Bug 1184419

Summary: Leap 15.3 cannot handle encrypted swap with random key
Product: [openSUSE] openSUSE Distribution
Reporter: Neil Rickert <nwr10cst-oslnx>
Component: Kernel
Assignee: Coly Li <colyli>
Status: RESOLVED DUPLICATE
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P5 - None
CC: aschnell, hannsj_uhl, heming.zhao, jjletho67-esus, msuchanek, nwr10cst-oslnx, rgoldwyn, tiwai
Version: Leap 15.3
Target Milestone: ---
Hardware: x86-64
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Screenshot showing error during install

Description Neil Rickert 2021-04-06 20:13:48 UTC

I heard about this problem in a forum post:

https://forums.opensuse.org/showthread.php/552398-encrypted-swap-on-raid1-not-working

I then reproduced the problem in a KVM virtual machine (I did not use RAID).

I used the expert partitioner, and allocated a 2G partition for swap.  I then attempted to encrypt that partition with a random key.  The installer seemed to handle this well, except I ended up with an error message.

I was able to continue and ignore the error message.  I had to click "Continue" several times to proceed to the install.

The installed system looked fine.  But, on boot, it prompted me for an encryption key for "cr_swap".  I hit CTRL-D to skip that.  The system booted, but without swap.

I then configured the Leap 15.2 update repo as an additional repo. And I installed kernel-default-5.3.18-lp152.66.2 from there.

Rebooting, I used the grub menu to boot with that Leap 15.2 kernel. And it booted just fine with the swap working as it should.

It looks as if this kind of encryption is supported by the 15.2 kernel, but is not supported by the 15.3 kernel.

Reproducible: Always




In my opinion, this is a serious security issue and should be a show stopper for Leap 15.3 (until fixed).

I'll note that bug 1183063 is another (different) crypto-related issue with Leap 15.3.
Comment 1 Neil Rickert 2021-04-06 20:19:44 UTC
Created attachment 848024
Screenshot showing error during install
Comment 2 Takashi Iwai 2021-04-07 08:14:22 UTC
Reassigned to Coly (as well as bug 1183063).
Comment 3 heming zhao 2021-04-19 15:52:30 UTC
Hello,

Could you please try the latest Leap 15.3 ISO/repo?
I think your issue is a duplicate of bsc#1184134.
Comment 4 Neil Rickert 2021-04-19 21:03:06 UTC
Yes, this appears to be fixed with the latest release of Leap 15.3.

I took the system that I had previously installed, and I then updated
kernel-default
kernel-default-extra
kernel-default-optional.

I then rebooted with this new kernel.  And the randomly encrypted swap is now recognized.  Thanks.

I'll probably delete that virtual machine now that it isn't needed for further testing this.  I do have another VM with Leap 15.0 that uses randomly encrypted swap.  So sometime later this week I'll either upgrade in place or install 15.3 to replace 15.0.  That will be a further test of this.
Comment 5 heming zhao 2021-04-20 02:09:23 UTC
Waiting for your test result. If your issue is totally resolved, this bug will be set as a duplicate of bsc#1184134.
Comment 6 Neil Rickert 2021-04-21 02:36:17 UTC
I have completed my testing.

I started with a KVM virtual machine that had Leap 15.0 installed and was using a randomly encrypted swap.

First test: I did an online update to Leap 15.3, using:

 zypper --releasever=15.3 dup

Note that "zypp.conf" already allows vendor-change.

This went pretty well.  There were a bunch of "NOKEY" errors, but this did not stop the install.  I'm pretty sure that there's another bug for those errors.

On reboot, after the update, the swap was working correctly, and
 cat /proc/swaps
showed that it was using an encrypted device ("/dev/dm-0").

Second test: I did a clean install to the same VM.  I used expert partitioner and import mount points during the install, to get exactly the same partitioning.  This worked perfectly.  The installer recognized the randomly encrypted swap, and set it up correctly.

Yes, it seems safe to close this bug as fixed.  I'll leave that to you, because you want to mark it as a duplicate of a bug that I am unable to access.
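
Added example (not part of the original bug report or any commenter's text): a shell check that generalizes the "cat /proc/swaps" step in Comment 6 by confirming every active swap area is a dm-crypt mapping, and that also flags the "booted, but without swap" case from the description. It assumes cryptsetup's convention that the device-mapper UUID of its mappings begins with "CRYPT-"; the function name and its two path arguments are hypothetical.

```shell
#!/bin/sh
# Added example: verify that active swap is backed by dm-crypt.
# $1 = swaps table (default /proc/swaps), $2 = sysfs block dir (default /sys/block).
# Both arguments are hypothetical conveniences so the check can run on saved copies.
# Return codes: 0 = all swap encrypted, 1 = some swap not dm-crypt, 2 = no swap active.
check_swap_encryption() {
    swaps=${1:-/proc/swaps}
    sysblock=${2:-/sys/block}
    rc=0
    seen=0
    while read -r dev _type _rest; do
        # The first line of /proc/swaps is the column header.
        [ "$dev" = "Filename" ] && continue
        [ -z "$dev" ] && continue
        seen=1
        # Resolve /dev/mapper/<name> symlinks to the kernel name (dm-N).
        real=$(readlink -f "$dev" 2>/dev/null || printf '%s' "$dev")
        name=${real##*/}
        # Assumption: cryptsetup-created mappings carry a DM UUID "CRYPT-...".
        uuid=$(cat "$sysblock/$name/dm/uuid" 2>/dev/null) || uuid=
        case $uuid in
            CRYPT-*) echo "OK   $dev ($uuid)" ;;
            *)       echo "FAIL $dev is not a dm-crypt mapping"; rc=1 ;;
        esac
    done < "$swaps"
    # A system that skipped the cr_swap prompt boots with an empty table.
    if [ "$seen" -eq 0 ]; then
        echo "FAIL no active swap"
        rc=2
    fi
    return "$rc"
}
```

Swap files are reported as FAIL because they have no device-mapper entry of their own, even when the filesystem holding them is encrypted.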
Comment 7 Michal Suchanek 2021-04-21 08:12:37 UTC
Thanks for testing

*** This bug has been marked as a duplicate of bug 1184134 ***
Comment 8 Marco M. 2021-04-28 15:50:35 UTC
Hi,
I've just performed a test with the latest beta (build 142.1, installed from scratch) and I can confirm the bug has disappeared.