Eoan):
milestone: ubuntu-18.10 → ubuntu-19.10
Christian Ehrhardt  (paelzer) wrote :

After discussion the current -proposed builds with OVS 2.11.1 don't do this.
The 2.12 builds might (our theory) overlink, but Jamespage will look into that.
Until then we consider the MIR invalid.

Changed in intel-ipsec-mb (Ubuntu Eoan):
status: New → Invalid