[Bug 1811354] Re: [19.04 FEAT] in-kernel crypto: support protected keys generated by random in paes module

Frank Heimes 1811354 at bugs.launchpad.net
Tue Apr 16 17:59:50 UTC 2019


** Information type changed from Private to Public

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1811354

Title:
  [19.04 FEAT] in-kernel crypto: support protected keys generated by
  random in paes module

Status in Ubuntu on IBM z Systems:
  Fix Released
Status in linux package in Ubuntu:
  Fix Released
Status in s390-tools package in Ubuntu:
  Fix Released

Bug description:
  Allow the protected key AES (paes) module to derive protected keys from clear keys.
  This allows simple use of protected keys w/o requiring CryptoExpress adapters in case the keys are ephemeral, i.e. their lifetime does not extend over different boots or machine migrations.
  An example of such keys are keys used to encrypt swap volumes of non-migratable systems.

  Function will be provided via kernel 4.20.

  Important:
  Install file s390-pkey.conf introduced with this commit into /usr/lib/modules-load.d/ (or /etc/modules-load.d)

  
  Addl. Information for integration.

  Kernel module pkey is loaded too late during system startup.
   
  Kernel module pkey uses the CPU feature match mechanism to get loaded automatically when the CPU supports crypto. However, it gets loaded too late by the feature match mechanism. 

  When using the support added with "in-kernel crypto: support protected
  keys generated by random in paes module" to encrypt a swap disk with a
  randomly generated protected key, the pkey module must have been
  loaded before the /etc/crypttab is processed. It turned out that the
  automatic loading via CPU feature match is too late for that, and pkey
  is not yet loaded at the required point in time.

  The kernel module pkey should therefore be loaded explicitly via
  /usr/lib/modules-load.d/ (or /etc/modules-load.d/). This is performed
  early enough, i.e. before /etc/crypttab is processed.

  Please integrate upstream commit
  https://github.com/ibm-s390-tools/s390-tools/commit/dffd41943e5c01be2f343da7726edabf9d2ec05e
  titled "pkey: Support autoloading kernel pkey module". -> comes with
  kernel 4.20.

  Important:
  Install file s390-pkey.conf introduced with this commit into /usr/lib/modules-load.d/ (or /etc/modules-load.d)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1811354/+subscriptions
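
Added example, not part of the original bug report or of s390-tools: a shell check for the ordering problem described above. It reports when a crypttab file has an entry using a paes cipher while no modules-load.d file lists pkey. The function names and the match on a cipher=paes option are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that pkey is listed for early loading whenever
# crypttab uses a paes cipher. All function names are hypothetical.

# Return 0 if any *.conf file in the given modules-load.d directories
# names the module "pkey" on a line of its own ('#' and ';' start comments).
pkey_autoload_configured() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for conf in "$dir"/*.conf; do
            [ -f "$conf" ] || continue
            if sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$conf" |
                grep -v '^[#;]' | grep -qx 'pkey'; then
                return 0
            fi
        done
    done
    return 1
}

# Print the names of crypttab entries whose options (4th field)
# select a paes cipher (assumed form: cipher=paes...).
paes_crypttab_entries() {
    [ -f "$1" ] || return 0
    awk '$1 !~ /^#/ && NF >= 4 && $4 ~ /(^|,)cipher=paes/ { print $1 }' "$1"
}

# Return 0 when the configuration is consistent, 1 when a paes entry
# exists but pkey would only be loaded by CPU feature match (too late).
check_pkey_early_load() {
    crypttab=$1; shift
    entries=$(paes_crypttab_entries "$crypttab")
    [ -n "$entries" ] || return 0
    if pkey_autoload_configured "$@"; then
        return 0
    fi
    echo "pkey not in modules-load.d; affected crypttab entries: $entries" >&2
    return 1
}

# Invocation on a real system, using the paths from the bug description:
# check_pkey_early_load /etc/crypttab /usr/lib/modules-load.d /etc/modules-load.d
```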
