Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1931847

Summary: [Regression] The RHEL8.3 is not capable of encryption with cipher aes-cbc-essiv:sha256 with DISA STIG or Non-DISA systems.
Product: Red Hat Enterprise Linux 8 Reporter: Parikshit Khedekar <pkhedeka>
Component: libblockdevAssignee: Vojtech Trefny <vtrefny>
Status: CLOSED ERRATA QA Contact: guazhang <guazhang>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 8.3CC: guazhang, jstodola, mvanderw, rmetrich, vtrefny
Target Milestone: rcKeywords: TestCaseNeeded
Target Release: ---Flags: pm-rhel: mirror+
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: libblockdev-2.24-6.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1954005 (view as bug list) Environment:
Last Closed: 2021-11-09 18:13:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1954005    

Description Parikshit Khedekar 2021-02-23 11:51:51 UTC 
Description of problem:

The installation will fail with a traceback while we add the encryption type for cipher
as "aes-cbc-essiv:sha256"


The traceback we get as,

------------------------------------
------------------------------------

11:33:32,562 INF progress: Creating disklabel on /dev/vda
11:33:35,563 INF progress: Creating luks on /dev/vda2
11:33:36,595 INF threading: Thread Failed: AnaInstallThread (140194223806208)
11:33:36,595 DBG exception: running handleException
11:33:36,599 CRT exception: Traceback (most recent call last):

  File "/usr/lib64/python3.6/site-packages/pyanaconda/threading.py", line 280, in run
    threading.Thread.run(self)
  File "/usr/lib64/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation.py", line 394, in run_installation
    queue.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 490, in start
    self.run_task()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 521, in run_task
    sync_run_task(self._task_proxy)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/modules/common/task/__init__.py", line 46, in sync_run_task
    task_proxy.Finish()
  File "/usr/lib/python3.6/site-packages/dasbus/client/handler.py", line 447, in _call_method
    **kwargs,
  File "/usr/lib/python3.6/site-packages/dasbus/client/handler.py", line 477, in _get_method_reply
    return self._handle_method_error(error)
  File "/usr/lib/python3.6/site-packages/dasbus/client/handler.py", line 497, in _handle_method_error
    raise exception from None
dasbus.error.DBusError: Failed to format device: Invalid argument
------------------------------------
------------------------------------

It doesn't matter whether we choose the profiles or remove them, even with simple installation I see this.
If I remove the cypher text and use line as below then installation works fine.

~~~~~
part pv.01 --grow  --size=1  --encrypted --passphrase="helloDolly@123456" 
~~~~~

The older release 8.2,8.1 work fine with above kickstart but again sometimes errors while executing oscap to
check the compliance in post section which I feel resolved to 8.3 but issue remains with uses of cipher.

Version-Release number of selected component (if applicable):

8.3

How reproducible:

Every time installation of 8.3 for encryption with cipher.

Steps to Reproduce:
1. Create an installation env with 8.3 ISO and kickstart.
2. Use the following kickstart,

------------------------------------
------------------------------------
install
cdrom
lang en_US.UTF-8
keyboard us
network --onboot yes --bootproto dhcp
text

#root password server
rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220

#admin password is admin123
user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
firewall --enabled --ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone --utc America/New_York
bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"

#This partitioning is for 20GB or higher disk.
zerombr
clearpart --all --initlabel
part /boot --fstype=xfs --size=512
part pv.01 --grow  --size=1  --encrypted --passphrase="helloDolly@123456" --cipher=aes-cbc-essiv:sha256

volgroup VolGroup --pesize=4096 pv.01

logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
logvol swap --name=swap --vgname=VolGroup --size=2016


%packages
@Base
%end

%addon org_fedora_oscap
    content-type = scap-security-guide
    profile = xccdf_org.ssgproject.content_profile_stig
%end

------------------------------------
------------------------------------

The addon is optional, reproducible without it as well.

3. Check the console to see tracebacks.

Actual results:

Results to a traceback

Expected results:

Shouldn't give traceback and add the cipher to encryption.


Additional info:

RHEL 8.1,8.2 work fine with it, I don't see issue due to DISA as even after removing it from kickstart
the issue occurs. I believe this is around the missed cipher for ecnryption with 8.3
Comment 6 Vojtech Trefny 2021-02-24 16:32:18 UTC 
upstream PR: https://github.com/storaged-project/libblockdev/pull/620

updates image for 8.4: https://vtrefny.fedorapeople.org/img/rhbz1931847.img
Comment 7 Jan Stodola 2021-02-25 09:13:55 UTC 
The provided updates image works fine.
Comment 9 guazhang@redhat.com 2021-04-23 06:26:11 UTC 
Hi

reproduce the bug with RHEL-8.5.0-20210421.n.1


Creating disklabel on /dev/sda
Creating luks on /dev/sda3


An unknown error has occured, look at the /tmp/anaconda-tb* file(s) for more details
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 490, in start
    self.run_task()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation.py", line 403, in run_installation
    queue.start()
  File "/usr/lib64/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/threading.py", line 280, in run
    threading.Thread.run(self)
dasbus.error.DBusError: Failed to format device: Invalid argument
Comment 12 guazhang@redhat.com 2021-05-17 12:20:05 UTC 
Hi

Test pass with fixed package, so move to verified.

lv = b.new_lv(parents=[vg], size=blivet.size.Size("100 MiB"), grow=True, fmt_type="luks",
                fmt_args={"passphrase": LUKS_PASSPHRASE,
                            "cipher":"aes-cbc-essiv:sha256",
                        "key_size":int(256),
                        "luks_version":"luks2", })
b.create_device(lv)
Comment 15 errata-xmlrpc 2021-11-09 18:13:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libblockdev bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4206