1750680 – LUKS2 reencryption ignores option disabling VK upload in kernel keyring

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1750680 - LUKS2 reencryption ignores option disabling VK upload in kernel keyring

Summary: LUKS2 reencryption ignores option disabling VK upload in kernel keyring

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	cryptsetup
Sub Component:
Version:	8.1
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	8.2
Assignee:	Ondrej Kozina
QA Contact:	guazhang@redhat.com
Docs Contact:
URL:
Whiteboard:
Depends On:	1757783
Blocks:
TreeView+	depends on / blocked

Reported:	2019-09-10 08:50 UTC by Ondrej Kozina
Modified:	2021-09-06 15:22 UTC (History)
CC List:	8 users (show)
Fixed In Version:	cryptsetup-2.2.2-1.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1659579
Environment:
Last Closed:	2020-04-28 16:54:37 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-27444	0	None	None	None	2021-09-06 15:22:58 UTC
Red Hat Product Errata	RHBA-2020:1848	0	None	None	None	2020-04-28 16:54:51 UTC

Description Ondrej Kozina 2019-09-10 08:50:20 UTC

+++ This bug was initially created as a clone of Bug #1659579 +++

--- Additional comment from Corey Marthaler on 2019-08-14 18:28:12 UTC ---

Also "--disable-keyring" *doesn't* help you if you reencrypt either.


[root@hayes-01 ~]# lvcreate  --virtualsize 1G -T snapper_thinp/POOL -n origin                                                                                                                                                                
  Logical volume "origin" created.                                                                                                                                                                                                            
                                                                                                                                                                                                                                                   
[root@hayes-01 ~]# echo Str0ngP455w0rd### | cryptsetup luksFormat /dev/snapper_thinp/origin                                                                                                                                                       
[root@hayes-01 ~]# echo Str0ngP455w0rd### | cryptsetup luksOpen --disable-keyring /dev/snapper_thinp/origin luks_origin                                                                                                                            
                                                                                                                                                                                                                                                      
[root@hayes-01 ~]# mkfs.ext4 /dev/mapper/luks_origin                                                                                                                                                                                                  
mke2fs 1.44.6 (5-Mar-2019)                                                                                                                                                                                                                              
[...]                                                                                                                                                                                                                                                   
Writing superblocks and filesystem accounting information: done                                                                                                                                                                                          
[root@hayes-01 ~]# mount /dev/mapper/luks_origin /mnt/origin

[root@hayes-01 ~]# df -h
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/luks_origin  977M  2.5M  908M   1% /mnt/origin

[root@hayes-01 ~]# lvextend -L +500M -r /dev/snapper_thinp/origin
  Size of logical volume snapper_thinp/origin changed from 1.00 GiB (256 extents) to <1.49 GiB (381 extents).
  Logical volume snapper_thinp/origin successfully resized.
resize2fs 1.44.6 (5-Mar-2019)
Filesystem at /dev/mapper/luks_origin is mounted on /mnt/origin; on-line resizing required
old_desc_blocks = 1, new_desc_blocks = 1
The filesystem on /dev/mapper/luks_origin is now 386048 (4k) blocks long.

[root@hayes-01 ~]# df -h
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/luks_origin  1.5G  3.0M  1.4G   1% /mnt/origin

[root@hayes-01 ~]# lvextend -L +500M -r /dev/snapper_thinp/origin
  Size of logical volume snapper_thinp/origin changed from <1.49 GiB (381 extents) to <1.98 GiB (506 extents).
  Logical volume snapper_thinp/origin successfully resized.
resize2fs 1.44.6 (5-Mar-2019)
Filesystem at /dev/mapper/luks_origin is mounted on /mnt/origin; on-line resizing required
old_desc_blocks = 1, new_desc_blocks = 1
The filesystem on /dev/mapper/luks_origin is now 514048 (4k) blocks long.

# now reencrypt
[root@hayes-01 ~]# echo Str0ngP455w0rd### | cryptsetup reencrypt --resilience none --active-name luks_origin
Finished, time 00:21.004, 2008 MiB written, speed  95.6 MiB/s   

# Doesn't work after reencryption
[root@hayes-01 ~]# lvextend -L +500M -r /dev/snapper_thinp/origin
  Size of logical volume snapper_thinp/origin changed from <1.98 GiB (506 extents) to 2.46 GiB (631 extents).
  Logical volume snapper_thinp/origin successfully resized.
Enter passphrase for /dev/mapper/snapper_thinp-origin: 
No key available with this passphrase.
fsadm: Failed to resize active LUKS device
  /usr/sbin/fsadm failed: 1

--- Additional comment from Ondrej Kozina on 2019-08-20 14:10:09 UTC ---

(In reply to Corey Marthaler from comment #3)

This is bug in online reencryption. Currently we reload keys in kernel keyring despite --disable-keyring parameter. Do you agree to clone this into separate bug?


This is not the only issue with kernel keyring and LUKS2 (online) reencryption. Currently reencryption does not work w/ kernel keyring support but this could be improved.

Also reencryption should (by default) switch keyring upload provided the online device has already key uploaded the classical way

Comment 2 guazhang@redhat.com 2019-11-25 11:57:02 UTC

Hello

[root@storageqe-24 ~]# vgcreate snapper_thinp  /dev/sdc
[root@storageqe-24 ~]# lvcreate --thinpool POOL --zero n -L 1G snapper_thinp 
  Thin pool volume with chunk size 64.00 KiB can address at most 15.81 TiB of data.
  Logical volume "POOL" created.

[root@storageqe-24 ~]# lvcreate  --virtualsize 1G -T snapper_thinp/POOL -n origin 
  Logical volume "origin" created.
[root@storageqe-24 ~]# echo Str0ngP455w0rd### | cryptsetup luksFormat /dev/snapper_thinp/origin 
[root@storageqe-24 ~]# echo Str0ngP455w0rd### | cryptsetup luksOpen --disable-keyring /dev/snapper_thinp/origin luks_origin  

[root@storageqe-24 ~]#  mkfs.ext4 /dev/mapper/luks_origin
mke2fs 1.44.6 (5-Mar-2019)
Creating filesystem with 258048 4k blocks and 64512 inodes
Filesystem UUID: e8d48b20-555d-4403-b6d1-35ab0effda53
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

[root@storageqe-24 ~]# lvextend -L +500M -r /dev/snapper_thinp/origin
fsck from util-linux 2.32.1
/dev/mapper/luks_origin: clean, 11/64512 files, 8785/258048 blocks
  WARNING: Sum of all thin volume sizes (<1.49 GiB) exceeds the size of thin pool snapper_thinp/POOL (1.00 GiB).
  WARNING: You have not turned on protection against thin pools running out of space.
  WARNING: Set activation/thin_pool_autoextend_threshold below 100 to trigger automatic extension of thin pools before they get full.
  Size of logical volume snapper_thinp/origin changed from 1.00 GiB (256 extents) to <1.49 GiB (381 extents).
  Logical volume snapper_thinp/origin successfully resized.
resize2fs 1.44.6 (5-Mar-2019)
Resizing the filesystem on /dev/mapper/luks_origin to 386048 (4k) blocks.
The filesystem on /dev/mapper/luks_origin is now 386048 (4k) blocks long.

[root@storageqe-24 ~]# mkdir -p /mnt/origin
[root@storageqe-24 ~]# 
[root@storageqe-24 ~]# mount /dev/mapper/luks_origin /mnt/origin/
[root@storageqe-24 ~]# 
[root@storageqe-24 ~]# df -h
Filesystem                           Size  Used Avail Use% Mounted on
devtmpfs                              32G   10M   32G   1% /dev
tmpfs                                 32G     0   32G   0% /dev/shm
tmpfs                                 32G   26M   32G   1% /run
tmpfs                                 32G     0   32G   0% /sys/fs/cgroup
/dev/mapper/rhel_storageqe--24-root   50G  3.3G   47G   7% /
/dev/sda2                           1014M  165M  850M  17% /boot
/dev/mapper/rhel_storageqe--24-home  5.4T   39G  5.4T   1% /home
tmpfs                                6.3G     0  6.3G   0% /run/user/0
/dev/mapper/luks_origin              1.5G  3.0M  1.4G   1% /mnt/origin
[root@storageqe-24 ~]# lvextend -L +500M -r /dev/snapper_thinp/origin
  WARNING: Sum of all thin volume sizes (<1.98 GiB) exceeds the size of thin pool snapper_thinp/POOL (1.00 GiB).
  WARNING: You have not turned on protection against thin pools running out of space.
  WARNING: Set activation/thin_pool_autoextend_threshold below 100 to trigger automatic extension of thin pools before they get full.
  Size of logical volume snapper_thinp/origin changed from <1.49 GiB (381 extents) to <1.98 GiB (506 extents).
  Logical volume snapper_thinp/origin successfully resized.
resize2fs 1.44.6 (5-Mar-2019)
Filesystem at /dev/mapper/luks_origin is mounted on /mnt/origin; on-line resizing required
old_desc_blocks = 1, new_desc_blocks = 1
The filesystem on /dev/mapper/luks_origin is now 514048 (4k) blocks long.

[root@storageqe-24 ~]# echo Str0ngP455w0rd### | cryptsetup reencrypt --resilience none --active-name luks_origin
Progress:  44.8%, ETA 00:07,  900 MiB written, speed 141.3 MiB/sFailed to write hotzone area starting at 996147200.
Fatal error while reencrypting chunk starting at 1978368, 102400 sectors long.
Reencryption was run in online mode.
[root@storageqe-24 ~]# lvextend -L +500M -r /dev/snapper_thinp/origin
fsadm: Can not find active LUKS device. Unlock "/dev/mapper/snapper_thinp-origin" volume first.
  Filesystem check failed.

HI, 

please have a look the error if expectation ?

Comment 3 Ondrej Kozina 2019-11-25 12:12:53 UTC

The LV 'origin' is twice the size of thin pool. During reencryption the whole device gets written and therefore it can't fit in the thin pool. This works as expected.

Comment 4 Ondrej Kozina 2019-11-25 12:26:49 UTC

Perhaps you can simplify test for this bug:

The bug is in the fact that online reencryption completely ignored user's preference of using --disable-keyring option during device activation.
So you can perhaps just activate the device with

"cryptsetup open /your/device crypt_mapping --disable-keyring"

Later, "cryptsetup status crypt_mapping" should show following output:
(....)
  key location: dm-crypt   <====== here
(...)
  sector size:  512
  offset:  4096 sectors
  size:    293597184 sectors
  mode:    read/write
  flags:   discards

If you reencrypt the device you just need to verify that key remained in dm-crypt after the operation got finished. It should be in dm-crypt for the whole duration of reencryption operation, by the way. You can check the same also with "dmsetup table crypt_mapping --showkeys". The key loaded via kernel keyring will look like ":64:logon:cryptsetup:b85...." whereas key loaded directly in dm-crypt will manifest in plain hexbyte represenation of binary volume key.

Comment 5 guazhang@redhat.com 2019-11-26 03:19:38 UTC

thanks Ondrej for the details, move to verified

Comment 7 errata-xmlrpc 2020-04-28 16:54:37 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1848

Note You need to log in before you can comment on or make changes to this bug.