[19.04 FEAT] Installer support for protected key dm-crypt

The following changes will be needed:
1) modify s390-tools to ship zkey utilities in the udeb, for d-i
2) probably some modifications to partman-crypto to allow using zkey generated keys
3) detection when these keys are available
4) ensure consistent defaults are used, at same or greater cryptographic stength

HW prerequisites:
we have z13, and it needs checking if we have the rest of the requirements satisfied

1) An IBM z14 or z13™ with the CPACF feature installed. The use of the CPACF requires the appropriate microcode to be loaded which you can order as no-charge feature code (LIC #3863).

2) For redundancy, two IBM Crypto Express5 or Crypto Express6 adapters in CCA coprocessor mode (CEX5C or CEX6C).

3) A Trusted Key Entry (TKE) workstation.

4) For non-production environments you can use the utilities from the CCA package instead of the TKE to set master keys.

5) SCSI or DASD volumes to be encrypted.

As first steps, it would be advisable to set these up and use, post-install. Then it can be looked into enabling this in the installer too. Given our current efforts targeting stabilising 18.04.1 and developing subiquity, I am not sure much progress will be made towards enabling this feature in 18.10. Certain steps can be made to make it easier to use - e.g. shipping zdev in a udeb.

some additional thoughts:
- I think the latest s390-tool ships with zkey, but needs packaging (other ticket)
- CPACF and CryptoExpress5 (pairs) are availabel on our z13
- but we don't have a TKE, the utilities might be sufficient for testing, anyway end-2-end testing would req. TKE
- considerable work at d-i and partman needed (add. udebs)
- z12 is supported by Ubuntu, but not for pervasive encryption - that would need to be handled in installer, too

------- Comment From <email address hidden> 2018-07-09 06:50 EDT-------
You don't need a TKE.
You need to set up the (AES) masterkey on your card(s), thats all.
This can be done one the command line with an application which
is part of the CCA library. I'll add Ingo to cc and he may write down some more details or attach a paper which describes all this.
@Ingo, can you please copy-and-paste some instructions about how to install the CCA lib and set up master keys here? Thanks

------- Comment From <email address hidden> 2018-07-09 07:08 EDT-------
For installing the CCA lib, please see here:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.wskc.doc/wskc_c_install.html

For setting the master key, please see here:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.wskc.doc/wskc_mkey_admin.html
If you don't have a TKE; then you can use panel.exe, see here:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.wskc.doc/wskc_c_panelexe.html

Example:
Clear NEW register:
panel.exe -c -t E

Load key parts:
panel.exe -l -t E -p F `xxd -p -c 256 -l 32 /dev/random`
panel.exe -l -t E -p M `xxd -p -c 256 -l 32 /dev/random`
panel.exe -l -t E -p L `xxd -p -c 256 -l 32 /dev/random`

Set Key:
panel.exe -s -t E

In real life you would not use /dev/random for the key parts, but known values so that you can set the same master key on multiple CCA crypto adapters, or recover the master key.

This bug was fixed in the package s390-tools - 2.6.0-0ubuntu4

---------------
s390-tools (2.6.0-0ubuntu4) cosmic; urgency=medium

  * Add s390-tools-zkey-udeb package with zkey utilities for d-i. LP:
    #1766865

 -- Dimitri John Ledkov <email address hidden> Tue, 04 Sep 2018 16:58:09 +0100

------- Comment From <email address hidden> 2018-09-05 03:53 EDT-------
Addl. information
You cannot encrypt the boot partition. -- After all, there must be code to open an encrypted partition
You can encrypt the root partition
in order to do so the code in boot partition must open the boot partition
i.e., the initrd or initramfs contains code to issue the cryptsetup open/luksOpen commands for the root partition before the chroot command
with LUKS/LUKS2 you must provide a pass phrase - on PCs that is asked for interactively (possibly derived from the password) -- somehow Canonical does this with their Ubuntu distributions today
with protected keys crypto (PAES) - you need not protect a pass phrase. With dm-crypt plain mode you can use a secure key stored somewhere in the initrd/initramfs or with LUKS2 you can simply store the pass phrase in a file in the initrd/initramfs because the security of the disk key is protected by the HSM (CryptoExpress card) and does not depend on being wrapped by a secret pass phrase.
Note, before a system tries to use PAES it should verify that a CCA coprocessor (CEXnC adapter) is available.

------- Comment From <email address hidden> 2018-09-28 05:02 EDT-------
Moved this installer item from 18.10 -> 19.04...

------- Comment From <email address hidden> 2019-04-23 05:16 EDT-------
IBM bugzilla status -> closed, Fix Released with Disco

I can confirm now that this works now on LPAR with DASD as well as with zFCP/SCSI disk storage using subiquity 20.03.
(I had to use edge just to overcome a probing block device issue and had to juggle around an issue with VLAN networking, but the zkey usage is independent on that.)

new installer is out.

successfully tested with 20.04 / subiquity on LPAR with DASD and zFCP disks