[19.04 FEAT] Installer support for protected key dm-crypt

Bug #1766865 reported by bugproxy on 2018-04-25
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
High
Canonical Foundations Team
curtin (Ubuntu)
Undecided
Unassigned
debian-installer (Ubuntu)
Undecided
Skipper Bug Screeners
partman-crypto (Ubuntu)
Undecided
Unassigned
s390-tools (Ubuntu)
Undecided
Unassigned

Bug Description

Documentation regarding pervasive encryption is available on IBM knowledge center, for details see
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lxdc_quick/lxdc_a_quick_linuxonz.html

  -> PDF file for Getting started with pervasive encryption
  -> Prerequisites
  These hardware and software components are required for implementing pervasive disk encryption.

 -> Creating and accessing an encrypted partition
 Setting up disk encryption entails generating secure keys and creating logical volumes.

bugproxy (bugproxy) on 2018-04-25
tags: added: architecture-s39064 bugnameltc-166899 severity-high targetmilestone-inin1810
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → debian-installer (Ubuntu)
Changed in ubuntu-z-systems:
assignee: nobody → Canonical Foundations Team (canonical-foundations)
Dimitri John Ledkov (xnox) wrote :

The following changes will be needed:
1) modify s390-tools to ship zkey utilities in the udeb, for d-i
2) probably some modifications to partman-crypto to allow using zkey generated keys
3) detection when these keys are available
4) ensure consistent defaults are used, at same or greater cryptographic strength

HW prerequisites:
we have z13, and it needs checking if we have the rest of the requirements satisfied

1) An IBM z14 or z13™ with the CPACF feature installed. The use of the CPACF requires the appropriate microcode to be loaded which you can order as no-charge feature code (LIC #3863).

2) For redundancy, two IBM Crypto Express5 or Crypto Express6 adapters in CCA coprocessor mode (CEX5C or CEX6C).

3) A Trusted Key Entry (TKE) workstation.

4) For non-production environments you can use the utilities from the CCA package instead of the TKE to set master keys.

5) SCSI or DASD volumes to be encrypted.

As first steps, it would be advisable to set these up and use, post-install. Then it can be looked into enabling this in the installer too. Given our current efforts targeting stabilising 18.04.1 and developing subiquity, I am not sure much progress will be made towards enabling this feature in 18.10. Certain steps can be made to make it easier to use - e.g. shipping zdev in a udeb.

Frank Heimes (frank-heimes) wrote :

some additional thoughts:
- I think the latest s390-tools ships with zkey, but needs packaging (other ticket)
- CPACF and CryptoExpress5 (pairs) are available on our z13
- but we don't have a TKE, the utilities might be sufficient for testing, anyway end-2-end testing would req. TKE
- considerable work at d-i and partman needed (add. udebs)
- z12 is supported by Ubuntu, but not for pervasive encryption - that would need to be handled in installer, too

Changed in ubuntu-z-systems:
status: New → Triaged
summary: - [18.10 FEAT]Installer support for protected key dm-crypt
+ [18.10 FEAT] Installer support for protected key dm-crypt
Changed in ubuntu-z-systems:
importance: Undecided → Wishlist

------- Comment From <email address hidden> 2018-07-09 06:50 EDT-------
You don't need a TKE.
You need to set up the (AES) masterkey on your card(s), that's all.
This can be done on the command line with an application which is part of the CCA library. I'll add Ingo to cc and he may write down some more details or attach a paper which describes all this.
@Ingo, can you please copy-and-paste some instructions about how to install the CCA lib and set up master keys here? Thanks

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-07-09 07:08 EDT-------
For installing the CCA lib, please see here:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.wskc.doc/wskc_c_install.html

For setting the master key, please see here:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.wskc.doc/wskc_mkey_admin.html
If you don't have a TKE; then you can use panel.exe, see here:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.wskc.doc/wskc_c_panelexe.html

Example:
Clear NEW register:
panel.exe -c -t E

Load key parts:
panel.exe -l -t E -p F `xxd -p -c 256 -l 32 /dev/random`
panel.exe -l -t E -p M `xxd -p -c 256 -l 32 /dev/random`
panel.exe -l -t E -p L `xxd -p -c 256 -l 32 /dev/random`

Set Key:
panel.exe -s -t E

In real life you would not use /dev/random for the key parts, but known values so that you can set the same master key on multiple CCA crypto adapters, or recover the master key.

information type: Private → Public

This bug was fixed in the package s390-tools - 2.6.0-0ubuntu4

---------------
s390-tools (2.6.0-0ubuntu4) cosmic; urgency=medium

  * Add s390-tools-zkey-udeb package with zkey utilities for d-i. LP:
    #1766865

 -- Dimitri John Ledkov <email address hidden> Tue, 04 Sep 2018 16:58:09 +0100

Changed in s390-tools (Ubuntu):
status: New → Fix Released

------- Comment From <email address hidden> 2018-09-05 03:53 EDT-------
Addl. information
You cannot encrypt the boot partition. -- After all, there must be code to open an encrypted partition
You can encrypt the root partition
In order to do so, the code in the boot partition must open the boot partition
i.e., the initrd or initramfs contains code to issue the cryptsetup open/luksOpen commands for the root partition before the chroot command
with LUKS/LUKS2 you must provide a pass phrase - on PCs that is asked for interactively (possibly derived from the password) -- somehow Canonical does this with their Ubuntu distributions today
with protected keys crypto (PAES) - you need not protect a pass phrase. With dm-crypt plain mode you can use a secure key stored somewhere in the initrd/initramfs or with LUKS2 you can simply store the pass phrase in a file in the initrd/initramfs because the security of the disk key is protected by the HSM (CryptoExpress card) and does not depend on being wrapped by a secret pass phrase.
Note, before a system tries to use PAES it should verify that a CCA coprocessor (CEXnC adapter) is available.
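
The availability check mentioned in the last sentence, as an added shell example that is not part of this bug report or of s390-tools. It assumes the AP bus sysfs layout in which each crypto adapter appears as a `cardXX` directory with a `type` attribute (e.g. `CEX5C`) and an `online` attribute under `/sys/bus/ap/devices`; the fake tree built by `make_fake_ap_tree` is constructed here so the check can be exercised on a machine without a Crypto Express adapter.

```shell
# Added example (not from the bug report or s390-tools): look for an online CCA
# coprocessor (CEXnC) before an initrd tries to open a PAES-encrypted volume.
# Assumption: each AP card is $ROOT/cardXX with 'type' (CEX5C, CEX6C, ...) and
# 'online' (1/0) attributes; on a real system ROOT is /sys/bus/ap/devices.

# find_cca_coproc [ROOT]
# Prints the sysfs name of the first online CCA coprocessor and returns 0.
# Returns 1 if none is found, so the caller can fall back to a non-PAES setup.
find_cca_coproc() {
    root="${1:-/sys/bus/ap/devices}"
    for card in "$root"/card*; do
        [ -r "$card/type" ] || continue
        type=$(cat "$card/type")
        online=$(cat "$card/online" 2>/dev/null || echo 0)
        # Only CCA coprocessor mode (type ending in C) can unwrap CCA secure keys;
        # accelerator (CEXnA) and EP11 (CEXnP) modes do not qualify here.
        case "$type" in
            CEX[0-9]C|CEX[0-9][0-9]C)
                if [ "$online" = "1" ]; then
                    echo "${card##*/}"
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# make_fake_ap_tree ROOT
# Builds a constructed sysfs-like tree: one accelerator, one offline coprocessor,
# one online coprocessor. Only the last one should be reported as usable.
make_fake_ap_tree() {
    root=$1
    mkdir -p "$root/card00" "$root/card01" "$root/card02"
    printf 'CEX6A\n' > "$root/card00/type"; printf '1\n' > "$root/card00/online"
    printf 'CEX5C\n' > "$root/card01/type"; printf '0\n' > "$root/card01/online"
    printf 'CEX5C\n' > "$root/card02/type"; printf '1\n' > "$root/card02/online"
}

# Usage on a real system: skip PAES if no online CCA coprocessor is present.
if card=$(find_cca_coproc); then
    echo "CCA coprocessor $card online; PAES secure keys can be used"
else
    echo "no online CCA coprocessor; do not configure PAES for this volume" >&2
fi
```

On a z System without an adapter, or on any other architecture, the usage block prints the warning and exits the check cleanly; an installer or initrd hook would branch on the function's return code in the same way rather than assuming the `paes` cipher is usable.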

tags: added: id-5b3c6fb0aa2141c18a16c328
tags: added: zkey
tags: added: id-5baa3014eeb0ad048552b5b5
summary: - [18.10 FEAT] Installer support for protected key dm-crypt
+ [19.04 FEAT] Installer support for protected key dm-crypt
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-09-28 05:02 EDT-------
Moved this installer item from 18.10 -> 19.04...

tags: added: targetmilestone-inin1904
removed: targetmilestone-inin1810
Changed in ubuntu-z-systems:
importance: Wishlist → High
Changed in ubuntu-z-systems:
status: Triaged → Fix Released
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2019-04-23 05:16 EDT-------
IBM bugzilla status -> closed, Fix Released with Disco

tags: added: installer
Changed in curtin (Ubuntu):
status: New → In Progress