Comment 24 for bug 1895192

Frank Heimes (fheimes) wrote :

I followed the steps on an LPAR that has an active crypto domain with a master key set, using FCP multipath disk storage.
I did two installations (using Impish), one for each of the MPs, and the results are the same.
The LUKS installations complete and I can boot into the OS afterwards.

However, in both cases a normal (fallback) LUKS installation is done and 'aes-xts-plain64' is used instead of 'paes-xts-plain64'.

$ sudo cryptsetup status $(awk '{ print $1 }' /etc/crypttab ) | grep cipher
  cipher: aes-xts-plain64

Wanting to be sure, I checked the master key using the commands from the CCA proprietary package:
/opt/IBM/CCA/bin/panel.exe -mk-query --mktype=AES --mkregister=CURRENT
Preparing to QUERY master key verification pattern

Query of Key Verification Pattern for Master key [AES-MK ] [KEY-KM ] returned:

RND[0000000000000000]
VER[E113AC74BB40CCA1]

as well as using zkey:
# sudo zkey generate --xts --name key-for-verification
# sudo zkey list
Key : key-for-verification
-------------------------------------------------------------------------------------
        Description :
        Secure key size : 128 bytes
        Clear key size : 512 bits
        XTS type key : Yes
        Key type : CCA-AESDATA
        Volumes : (none)
        APQNs : (none)
        Key file name : /etc/zkey/repository/key-for-verification.skey
        Sector size : (system default)
        Volume type : LUKS2
        Verification pattern : 1d6f7ea0dfebdd8b65f0970e573522fd
                               85ebee9ee93ca80cc87dc020aa1eb309
        Created : 2021-08-03 06:38:28
        Changed : (never)
        Re-enciphered : (never)
and both looked fine.

To be sure, I re-did the same installation using a single DASD with LVM instead, and this worked and resulted in the use of 'paes-xts-plain64':

$ sudo cryptsetup status $(awk '{ print $1 }' /etc/crypttab ) | grep cipher
  cipher: paes-xts-plain64

This shows that an installation using zkey is generally possible, but that there seems to be another issue in the multipath code path that does not properly trigger the zkey usage (like with DASDs).

[I've attached a zip containing two files with the detailed steps that I followed.]
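
Added example, not part of the comment above and not code from the installer or zkey: a shell check that walks every /etc/crypttab entry and flags volumes whose active cipher is not a paes-* (protected-key) cipher, which is the silent fallback this comment reports. The function names and the STATUS_CMD override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: detect LUKS volumes that fell back from a protected-key
# cipher (paes-*) to a clear-key cipher (e.g. aes-xts-plain64).

# Print the mapping name (first field) of every crypttab entry read from
# stdin, skipping blank lines and comment lines.
crypttab_names() {
    awk 'NF && $1 !~ /^#/ { print $1 }'
}

# Extract the cipher from `cryptsetup status <name>` output read from stdin.
cipher_of() {
    awk '$1 == "cipher:" { print $2 }'
}

# Map a cipher string to a verdict.
classify_cipher() {
    case "$1" in
        paes-*) echo "protected-key" ;;
        "")     echo "unknown" ;;          # inactive mapping or no cipher line
        *)      echo "clear-key-fallback" ;;
    esac
}

# Audit all entries of a crypttab file (default /etc/crypttab).
# Prints "name<TAB>cipher<TAB>verdict" per entry and returns non-zero if
# any entry is not using a protected-key cipher.
# STATUS_CMD (assumption of this example) lets a caller substitute the
# status command; by default `cryptsetup status` is used and needs root.
audit_crypttab() {
    crypttab=${1:-/etc/crypttab}
    rc=0
    for name in $(crypttab_names < "$crypttab"); do
        cipher=$(${STATUS_CMD:-cryptsetup status} "$name" 2>/dev/null | cipher_of)
        verdict=$(classify_cipher "$cipher")
        printf '%s\t%s\t%s\n' "$name" "${cipher:-?}" "$verdict"
        [ "$verdict" = "protected-key" ] || rc=1
    done
    return $rc
}

# Run the audit only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_crypttab /etc/crypttab
fi
```

Run as root with `--audit` after an installation; a non-zero exit status means at least one volume is not on a paes-* cipher.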