[19.04 FEAT] in-kernel crypto: support protected keys generated by random in paes module

Bug #1811354 reported by bugproxy on 2019-01-11
Affects / Importance / Assigned to:
Ubuntu on IBM z Systems: importance High, assigned to Skipper Bug Screeners
linux (Ubuntu): importance Undecided, assigned to Skipper Bug Screeners
s390-tools (Ubuntu): importance Undecided, assigned to Skipper Bug Screeners

Bug Description

Allow the protected key AES (paes) module to derive protected keys from clear keys.
This allows simple use of protected keys w/o requiring CryptoExpress adapters in case the keys are ephemeral, i.e. their lifetime does not extend over different boots or machine migrations.
An example of such keys are keys used to encrypt swap volumes of non-migratable systems.

Function will be provided via kernel 4.20.

Important:
Install file s390-pkey.conf introduced with this commit into /usr/lib/modules-load.d/ (or /etc/modules-load.d)

Addl. Information for integration.

Kernel module pkey is loaded too late during system startup.

Kernel module pkey uses the CPU feature match mechanism to get loaded automatically when the CPU supports crypto. However, it gets loaded too late by the feature match mechanism.

When using the support added with "in-kernel crypto: support protected keys generated by random in paes module" to encrypt a swap disk with a randomly generated protected key, the pkey module must have been loaded before the /etc/crypttab is processed. It turned out that the automatic loading via CPU feature match is too late for that, and pkey is not yet loaded at the required point in time.

The kernel module pkey should therefore be loaded explicitly via /usr/lib/modules-load.d/ (or /etc/modules-load.d/). This is performed early enough, i.e. before /etc/crypttab is processed.

Please integrate upstream commit https://github.com/ibm-s390-tools/s390-tools/commit/dffd41943e5c01be2f343da7726edabf9d2ec05e titled "pkey: Support autoloading kernel pkey module". -> comes with kernel 4.20.

Important:
Install file s390-pkey.conf introduced with this commit into /usr/lib/modules-load.d/ (or /etc/modules-load.d)
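
The following is an added shell example, not part of the bug report or of the s390-tools commit, showing how an administrator can confirm that pkey is listed in a modules-load.d drop-in (the mechanism systemd-modules-load reads at early boot, before /etc/crypttab is processed) and how such a drop-in is written. Only the directories and the file name s390-pkey.conf come from the report; the function names and the file contents are assumptions.

```shell
#!/bin/sh
# Added example: check and create a modules-load.d drop-in for the pkey module.
# modules-load.d format: one kernel module name per line; blank lines and
# '#' comments are ignored. Directories and file name follow the bug report;
# the helper names and the exact file contents are assumptions.

# Print the module names configured in the given modules-load.d directories,
# with comments, surrounding whitespace and blank lines stripped.
modules_load_list() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for conf in "$dir"/*.conf; do
            [ -f "$conf" ] || continue
            sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$conf" \
                | grep -v '^$'
        done
    done
}

# Return 0 if "pkey" is configured for explicit early loading in any of the
# given directories, 1 otherwise.
pkey_configured() {
    modules_load_list "$@" | grep -qx 'pkey'
}

# Write the drop-in the report asks for into the given directory
# (assumed content: a comment line plus the single module name "pkey").
write_pkey_conf() {
    dir="$1"
    mkdir -p "$dir"
    printf '# load pkey early so paes keys are available before crypttab is processed\npkey\n' \
        > "$dir/s390-pkey.conf"
}

# Usage on a live system (not executed here):
#   pkey_configured /usr/lib/modules-load.d /etc/modules-load.d \
#       && echo "pkey will be loaded by systemd-modules-load" \
#       || echo "pkey relies on CPU-feature autoload only (too late for crypttab)"
```

The check reads both the vendor directory and the admin directory, because a file of the same name in /etc/modules-load.d overrides the one in /usr/lib/modules-load.d; listing the merged result is what tells you whether pkey will actually be loaded early.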

bugproxy (bugproxy) on 2019-01-11
tags: added: architecture-s39064 bugnameltc-174603 severity-high targetmilestone-inin1904
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Changed in ubuntu-z-systems:
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
importance: Undecided → High
Changed in ubuntu-z-systems:
assignee: Canonical Kernel Team (canonical-kernel-team) → nobody
status: New → Triaged
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in s390-tools (Ubuntu):
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Frank Heimes (frank-heimes) wrote :

Not assigning, since it will be available with the disco target kernel anyway - just monitoring ...

------- Comment From <email address hidden> 2019-02-01 07:44 EDT-------
Git commit: kernel 4.20 [a45a5c7d36]

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in ubuntu-z-systems:
status: Triaged → Incomplete
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2019-02-12 08:24 EDT-------
The s390-tools part will be provided via 2.8.0 , provided before 2019-02-21 FF

Frank Heimes (frank-heimes) wrote :

Since s390-tools v2.8.0 landed in disco:
s390-tools | 2.8.0-0ubuntu1 | disco | s390x
I'm changing the affects s390-tools entry to Fix Released.

Changed in s390-tools (Ubuntu):
status: New → Fix Released
Frank Heimes (frank-heimes) wrote :

Just double-checked and can confirm that the commit "s390/pkey: Introduce new API for random protected key generation" landed in disco-proposed kernel "Ubuntu-5.0.0-7.8" (as "a45a5c7d").
Hence updating status to Fix Committed.

Changed in linux (Ubuntu):
status: Incomplete → Fix Committed
Changed in ubuntu-z-systems:
status: Incomplete → Fix Committed
Frank Heimes (frank-heimes) wrote :

Since Kernel 5.0 landed in disco's release pocket today, I'm changing the status to Fix Released.

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2019-03-15 06:27 EDT-------
IBM Bugzilla status -> closed, Fix Released for disco

information type: Private → Public