CoreOS OCP / COS-2734

[coreos/ignition] enable RHEL LUKS s390x CEX


    • Story
    • Resolution: Done
    • Normal
    • Upstream

      [1849032703] Upstream Reporter: Madhu Pillai
      Upstream issue status: Closed
      Upstream description:

      # Feature Request #

      LUKS PIN for IBM CEX (Cryptographic Express Card) similar to TPM for encrypting root volume LUKS with secureKeys by using IBM CEX card co-processor CCA.
      I am in the process of enabling the CEX cryptographic card in s390x for LUKS disk encryption, specifically for the root volume.

      The main aim is to implement in OCP to utilize protected key generated from utility zkey where each CEX (CCA) card will be assigned to each OCP node with Master key loaded. For that, this feature is required in RHEL.
      The secure key gets generated from the master key in the cryptographic co-processor, and the effective key in the secure key can only be derived inside cryptographic cards with the master key residing in the card.

      ## Environment ##

      IBM S390x.

      What hardware/cloud provider/hypervisor is being used to run Ignition?

      IBM S390x.

      ## Desired Feature ##

      A CEX (Hardware Security Module) in LUKS PIN for root device encryption. Similar to TPM2.

      ## Other Information ##

      Have tested by creating a volume for pervasive encryption in s390x. Similarly using for root device LUKS encryption with protected key.

      <https://www.ibm.com/docs/en/linux-on-systems?topic=volumes-creating-volume-pervasive-encryption>
