Are these installs with zkey/paes or without? Because, in Ubuntu, when zkey was introduced I have reverted the s390-tools upstream change to lower the argon2i settings. Due to my lack of understanding of the security features there. And later, we have made similar choices for TPM backed encryption elsewhere on the Ubuntu platofrm. Thus for example, for zkey/paes Imho argon2i should be used, but with a lower benchmark criteria capped at 200ms trial, instead of the builtin default of 2000ms trial. Otherwise, the RAM requirements to dump back onto paes/zkey encrypted volume will ever grow with the machine RAM size.
To test this out, install the system with little ram (ie. 1GB), then deactive, bump ram to 16GB. And I suspect that kdump to zkey/paes volume will then just work. For non-protected (no zkey/paes) encryption with just passthrases, the argon2i is the only protection we can provide, and yes it will always run install time benchmark and will always use ever increasing amount of ram to perform unlock. If we want to always have kdump working onto non- protected zkey/paes drives, we must introspect the luks volume argon2i benchmark details and base the reserved RAM off that. Because in theory, some future cryptsetup might change the benchmark, and thus result in different amount of RAM requirement to unlock the drive. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1877533 Title: [20.10 FEAT] Increase the crashkernel setting if the root volume is luks2-encrypted To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1877533/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
