[Ubuntu 18.04] cryptsetup: 'device-mapper: reload ioctl on failed' when setting up a second end-to-end encrypted disk

Bug #1762353 reported by bugproxy on 2018-04-09
This bug affects 1 person
Affects: Ubuntu on IBM z Systems; Importance: High; Assigned to: Canonical Kernel Team
Affects: linux (Ubuntu); Importance: High; Assigned to: Skipper Bug Screeners

Bug Description

Problem Description:
Environment: z14 VM Guest system with one CEX6C CCA coprocessor
in toleration mode (i.e. CEX6 HW presented as CEX5)
OS: Ubuntu 18.04 Prerelease
Setting up a second dm-crypt device using protected CCA paes-xts keys fails.
The problem is reproducible.

Details
=======
Setting up two or more plain end-to-end encrypted disks using 'cryptsetup'
fails when using a cipher based on the protected key mechanism.
The setup needs the paes and pkey modules loaded, the former providing the
paes-xts-plain64 cipher (cat /proc/crypto | grep paes).

A second attempt to establish an end-to-end encrypted disk fails
with: "device-mapper: reload ioctl on failed: No such file or directory."

The problem is independent of the second encrypted disk being based on a second DASD or second partition on one DASD.

---uname output---
Linux s3514004 4.13.0-25-generic #29-Ubuntu SMP Mon Jan 8 21:15:56 UTC 2018 s390x s390x s390x GNU/Linux

---Steps to Reproduce---
1.) The following cryptsetup statement works, and is the first one I issued.
cryptsetup plainOpen --key-file securekey.bin --key-size 1024 --cipher paes-xts-plain64 /dev/disk/by-path/ccw-0.0.NNNN-part1 enc-pv1
2.) After this successful statement, I issued the following:
cryptsetup plainOpen --key-file securekey.bin --key-size 1024 --cipher paes-xts-plain64 /dev/disk/by-path/ccw-0.0.NNNN-part2 enc-pv2
device-mapper: reload ioctl on failed: No such file or directory.

See attached patch (comment #1) as fix.

tags: added: architecture-s39031.64 bugnameltc-163909 severity-high targetmilestone-inin1804
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)

------- Comment From <email address hidden> 2018-04-09 05:41 EDT-------
Stack trace output:
no

Oops output:
no

System Dump Info:
The system is not configured to capture a system dump.

*Additional Instructions for <email address hidden>:
-Attach sysctl -a output to the bug.

description: updated
Changed in ubuntu-z-systems:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-04-09 06:37 EDT-------
This problem occurs on all kernels since 4.12.
The priorities for the in-kernel crypto s390 paes (and s390 aes) ciphers
are not correct.

Created attachment 126006 [details]
Adjust s390 aes and paes cipher priorities

Please note this is not yet available upstream.
Tentative upstream target is kernel 4.17 (merge window currently open)

summary: - cryptsetup: 'device-mapper: reload ioctl on failed' when setting up a
- second end-to-end encrypted disk
+ [Ubuntu 18.04] cryptsetup: 'device-mapper: reload ioctl on failed' when
+ setting up a second end-to-end encrypted disk
Changed in linux (Ubuntu):
importance: Undecided → High
status: New → Triaged
tags: added: kernel-da-key
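
One way to inspect the cipher priorities that the comment above refers to, as an added example (not part of the bug report or the attached patch): it parses /proc/crypto-format records and reports, for an algorithm name, the registered driver with the highest priority, which is the one a lookup by that name resolves to. The sample records, their priority values and the function names are constructed for illustration.

```shell
# Constructed sample in /proc/crypto record format; the entries and their
# priority values are illustrative, not taken from the bug or its patch.
sample_proc_crypto() {
cat <<'EOF'
name         : xts(paes)
driver       : xts-paes-s390
module       : paes_s390
priority     : 400

name         : xts(aes)
driver       : xts-aes-s390
module       : aes_s390
priority     : 400

name         : xts(aes)
driver       : xts(ecb(aes-generic))
module       : kernel
priority     : 100
EOF
}

# Print "name<TAB>driver<TAB>priority" for each record on stdin whose
# name or driver contains the substring $1.
crypto_table() {
    awk -v pat="$1" -F ' *: *' '
        function emit() {
            if (name != "" && (index(name, pat) || index(driver, pat)))
                printf "%s\t%s\t%s\n", name, driver, prio
            name = driver = prio = ""
        }
        $1 == "name"     { name = $2 }
        $1 == "driver"   { driver = $2 }
        $1 == "priority" { prio = $2 }
        /^[ \t]*$/       { emit() }
        END              { emit() }
    '
}

# Print the highest-priority driver registered under the exact name $1,
# the implementation a lookup by that name resolves to; status 1 if none.
crypto_winner() {
    crypto_table "$1" | awk -F '\t' -v want="$1" '
        $1 == want && (best == "" || ($3 + 0) > max) { max = $3 + 0; best = $2 }
        END { if (best == "") exit 1; print best }
    '
}

# On a live system: crypto_table paes < /proc/crypto
sample_proc_crypto | crypto_table aes
```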
Seth Forshee (sforshee) on 2018-04-10
Changed in linux (Ubuntu):
status: Triaged → Fix Committed
Changed in ubuntu-z-systems:
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-19.20

---------------
linux (4.15.0-19.20) bionic; urgency=medium

  * linux: 4.15.0-19.20 -proposed tracker (LP: #1766021)

  * Kernel 4.15.0-15 breaks Dell PowerEdge 12th Gen servers (LP: #1765232)
    - Revert "blk-mq: simplify queue mapping & schedule with each possisble CPU"
    - Revert "genirq/affinity: assign vectors to all possible CPUs"

linux (4.15.0-18.19) bionic; urgency=medium

  * linux: 4.15.0-18.19 -proposed tracker (LP: #1765490)

  * [regression] Ubuntu 18.04:[4.15.0-17-generic #18] KVM Guest Kernel:
    meltdown: rfi/fallback displacement flush not enabled bydefault (kvm)
    (LP: #1765429)
    - powerpc/pseries: Fix clearing of security feature flags

  * signing: only install a signed kernel (LP: #1764794)
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Config] signing -- enable Opal signing for ppc64el
    - [Packaging] printenv -- add signing options

  * [18.04 FEAT] Sign POWER host/NV kernels (LP: #1696154)
    - [Packaging] signing -- add support for signing Opal kernel binaries

  * Please cherrypick s390 unwind fix (LP: #1765083)
    - s390/compat: fix setup_frame32

  * Ubuntu 18.04 installer does not detect any IPR based HDD/RAID array [S822L]
    [ipr] (LP: #1751813)
    - d-i: move ipr to storage-core-modules on ppc64el

  * drivers/gpu/drm/bridge/adv7511/adv7511.ko missing (LP: #1764816)
    - SAUCE: (no-up) rename the adv7511 drm driver to adv7511_drm

  * Miscellaneous Ubuntu changes
    - [Packaging] Add linux-oem to rebuild test blacklist.

linux (4.15.0-17.18) bionic; urgency=medium

  * linux: 4.15.0-17.18 -proposed tracker (LP: #1764498)

  * Eventual OOM with profile reloads (LP: #1750594)
    - SAUCE: apparmor: fix memory leak when duplicate profile load

linux (4.15.0-16.17) bionic; urgency=medium

  * linux: 4.15.0-16.17 -proposed tracker (LP: #1763785)

  * [18.04] [bug] CFL-S(CNP)/CNL GPIO testing failed (LP: #1757346)
    - [Config]: Set CONFIG_PINCTRL_CANNONLAKE=y

  * [Ubuntu 18.04] USB Type-C test failed on GLK (LP: #1758797)
    - SAUCE: usb: typec: ucsi: Increase command completion timeout value

  * Fix trying to "push" an already active pool VP (LP: #1763386)
    - SAUCE: powerpc/xive: Fix trying to "push" an already active pool VP

  * hisi_sas: Revert and replace SAUCE patches w/ upstream (LP: #1762824)
    - Revert "UBUNTU: SAUCE: scsi: hisi_sas: export device table of v3 hw to
      userspace"
    - Revert "UBUNTU: SAUCE: scsi: hisi_sas: config for hip08 ES"
    - scsi: hisi_sas: modify some register config for hip08
    - scsi: hisi_sas: add v3 hw MODULE_DEVICE_TABLE()

  * Realtek card reader - RTS5243 [VEN_10EC&DEV_5260] (LP: #1737673)
    - misc: rtsx: Move Realtek Card Reader Driver to misc
    - updateconfigs for Realtek Card Reader Driver
    - misc: rtsx: Add support for RTS5260
    - misc: rtsx: Fix symbol clashes

  * Mellanox [mlx5] [bionic] UBSAN: Undefined behaviour in
    ./include/linux/net_dim.h (LP: #1...

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-04-24 11:29 EDT-------
The problem no longer occurs with 4.15.0-19-generic kernel. Closing defect.

Details:
To verify we updated our system via ports.ubuntu.com using apt-get update ; apt-get upgrade ; apt-get dist-upgrade to 4.15.0-19-generic kernel version besides other updates.

We attached an additional DASD with two partitions and repeated the setup of two end-to-end encrypted disks to have both available after processing all ---Steps to Reproduce--- .
We could close all end-to-end encrypted disk setups and run the setups again.

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-04-25 02:26 EDT-------
IBM Bugzilla status -> closed, Fix Released by Canonical and verified by IBM.

bugproxy (bugproxy) on 2019-01-16
tags: added: architecture-s39064
removed: architecture-s39031.64
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Frank Heimes (frank-heimes) wrote :

Ticket is already Fix Released - correcting the tags again ...

tags: added: verification-done-bionic
removed: verification-needed-bionic