Allow the protected key AES (paes) module to derive protected keys from clear keys.
This allows simple use of protected keys w/o requiring CryptoExpress adapters in case the keys are ephemeral, that their life time does not extend over different boot or machine migrations.
An example of such keys are keys used to encrypt swap volumes of non-migratable systems.
Function will be provided via kernel 4.20 .
Important:
Install file s390-pkey.conf introduced with this commit into /usr/lib/modules-load.d/ (or /etc/modules-load.d)
Addl. Information for integration.
Kernel module pkey is loaded too late during system startup.
Kernel module pkey uses the CPU feature match mechanism to get loaded automatically when the CPU supports crypto. However, it gets loaded too late by the feature match mechanism.
When using the support added with "in-kernel crypto: support protected keys generated by random in paes module" to encrypt a swap disk with a randomly generated protected key, the pkey module must have been loaded before the /etc/crypttab is processed. It turned out that the automatic loading via CPU feature match is too late for that, and pkey is not yet loaded at the required point in time.
The kernel module pkey should therefor loaded explicitly via /usr/lib/modules.load.d/.(or /etc/modules-load.d/). This is performed early enough, i.e. before /etc/crypttab is processed.
Please integrate upstream commit https://github.com/ibm-s390-tools/s390-tools/commit/dffd41943e5c01be2f343da7726edabf9d2ec05e titled "pkey: Support autoloading kernel pkey module". -> comes with kernel 4.20.
Important:
Install file s390-pkey.conf introduced with this commit into /usr/lib/modules-load.d/ (or /etc/modules-load.d)
Not assigning, since it will be available with the disco target kernel anyway - just monitoring ...