[Bug 2116061] Re: [UBUNTU 25.04] lszcrypt output shows no cards because ap module has to be loaded manually

Massimiliano Pellizzer Mon, 07 Jul 2025 06:35:43 -0700

** Description changed:

+ [ Impact ]
+ 
+ s390: Build ap driver into the kernel
+ 
+ The adjunct processor (AP) bus driver is currently configured as a loadable 
module.
+ This leads to a bug on systems that rely on early access to hardware
+ cryptographic resources. In particular, encrypted root filesystems using 
secure keys
+ may fail to boot if the AP module is not available at boot.
+ 
+ Fix the issue by building the AP driver into the kernel.
+ 
+ [ Fix ]
+ 
+ The issue can be fixed by building the AP driver into the kernel:
+ CONFIG_AP=y
+ 
+ [ Test Plan ]
+ 
+ Run the command lszcrypt.
+ This should display the current state of crypto hardware
+ even without explicitly load the ap module.
+ 
+ [ Regression Potential ]
+ 
+ The now built-in driver is small and unlikely to cause problems unless
+ the target environment is extremely memory-constrained or the kernel
+ image size approaches bootloader limits (rare on IBM Z mainframes).
+ 
+ ---
+ 
  == Comment: #0 - Grgo Mariani <[email protected]> - 2025-06-23 00:28:40 ==
  ---Problem Description---
  Previously kernel built-in module ap now has to be loaded manually. This 
means that lszcrypt output will show no cards and pkey functionality cannot be 
used before the module is loaded.
  
  Terminal output shows:
  
  $ lszcrypt -V
  lszcrypt: Crypto device driver not available.
  $ modprobe ap
  $ lszcrypt -V
  CARD.DOM TYPE  MODE        STATUS     REQUESTS  PENDING HWTYPE QDEPTH 
FUNCTIONS  DRIVER
  
--------------------------------------------------------------------------------------------
  00       CEX7A Accelerator online            0        0     13     08 
-MC-A-N-F- cex4card
  00.0017  CEX7A Accelerator online            0        0     13     08 
-MC-A-N-F- cex4queue
  $ modinfo ap
  filename:       
/lib/modules/6.14.0-22-generic/kernel/drivers/s390/crypto/ap.ko.zst
  license:        GPL
  description:    Adjunct Processor Bus driver
  author:         IBM Corporation
  srcversion:     99B7B128E77089951FE3C3A
  depends:
  intree:         Y
  name:           ap
  vermagic:       6.14.0-22-generic SMP mod_unload modversions
  sig_id:         PKCS#7
  signer:         Build time autogenerated kernel key
-  
+ 
  ---Additional Hardware Info---
- CEX cards attached. 
+ CEX cards attached.
  
-  
  ---Debugger---
  A debugger is not configured
-  
+ 
  ---Steps to Reproduce---
-  Install the distro (ubuntu 25.04) and run the following commands:
+  Install the distro (ubuntu 25.04) and run the following commands:
  $ lszcrypt
  $ modinfo ap
  $ modprobe ap
  $ lszcrypt
-  
+ 
  ---uname output---
  Linux SYSTEM 6.14.0-22-generic #22-Ubuntu SMP Wed May 21 13:32:46 UTC 2025 
s390x s390x s390x GNU/Linux
-  
- Contact Information = [email protected] [email protected] 
-  
- Machine Type = Manufacturer:         IBM              Type:                 
8561 Model:                701              T01 
-  
+ 
+ Contact Information = [email protected] [email protected]
+ 
+ Machine Type = Manufacturer:         IBM              Type:
+ 8561 Model:                701              T01
+ 
  System Dump Info:
-   The system is not configured to capture a system dump.
-  
+   The system is not configured to capture a system dump.
+ 
  Stack trace output:
-  no
-  
+  no
+ 
  Oops output:
-  no
+  no
  
  == Comment: #2 - Holger Dengler <[email protected]> - 2025-06-23 
02:25:11 ==
  The architecture default-configurations all configure ap as built-in. If a 
distribution decides to do it different, they should be aware of such 
regression cases. In my opinion, it is the responsibility of the distro to fix 
this. Either by change the configuration for ap or by loading the ap module 
explicitly.
  
  There is also another aspect: if customres use encrypted disks with
  paes, it might also be necessary to include the ap module in the
  initramfs and load it explicitly there as well. Otherwise it will be
  hard to decrypt the disk, if secure keys are used.
  
  == Comment: #3 - Grgo Mariani <[email protected]> - 2025-06-23 03:30:40 ==
  Good catch, the ap module is not listed in the initrd
  
  $ lsinitramfs /boot/initrd.img-$(uname -r) | grep ap
  usr/lib/modules/6.14.0-22-generic/kernel/drivers/base/regmap
  
usr/lib/modules/6.14.0-22-generic/kernel/drivers/base/regmap/regmap-mmio.ko.zst
  usr/lib/modules/6.14.0-22-generic/kernel/drivers/md/dm-snapshot.ko.zst
  etc/console-setup/cached_UTF-8_del.kmap.gz
  usr/bin/mkswap
  usr/bin/loadkmap
  usr/bin/dumpkmap
  usr/lib/multipath/libprioontap.so
  usr/lib/s390x-linux-gnu/libcap-ng.so.0
  usr/lib/s390x-linux-gnu/libcap-ng.so.0.0.0
  usr/lib/s390x-linux-gnu/libcap.so.2
  usr/lib/s390x-linux-gnu/libcap.so.2.73
  usr/lib/s390x-linux-gnu/libdevmapper-event.so.1.02.1
  usr/lib/s390x-linux-gnu/libdevmapper.so.1.02.1


** Changed in: linux (Ubuntu Plucky)
       Status: Confirmed => In Progress

** Changed in: linux (Ubuntu Questing)
       Status: Confirmed => In Progress

** Changed in: ubuntu-z-systems
       Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2116061

Title:
  [UBUNTU 25.04] lszcrypt output shows no cards because ap module has to
  be loaded manually

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2116061/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2116061] Re: [UBUNTU 25.04] lszcrypt output shows no cards because ap module has to be loaded manually

Reply via email to