Bug 1931847 - [Regression] The RHEL8.3 is not capable of encryption with cipher aes-cbc-essiv:sha256 with DISA STIG or Non-DISA systems.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libblockdev
Version: 8.3
Hardware: All
OS: All
unspecified
urgent
Target Milestone: rc
Assignee: Vojtech Trefny
QA Contact: guazhang@redhat.com
Blocks: 1954005
Reported: 2021-02-23 11:51 UTC by Parikshit Khedekar
Modified: 2024-12-20 19:40 UTC (History)
Fixed In Version: libblockdev-2.24-6.el8
: 1954005 (view as bug list)
Last Closed: 2021-11-09 18:13:48 UTC
Type: Bug
pm-rhel: mirror+


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:4206 0 None None None 2021-11-09 18:13:51 UTC

Description Parikshit Khedekar 2021-02-23 11:51:51 UTC
Description of problem:

The installation will fail with a traceback while we add the encryption type for cipher
as "aes-cbc-essiv:sha256"


The traceback we get as,

------------------------------------
------------------------------------

11:33:32,562 INF progress: Creating disklabel on /dev/vda
11:33:35,563 INF progress: Creating luks on /dev/vda2
11:33:36,595 INF threading: Thread Failed: AnaInstallThread (140194223806208)
11:33:36,595 DBG exception: running handleException
11:33:36,599 CRT exception: Traceback (most recent call last):

  File "/usr/lib64/python3.6/site-packages/pyanaconda/threading.py", line 280, in run
    threading.Thread.run(self)
  File "/usr/lib64/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation.py", line 394, in run_installation
    queue.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 490, in start
    self.run_task()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 521, in run_task
    sync_run_task(self._task_proxy)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/modules/common/task/__init__.py", line 46, in sync_run_task
    task_proxy.Finish()
  File "/usr/lib/python3.6/site-packages/dasbus/client/handler.py", line 447, in _call_method
    **kwargs,
  File "/usr/lib/python3.6/site-packages/dasbus/client/handler.py", line 477, in _get_method_reply
    return self._handle_method_error(error)
  File "/usr/lib/python3.6/site-packages/dasbus/client/handler.py", line 497, in _handle_method_error
    raise exception from None
dasbus.error.DBusError: Failed to format device: Invalid argument
------------------------------------
------------------------------------

It doesn't matter whether we choose the profiles or remove them, even with simple installation I see this.
If I remove the cypher text and use line as below then installation works fine.

~~~~~
part pv.01 --grow  --size=1  --encrypted --passphrase="helloDolly@123456" 
~~~~~

The older release 8.2,8.1 work fine with above kickstart but again sometimes errors while executing oscap to
check the compliance in post section which I feel resolved to 8.3 but issue remains with uses of cipher.

Version-Release number of selected component (if applicable):

8.3

How reproducible:

Every time installation of 8.3 for encryption with cipher.

Steps to Reproduce:
1. Create an installation env with 8.3 ISO and kickstart.
2. Use the following kickstart,

------------------------------------
------------------------------------
install
cdrom
lang en_US.UTF-8
keyboard us
network --onboot yes --bootproto dhcp
text

#root password server
rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220

#admin password is admin123
user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
firewall --enabled --ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone --utc America/New_York
bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"

#This partitioning is for 20GB or higher disk.
zerombr
clearpart --all --initlabel
part /boot --fstype=xfs --size=512
part pv.01 --grow  --size=1  --encrypted --passphrase="helloDolly@123456" --cipher=aes-cbc-essiv:sha256

volgroup VolGroup --pesize=4096 pv.01

logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
logvol swap --name=swap --vgname=VolGroup --size=2016


%packages
@Base
%end

%addon org_fedora_oscap
    content-type = scap-security-guide
    profile = xccdf_org.ssgproject.content_profile_stig
%end

------------------------------------
------------------------------------

The addon is optional, reproducible without it as well.

3. Check the console to see tracebacks.

Actual results:

Results in a traceback.

Expected results:

Shouldn't give traceback and add the cipher to encryption.


Additional info:

RHEL 8.1, 8.2 work fine with it. I don't see the issue as due to DISA, as even after removing it from the kickstart
the issue occurs. I believe this is around the missed cipher for encryption with 8.3.

Comment 6 Vojtech Trefny 2021-02-24 16:32:18 UTC
upstream PR: https://github.com/storaged-project/libblockdev/pull/620

updates image for 8.4: https://vtrefny.fedorapeople.org/img/rhbz1931847.img

Comment 7 Jan Stodola 2021-02-25 09:13:55 UTC
The provided updates image works fine.

Comment 9 guazhang@redhat.com 2021-04-23 06:26:11 UTC
Hi

reproduce the bug with RHEL-8.5.0-20210421.n.1


Creating disklabel on /dev/sda
Creating luks on /dev/sda3


An unknown error has occured, look at the /tmp/anaconda-tb* file(s) for more details
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 490, in start
    self.run_task()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation.py", line 403, in run_installation
    queue.start()
  File "/usr/lib64/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/threading.py", line 280, in run
    threading.Thread.run(self)
dasbus.error.DBusError: Failed to format device: Invalid argument

Comment 12 guazhang@redhat.com 2021-05-17 12:20:05 UTC
Hi

Test pass with fixed package, so move to verified.

lv = b.new_lv(parents=[vg], size=blivet.size.Size("100 MiB"), grow=True, fmt_type="luks",
              fmt_args={"passphrase": LUKS_PASSPHRASE,
                        "cipher": "aes-cbc-essiv:sha256",
                        "key_size": int(256),
                        "luks_version": "luks2"})
b.create_device(lv)
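
A post-install check to go with the verification above, added here as an example and not part of the bug thread or of the libblockdev fix: it parses `cryptsetup luksDump` text and confirms that the data cipher and key size match what was requested (`aes-cbc-essiv:sha256`, and 256 bits as in the comment 12 test). The dump excerpts and the function names are constructed for illustration.

```python
import re

# Constructed luksDump excerpts (not taken from the bug report).
LUKS1_DUMP = """Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
MK bits:        256
"""
# The LUKS2 keyslot "Cipher:" differs from the data cipher on purpose.
LUKS2_DUMP = """Version:        2

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-cbc-essiv:sha256

Keyslots:
  0: luks2
        Key:        256 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
"""

def _field(pattern, text):
    m = re.search(pattern, text, re.M)
    if m is None:
        raise ValueError("field not found: " + pattern)
    return m.group(1)

def luks_data_cipher(dump):
    """Return (luks_version, data_cipher_spec, key_bits)."""
    if int(_field(r"^Version:\s*(\d+)", dump)) == 1:
        # LUKS1 reports the spec as separate name and mode fields.
        spec = "-".join(_field(r"^Cipher %s:\s*(\S+)" % f, dump) for f in ("name", "mode"))
        return 1, spec, int(_field(r"^MK bits:\s*(\d+)", dump))
    # LUKS2: only the "cipher:" line inside "Data segments:" describes the data.
    seg = _field(r"(?s)^Data segments:\n(.*?)(?=^\S|\Z)", dump)
    return 2, _field(r"^\s+cipher:\s*(\S+)", seg), int(_field(r"^\s+Key:\s*(\d+) bits", dump))

def cipher_mismatches(dump, want_cipher="aes-cbc-essiv:sha256", want_bits=256):
    """List differences between the header and the requested settings."""
    _, spec, bits = luks_data_cipher(dump)
    problems = []
    if spec != want_cipher:
        problems.append("cipher is %s, expected %s" % (spec, want_cipher))
    if bits != want_bits:
        problems.append("key size is %d, expected %d" % (bits, want_bits))
    return problems
```

On an installed system the input would be the output of `cryptsetup luksDump` for the encrypted partition; an empty list means the header matches the kickstart request.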

Comment 15 errata-xmlrpc 2021-11-09 18:13:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libblockdev bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4206

